The Digital Sherlock Holmes

By Larry Lunetta, VP Portfolio Solutions Marketing

Anyone familiar with Sir Arthur Conan Doyle's legendary detective Sherlock Holmes has already encountered behavioral analytics. Countless times Holmes amazed new clients (and Watson) by using small clues to describe a person he had met only moments earlier in a level of detail that even the person described found hard to believe. And then there is the famous clue of the dog that did not bark in the night, which unlocked a typically thorny case.

However fictional the character, Doyle gave him uncanny observation, omnivorous information gathering and phenomenal deductive reasoning, and used those gifts to solve crimes that stumped everyone else. So, while Artificial Intelligence was not a term Doyle would have used, the concept of gathering large amounts of data and creatively "connecting the dots" to arrive at the correct conclusion fits Holmes to a tee.

We use the famous detective for context because when SC Magazine recognized Aruba’s IntroSpect UEBA with the 2018 Trust Award for Best Threat Detection solution, they called it the “Digital Sherlock Holmes”. Very apt.

IntroSpect belongs to a category of security solutions called User and Entity Behavior Analytics (UEBA). The mission of UEBA is to apply Artificial Intelligence techniques to large amounts of user, system and device IT activity data in order to find the small changes in behavior that are often indicative of a gestating attack. If your security team were infinite and as prescient as Sherlock Holmes, that is in essence what you would have. Of course, that isn't possible, but through a big data platform that consumes large volumes of network, flow, log and alert data to feed both supervised and unsupervised machine learning models, you have, as SC Magazine noted, the digital equivalent.

Using AI techniques to find advanced attacks that have evaded traditional defenses is a relatively new approach, and it is necessary because many of these attacks co-opt legitimate credentials: there is no malware signature or rule violation to match, so they can only be found through changes in behavior. As Holmes would have observed: "Why is Sally using an application at night when she has never done so? Why is she using a new device we have never seen? This is odd: she is communicating with domains that are also new." And so on.

The point is that only by establishing baselines of normal behavior, and then continuously looking across each entity's IT activity for deviations from those baselines, can an attack be found before it does damage. That is what machine learning models are designed to do, at a scale that covers hundreds of thousands of users, systems or devices.
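To make the "Sally" reasoning above concrete, here is a small added example of behavioral baselining, written for this article and not taken from IntroSpect or any Aruba code. It learns a per-user profile (devices seen, destination domains seen, and the hours of day at which each application was used) from a constructed window of activity records, then scores new records by how many independent ways they depart from that profile. The log format, the user names, the domain names and the alert threshold of two deviations are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample activity records for this example (not real IntroSpect data).
# One record per line: <ISO timestamp> <user> <device> <application> <destination domain>
BASELINE_LOGS = [
    "2018-03-01T09:12:00 sally laptop-0421 crm  crm.corp.example",
    "2018-03-01T14:03:00 sally laptop-0421 mail mail.corp.example",
    "2018-03-02T10:40:00 sally laptop-0421 crm  crm.corp.example",
    "2018-03-02T15:20:00 sally laptop-0421 crm  crm.corp.example",
    "2018-03-02T16:55:00 sally laptop-0421 mail mail.corp.example",
    "2018-03-01T08:30:00 bob   wks-0077    git  git.corp.example",
    "2018-03-02T11:15:00 bob   wks-0077    git  git.corp.example",
]

# Constructed events to score against the baseline.
NEW_LOGS = [
    "2018-03-05T11:02:00 sally laptop-0421 crm  crm.corp.example",            # ordinary daytime use
    "2018-03-05T02:17:00 sally unknown-9f3 crm  files.lookalike.example",     # night, new device, new domain
    "2018-03-05T09:05:00 bob   wks-0101    git  git.corp.example",            # new device only
]

# Assumption for the example: a single oddity may be benign (a replaced laptop),
# so alert only when two or more independent deviations line up on one event.
ALERT_THRESHOLD = 2


def parse(line):
    """Split one whitespace-separated record into a dict with a parsed timestamp."""
    ts, user, device, app, domain = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "device": device, "app": app, "domain": domain}


def new_profile():
    return {"devices": set(), "domains": set(), "app_hours": defaultdict(set)}


def build_baseline(lines):
    """Learn what 'normal' looked like for each user in the training window."""
    baseline = defaultdict(new_profile)
    for ev in map(parse, lines):
        prof = baseline[ev["user"]]
        prof["devices"].add(ev["device"])
        prof["domains"].add(ev["domain"])
        prof["app_hours"][ev["app"]].add(ev["ts"].hour)
    return baseline


def deviations(baseline, ev):
    """List the ways one event departs from its user's baseline (empty list = normal)."""
    prof = baseline.get(ev["user"])          # .get() does not create a profile for unknown users
    if prof is None:
        return ["user never seen in baseline"]
    reasons = []
    if ev["device"] not in prof["devices"]:
        reasons.append("new device %s" % ev["device"])
    if ev["domain"] not in prof["domains"]:
        reasons.append("new destination %s" % ev["domain"])
    seen_hours = prof["app_hours"].get(ev["app"])
    if seen_hours is None:
        reasons.append("new application %s" % ev["app"])
    # Hard observed-range check for hour of day; a real model would fit a
    # per-hour distribution rather than use min/max of a tiny sample.
    elif not (min(seen_hours) <= ev["ts"].hour <= max(seen_hours)):
        reasons.append("%s used at %02d:00, outside observed hours" % (ev["app"], ev["ts"].hour))
    return reasons


def detect(baseline, lines, threshold=ALERT_THRESHOLD):
    """Score each new event and return alerts for those crossing the threshold."""
    alerts = []
    for ev in map(parse, lines):
        reasons = deviations(baseline, ev)
        if len(reasons) >= threshold:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "score": len(reasons), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(alert)
```

Run as written, only Sally's 02:17 event produces an alert, with a score of 3 (new device, new destination, CRM used far outside her observed hours); Bob's new workstation yields a single deviation and stays below the threshold. That combination rule is the Holmes point in miniature: no individual clue is damning, but several small departures from the baseline on the same entity at the same time are exactly what a signature or static rule cannot express.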

Just as Holmes ruffled the feathers of the established constabulary at Scotland Yard with his unconventional techniques and annoyingly successful results, it is also true that they came to rely on him for the really tough cases. Think of AI-based UEBA the same way. Most of the everyday threats that inundate an organization are well handled by the first line of defense: AV, firewalls, IDS and so on. But when a Moriarty-like attack, insidious and based on techniques never seen before, arrives at your door, signatures and rules will be no match for it.

When the cyber game’s afoot, that’s when you need the Digital Sherlock Holmes.