Cognitive Security – Positioning Network Behavior Analysis in the Security Ecosystem

Portfolio - Cognitive Security, Cognitive Analyst (title)

Cognitive Positioning

Modern Internet security practice has been traditionally formed by building security layers. These layers are analogous to multiple concentric walls, to which more of them serves to providing additional layers of protection.  Individually each wall has its limitations, but collectively they create a strong defensive perimeter. The challenge CTOs or CISOs face is in balancing security spending against an acceptable level of protection needed to facilitate corporate objectives. This balance is formed by establishing a corporate strategy, and mapping security spending to protect these goals.

The first layer of defense; Baseline security (as shown in the figure) is considered ubiquitous and necessary for even the smallest of enterprises. Namely, the installation of;

  • Firewalls to reduce the number of accessible ports, and provide basic packet filtering functionality
  • Anti-virus solutions to protect desktop and servers from known malware, viruses, and Trojans
  • Email security to prevent malicious code from infiltrating the perimeter hidden in the communication stream, and
  • VPN solutions (such as SSL, IPsec, or point-to-point tunnels) to impede man-in-the-middle attacks, and encrypt sensitive traffic.

Until recently these devices have enjoyed an install-and-forget approach, based on the notation that they have the means to protect through technology alone. Through tried and true product updates, Baseline Security devices have been relatively successful in keep up with new malware instances such as worms, Trojans or viruses. But this security layer struggles with its own limitations due to the timeliness of signature updates, the reactiveness of vendors to write them, and the reliance on end-users to immediately deploy software patches.

Figure i – Security Eco-System

Figure i – The Security Eco-System

As threats have become more complex, the need for
Advanced Security has evolved to meet these growing needs. Devices at this security layer focus on a cross-device, multi-layer, and multi-department view of security.Criminals are well aware of the latency that software vendor face to write a signature. This delay allows perpetrators to maximize the damage that their malware can reap during their window of opportunity. Ultimately this opportunity closes when the end user finally deploys an associated patch. Attack detection is further complicated by viruses that can morph to avert detection – referred to as ‘polymorphic malware’. Signature databases for known viruses are typically not up-to-date with the latest variants. For these reasons it has become increasingly challenging for Baseline Security devices to keep up with criminals that are continually evolving their craft to circumvent detection. Automatic signature updates and patching relies on administrators to deploy them. But patching does not always happen because it may lead to application instability and compatibility issues for mission critical applications. As a result this opens additional opportunities for criminal hackers to breach the perimeter of a company.

  • An Intrusion Detection and Prevention system (IDS and IPS respectively) greatly enhances the administrator’s visibility into complex threats to their environment, and overcomes some of the detection limitations of Baseline Security devices. For example, an IDS in stealth mode stretches it’s visibility to all traffic on a LAN segment, or spam port, thus increasing its security monitoring capabilities across multiple devices, compared to firewalls that only see what passing through it.
  • Likewise, Vulnerability Management and Scanning Services (VMS) provide visibility into the exposed ‘holes’ from which criminals could exploit and compromise the enterprise. VMS solutions are initially deployed to detect vulnerabilities of critical web-facing applications such as online banking, and are also very effective in identifying enterprise-wide weaknesses. Once identified these vulnerabilities require prioritization due to human resource constraints and the cost to patch every single vulnerability. As a result, prioritization is required, so that only gaping holes are filled. Most of the remaining vulnerabilities classified as ‘low risk’ are left exposed.
  • A further layer of defense in this category is the implementation of web security which provides the necessary protection of content filtering. Since many firewalls only have port 80 (http), and 443 (https) open, this has redirected most threats through these ports. Enter Web Security which mitigates some attacks by filtering browser-level communications, as well as significantly reducing spam traffic.
  • Web Application firewalls on the other hand, provide a different level of protection at the application level, by mitigating attacks undetectable by network security appliances, such as SQL injections or cross site scripting (XXS).
  • Identity and Access Management (IAM) further diverts focus from the device level over to one of the most vulnerable corporate resources – employees.  By extending security to include people, the mantra becomes, “Let the good guys in“, not, “Keep the bad guys out”, and encompasses fairly complex deployments of Authentication, Authorization, & Accounting (AAA) solutions. These solutions have their own challenges in modifying the corporate culture and providing security awareness education.
Figure ii – Modern Threats Require Higher Walls

Figure ii – Modern Threats Require Higher Walls

Implementing some or all of these security layers results in escalating complexity. Advanced Security requires a level of security expertise that does not exist in a typical SME (Small to Medium sized Enterprise). They don’t have the in-house expertise to configure, tune and efficiently operate these platforms and outsourcing options are also considered cost-prohibitive.

Even though Advanced Security devices answer the need to protect against an exponential increase in attack complexity, is it enough? Even Advanced Security devices have their limits since they focus on known attack patterns. Current and future attacks now focus on unknown attack patterns.

Ideally, an operating system (OS) vendor, software company, or device manufacturer, would like to discover their own vulnerabilities, and patch them at their leisure.  Currently most patches are available in days, but some patches takes weeks or months to write.  Regardless, there are 37% of vulnerabilities which are never patched[1].  At the very least, vendors would prefer to be informed by the internet experts that vulnerability exists in their product before it is made public, and allow them time to create a patch. The hope is that a patch will precede any exploit before the criminal eMarketplace could take advantage of it (Shown in the figure as “Ideal”). Unfortunately, in some cases the criminals win the race, and deploy an exploit before a patch is available, as shown in the figure as a “Threat“. Although, what has become common practice today for modern cyber-threats, are exploits that are deployed before the actual vulnerability is known, thus labeled as a “zero-day” attack. Once the exploit is deployed in cyberspace, the industry is caught unaware of the source vulnerability.  In this scenario, since the vulnerability isn’t known, the industry must scramble to reverse engineer the exploit and utilize sophisticated forensics, and reverse engineering techniques to determine what is the source vulnerability. Once a reverse engineer identifies the vulnerability they can create a patch to protect against the attack. To minimize exposure some vendors focus on creating signatures against the actual exploit itself (of which there may be thousands). In other words, they want to be able to detect when a zero day attack is occuring even if they don’t yet know the vulnerability. It’s similar to monitoring a thief entering your home before you have installed a lock on the door – at least you can catch them in the act. The next phase in this reverse engineering process is to replace the exploit signatures with the vulnerability signature. Zero-day exploit criminals enjoying looting of identities, committing fraud, or stealing corporate secrets. They also avert detection by morphing their attack. The company must increase resources to thwart the attack, and defend against each variant. Modern sophisticated attacks require a combination of intelligence, self-learning, and the ability to analyze a longer timeline of data in order to distinguish between normal and anomalous network behavior.

Expert Security evolves defense strategies to the next level, and offers a cost effective approach to solving complex security threats. As mentioned above, zero-day attacks do not have signatures or “blueprints”. This is intentional from the criminal’s perspective because their vulnerability database is a valuable asset in the lucrative acquisition of corporate secrets, leading to a huge pay-cheque. Therefore it’s beneficial for the criminal to keep their portfolio of vulnerabilities a secret, so that they can spend their unhindered timeframe to write their exploits.  Enter Network Behavior Analysis and Anomaly Detection (NBA & AD) which uses a series of algorithms and artificial intelligence (A.I.) to learn the normal behavior of a network and segment the bad traffic from the good.  NBA & AD identifies attacks that have no known signature or patterns, and provide the necessary protection against any state-of-the-art attack. This approach effectively builds a higher wall for cyber criminals, making it even more difficult for them to compromise valuable client resources. Ideally the goal is to create a scenario where it is financially impractical for the criminal to deploy their attack, and to conclude that there is a poor return on investment (ROI) in their efforts. NBA increases the operational costs for a criminal, deterring their interest in the corporate asset.

Figure iii – Vulnerability vs. Exploit vs. Patch

Figure iii – Vulnerability vs. Exploit vs. Patch

Although some enterprises view
Security as a Service as costly alternative in their security spending – and have perceived concerns of losing control of their critical assets to the cloud – this solution is often a necessary evil to keep-up with the battle being fought in cyberspace.Expert Security addresses the need to implement more robust and cost effective levels of expertise, and also helps to bridge the gap to higher, and more expensive enterprise security solutions, such as Security as a Service. As companies grow, their need for additional layers of protection is paramount to ensure asset protection. Network Behavior Analysis and Anomaly detection are the building blocks of Expert Security.  Security as a Service supplied by Managed Security Service Provides (MSSP) is currently the definitive layer in the security eco-system. This layer adds assets such as people, process and expertise, to provide 24×7 security monitoring, and addressing the need to protect companies during off-hours – A time when employees are asleep but the criminals are not.  Expert Security helps to ease the transition for companies considering Security as a Service, and provides a cost effective approach in such a transition.  Network Behavior Analysis solutions utilizes a sophisticated product based approach which assists in the diagnosis of modern attack vectors, and provides a new level of viaibility in MSSP diagnostics.


Corporate leaders face complex challenges in balancing security spending against the evolving risks that internet commerce presents. This has resulted in new and advanced levels of protection. Expert Security addresses the need to implement more robust and cost effective levels of expertise and helps to bridge the gap to higher – culturally adverse – outsourced solutions. As companies expand, their need for additional layers of protection it is paramount to ensure asset protection. Network Behavior Analysis are the building blocks of Expert Security, and offers a viable solution to modern sophisticated cyber-attacks.

About Cognitive Security

Cognitive Security specializes in Network Behavior Analysis, allowing businesses to identify and protect themselves against sophisticated network attacks.

Cognitive Security offers solutions designed to fill the security gaps left by the current generation of network security tools. Our expertise in Network Behavior Analysis allows us the ability to accurately expose both known and unknown attacks. Our solution is ideally suited for the detection, prioritization and handling of modern-day attack patterns that would typically evade a client’s defenses.

Please contact us at, or for more details.

About the Author

Gabriel Dusil oversees the global sales & marketing strategies of Cognitive Security, with a mandate to expand the company’s presence across Europe, the USA, and beyond.

Before joining Cognitive Security, Gabriel was the Director of Alliances at SecureWorks, responsible for partnerships across Europe, Middle East, and Africa (EMEA).  Previous to SecureWorks, Gabriel worked at VeriSign and Motorola in a combination of senior marketing and sales roles.

Over nearly two decades, Gabriel’s experience has encompassed the development and management of international partner programs, EMEA marketing & sales, and business development.  Gabriel has also lectured in security, authentication, and data communications, as well as speaking in several prominent IT symposiums.

Gabriel obtained a Degree in Engineering Physics from the University of McMaster, in Canada and has advanced knowledge in Cloud Computing, SaaS (Security as a Service), Managed Security Services (MSS), Identity and Access Management (IAM), and Security Best Practices.


Network Behavior Analysis, NBA, Cyber Attacks, Forensics Analysis, Normal vs. Abnormal Behavior, Anomaly Detection, NetFlow, Incident Response, Security as a Service, SaaS, Managed Security Services, MSS, Monitoring & Management, Advanced Persistent Threats, APT, Zero-Day attacks, Zero Day attacks, polymorphic malware, Modern Sophisticated Attacks, MSA, Non-Signature Detection, Artificial Intelligence, A.I., AI, Security Innovation, Mobile security, Cognitive Security, Cognitive Analyst, Forensics analysis, Gabriel Dusil

[1] IBM X-Force® 2011 Mid-year Trend and Risk Report, Figure. 33: Vendor Patch Timeline 11.H1

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.