August 23, 2013, 5:09 PM — Using machine learning to automate the current manual process used to gain application visibility brings network visibility and analytics to a new level. By harnessing the power of the semantic Web through machine learning, emerging solutions let you act faster and proactively defend against cyber threats.
The timing is good, because new applications are introduced at incredible rates: More than 300 applications are created each day, and the Apple AppStore adds some 40,000 apps per month. While everyone benefits from the application diversity, they prove to be a cyber security challenge.
Security teams must dedicate skilled analysts to monitor and analyze their organizations' network activity to determine if the applications are white-listed or authorized. Unauthorized applications must be blocked from entering the enterprise network, since they might consume bandwidth, lower productivity, compromise critical data or pose potential security threats.
Even if the impact of the applications is minimal, it is critical that security organization have complete visibility. Security organizations that employ static methods (that is, manual reverse engineering) struggle to keep pace with identifying and classifying new applications, especially given the rate at which new applications are being introduced. They must use machine learning to discover applications, extract signatures and create white lists. Security analysts can then have the incisive intelligence necessary to act early, without using costly and scarce resources.
Manual reverse engineering: DPI's Achilles' heel
While deep packet inspection (DPI) solutions have historically held a place in the cyber security solution landscape, a reliance on analysts to manually reverse-engineer applications is quickly becoming the DPI Achilles' heel. DPI solutions provide visibility and enforcement of traffic policies on traffic (flow) for which a packet payload signature exists. In a recent study of a Fortune 50 gateway, DPIs were able to provide detailed visibility into 19% of network traffic, coarse visibility into 64% of the traffic captured (i.e. HTTP), and 17% of the traffic was classified as unknown.
So when faced with unidentified traffic, DPI solutions must employ manual reverse engineering, which requires weeks of investigative work by skilled analysts to identify and generate a signature from a new application, and then appropriately classify it. In the meantime, the unidentified application continues to run on the network, compromising security and operational efficiency.
Innovation Changes the Game