Page 124 - Cyber Defense eMagazine January 2024
Privileged Access Analytics (PAA) is now one of the most valued capabilities in our entire portfolio—
because we started with a more precise problem statement.
Collect the right data
No AI model can be better than the data it's trained and operates on. The PAA models referenced could
not operate without knowledge of every Kerberos transaction and/or Azure AD action in the relevant
domain. That data trains the models' view of privilege and relationships, and it gives the insight needed to
evaluate account usage in real time for detection. Similarly, reliably identifying network command and
control requires very granular time-series data on packet flow, along with a massive corpus of labeled
data for both bad and good traffic.
It may be tempting to use the data that’s most readily available. For networks, that may be flow or firewall
logs rather than detailed network metadata. But shortcuts like that dramatically reduce the value
delivered.
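The paragraph above describes the data a privileged-access model needs (every Kerberos transaction in the domain) and what it does with it: learn privilege and relationships, then judge live account usage against that picture. The following is an added illustration, not code from the article or from any vendor product. It assumes Kerberos service-ticket requests have already been parsed into the fields a Windows Event ID 4769 record carries (account, service principal, client address); the `hub_threshold` rule for inferring privilege and every sample event are constructed for this example.

```python
"""Privileged-access baseline learned from Kerberos service-ticket (TGS) events.

Added illustration; not the article's or any product's code. Assumes events
are already parsed into account / service / client_ip fields (as found in
Windows Event ID 4769). All sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TgsEvent:
    account: str     # requesting account, e.g. "alice"
    service: str     # service principal requested, e.g. "cifs/fs01"
    client_ip: str   # address the request came from


class PrivilegeBaseline:
    """Learns which accounts normally reach which services, and from where.

    Privilege is inferred from observed reach: an account holding tickets
    for at least `hub_threshold` distinct services is treated as privileged,
    so a change in its behaviour carries more weight. The threshold is a
    tunable assumption for this example, not a documented rule.
    """

    def __init__(self, hub_threshold: int = 3) -> None:
        self.hub_threshold = hub_threshold
        self.services_by_account = defaultdict(set)
        self.hosts_by_account = defaultdict(set)
        self.accounts_by_service = defaultdict(set)

    def learn(self, events) -> None:
        """Record the account -> service and account -> host relationships."""
        for ev in events:
            self.services_by_account[ev.account].add(ev.service)
            self.hosts_by_account[ev.account].add(ev.client_ip)
            self.accounts_by_service[ev.service].add(ev.account)

    def is_privileged(self, account: str) -> bool:
        return len(self.services_by_account.get(account, ())) >= self.hub_threshold

    def score(self, ev: TgsEvent):
        """Return (score, reasons) for one live event judged against the baseline."""
        reasons = []
        known_services = self.services_by_account.get(ev.account, set())
        known_hosts = self.hosts_by_account.get(ev.account, set())
        if not known_services:
            reasons.append("unknown_account")
        elif ev.service not in known_services:
            reasons.append("new_service_for_account")
            # A service that only privileged accounts have ever reached,
            # now requested by a non-privileged one, is a stronger signal.
            users = self.accounts_by_service.get(ev.service, set())
            if users and all(self.is_privileged(a) for a in users) \
                    and not self.is_privileged(ev.account):
                reasons.append("service_reserved_for_privileged_accounts")
        if known_hosts and ev.client_ip not in known_hosts:
            reasons.append("new_source_host")
        weight = 2 if self.is_privileged(ev.account) else 1
        return len(reasons) * weight, reasons


# Constructed learning window: normal activity for three accounts.
BASELINE_EVENTS = [
    TgsEvent("alice", "cifs/fs01", "10.0.0.11"),
    TgsEvent("alice", "http/intranet", "10.0.0.11"),
    TgsEvent("bob", "cifs/fs01", "10.0.0.12"),
    TgsEvent("da-admin", "cifs/fs01", "10.0.0.5"),
    TgsEvent("da-admin", "ldap/dc01", "10.0.0.5"),
    TgsEvent("da-admin", "host/dc01", "10.0.0.5"),
    TgsEvent("da-admin", "mssql/db01", "10.0.0.5"),
]

# Constructed live events to evaluate against that baseline.
LIVE_EVENTS = [
    TgsEvent("alice", "cifs/fs01", "10.0.0.11"),      # routine
    TgsEvent("alice", "ldap/dc01", "10.0.0.11"),      # reaches an admin-only service
    TgsEvent("da-admin", "mssql/db01", "10.0.0.99"),  # privileged account, new host
    TgsEvent("mallory", "cifs/fs01", "10.0.0.50"),    # never seen before
]


def run_demo():
    """Learn the baseline, then score each live event; returns the results."""
    baseline = PrivilegeBaseline(hub_threshold=3)
    baseline.learn(BASELINE_EVENTS)
    return [baseline.score(ev) for ev in LIVE_EVENTS]


if __name__ == "__main__":
    for ev, (score, reasons) in zip(LIVE_EVENTS, run_demo()):
        print(f"{ev.account:9s} {ev.service:14s} {ev.client_ip:10s} score={score} {reasons}")
```

The point of the design is the one the paragraph makes: the model's notion of "privileged" and of which relationships are normal comes entirely from the Kerberos record, so a feed that drops events (or a coarser source that lacks the service principal) leaves it unable to tell an administrator's routine ticket from a workstation account's first-ever request for a domain-controller service.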
Choose the best AI approach for each problem
You have the right problem statement and the right data; now it’s time to select an AI approach tailored
to the problem you’re trying to solve. There is a plethora of machine learning (ML) techniques
available—from neural networks and deep learning, to K-means clustering, novelty detection, and (the current
rage) transformer and large language models.
As the “No free lunch” theorem dictates, just as with the data, there are no shortcuts to success when it
comes to working with AI algorithms. Data scientists and machine learning engineers (MLEs) need to
understand the data they’re working with and the problem at hand in order to select a specialized
algorithm that will achieve the desired results—and general-purpose algorithms won’t cut it. In fact,
choosing the wrong algorithm may give results that aren’t just suboptimal, but flat-out wrong.
Oh, and if you think that LLMs/transformers make this theorem obsolete, you’d be wrong: we’ve evaluated
state-of-the-art LLMs for detection use cases and found that they underperform specialized models today. LLMs
are good at predicting what’s next (e.g. how many bytes will be in the next packet), but not so good at
categorizing things (e.g. is this connection malicious or benign).
Run at speed and scale (and cost-effectively!)
Cyberattacks happen fast. This is especially true in the cloud, but even in-network, ransomware attacks
can occur seemingly in the blink of an eye. Every minute counts for defenders. According to one study,
the vast majority of organizations—90 percent—can’t detect, contain, and resolve cyber threats within an
hour.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.