Vulnerability precognition is an odd-sounding concept, but it leads to valuable threat mitigations. Rather than relying on some mystical ability to see events before they occur (the more usual meaning for “precognition”), vulnerability precognition arises from an assessment technique known as predictive analytics. It’s worth unpacking and exploring this terminology to get a sense not just of its meaning, but also of its significance and utility in combating security threats.
The analytics part of predictive analytics comes from mining the huge amounts of data that security software routinely collects from its agents in the field. As security software packages undertake continuous scanning and analysis of network traffic and payloads, they also record and respond to actual or potential attempts to exploit any of a variety of vulnerabilities. Such exploits may be known already, thanks to careful collection and distribution of signatures, heuristics, or malicious behavior patterns. Sometimes, as new vulnerabilities or exploits are discovered in real time, those same heuristics and pattern-recognition tools can even add to the enormous catalogs of known exploits and countermeasures that security software vendors routinely maintain. All in all, analytics not only detect which threats are active in the populations they monitor and measure, but also keep track of the number of observations of each threat, its geographical distribution, the methods whereby it propagates, how quickly it propagates, the kinds of attack vectors it follows, and so on.
The same large volumes of data that permit analytics to detect and monitor threats also provide a mathematical foundation upon which to base predictions about them: knowing where threats are located and what kinds of network traffic patterns are prevalent allows security software to calculate their probability of arrival at the ingress points of other networks not yet affected. The degree to which exploits are observed to succeed in the monitored population also allows security providers to calculate the probability that an exploit will fail or succeed if and when it arrives at such ingress points, or at systems behind those points of ingress. Paying extremely close attention to what’s happening at any given moment in the field turns out to be an excellent basis for predicting what’s going to happen next, not only where recognized threats or attacks are concerned, but also where potential signs of threat or attack make themselves known to monitoring tools and software.
One of the most interesting effects of this kind of monitoring and prediction is that it gives security vendors tools to continually prioritize the severity of threats currently active amongst the systems and networks they monitor. This not only allows them to guide the efforts of their response teams in analyzing exploits and crafting detection tools and active or passive countermeasures (and interim workarounds where necessary), but it also allows them to provide early warning to their client populations when dangerous threats or exploits have a high probability of occurrence at specific sites, perhaps because of the systems or networks targeted, geographical location, or highly probable traffic flows likely to move such threats to such locations. In the worst case, this might mean an urgent suggestion to “slam the doors shut” on potentially vulnerable networks until countermeasures are in place, though threats of such magnitude are rare. More often, it means alerting users to potential dangers and providing information on how to mitigate potential threats before they show up on the network doorstep.
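As an added illustration (not code from the original post or from any vendor's product), here is a small Python model of the two probability calculations described in the preceding paragraphs: constructed telemetry per threat and region (prevalence, propagation rate, observed attempts and successes) feeds an estimate of arrival probability at one site's ingress and of exploit success on arrival, and the product ranks threats for early warning. The threat names, regions, traffic shares and warning threshold are all assumed values.

```python
from dataclasses import dataclass
@dataclass
class Telemetry:  # one constructed field report: one threat, one region, last interval
    threat: str
    region: str
    prevalence: float       # fraction of monitored hosts in the region seeing it
    attempts: int           # exploit attempts observed
    successes: int          # attempts that actually compromised a host
    growth_per_hour: float  # observed propagation rate (fractional growth/hour)

def p_success(records, threat):
    # P(exploit succeeds | it arrives), pooled over regions; Laplace smoothing
    # keeps a single observed attempt from yielding exactly 0 or 1.
    att = sum(r.attempts for r in records if r.threat == threat)
    suc = sum(r.successes for r in records if r.threat == threat)
    return (suc + 1) / (att + 2)

def p_arrival(inbound_share, records, threat, horizon_hours):
    # P(threat reaches this site's ingress within the horizon): each source region
    # contributes share x projected prevalence; multiply the complements for "none".
    p_none = 1.0
    for r in records:
        if r.threat != threat:
            continue
        share = inbound_share.get(r.region, 0.0)
        projected = min(1.0, r.prevalence * (1 + r.growth_per_hour) ** horizon_hours)
        p_none *= 1.0 - share * projected
    return 1.0 - p_none

def prioritize(inbound_share, records, horizon_hours=4, warn_at=0.005):
    # Rank threats for one site by P(arrival) * P(success); flag those above the
    # early-warning threshold (warn_at is a constructed value, tuned per site).
    ranked = []
    for threat in sorted({r.threat for r in records}):
        pa = p_arrival(inbound_share, records, threat, horizon_hours)
        ps = p_success(records, threat)
        ranked.append((threat, pa, ps, pa * ps, pa * ps >= warn_at))
    return sorted(ranked, key=lambda row: row[3], reverse=True)

# Constructed sample data, not measurements from any real population.
TELEMETRY = [
    Telemetry("worm-A", "EU", 0.02, 200, 50, 0.5),  # spreading fast, often succeeds
    Telemetry("worm-A", "US", 0.001, 10, 1, 0.2),
    Telemetry("kit-B", "EU", 0.10, 1000, 10, 0.0),  # widespread but rarely succeeds
]
HQ_INBOUND = {"EU": 0.3, "US": 0.6}  # share of the site's inbound traffic per region

if __name__ == "__main__":
    for threat, pa, ps, risk, warn in prioritize(HQ_INBOUND, TELEMETRY):
        print(f"{threat}: P(arrive)={pa:.4f} P(success)={ps:.4f} risk={risk:.5f} warn={warn}")
```

Note how the widespread kit-B ranks below the rarer worm-A: prevalence alone would put it first, but its observed success rate is low, while worm-A's fast growth projects a higher arrival probability within the horizon.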
This kind of proactive, predictive information is what gives modern information security much of its value, and is an important criterion to look for when seeking security solutions. The best predictor of the future is indeed the immediate past, so you want to find a provider with a keen and accurate assessment of the way things stand at any given moment, to increase the level of certainty about what’s most likely to happen next.
About the Author: Ed Tittel is a full-time freelance writer and researcher who covers information security, markup languages, and Windows operating systems. A regular contributor to numerous TechTarget websites, Tom’s IT Pro, PearsonITCertification.com, and UpperTraining.com, Ed also blogs on Windows Enterprise Desktop and IT Career topics. His latest book is Unified Threat Management For Dummies. Learn more about or contact Ed at his website.