Inference vs. Prediction – Why does it Matter?

Written By The SecLytics Research Team
Several cybersecurity companies today claim that their solutions include predictive threat intelligence. In most cases, they are knowingly or unknowingly making a false claim. They infer relationships from known data rather than predicting something new. Is this bad? No, it’s great. Correlating threat data to draw connections and make intelligent conclusions is a solid and valuable technique that adds value to your threat intelligence. But it isn’t prediction. It’s inference. Sounds like we are splitting hairs, right? We aren’t, and there is a point to all this. So let’s discuss the difference between inference-based intel and true predictive threat intel and why the predictive intel is so unique and has such high value.
Known Bad vs. Unknown Bad – The Struggle Is Real
In inference-based modeling, the analysis starts with Known Bads, confirmed threats that have already been spotted in the wild and reported. Inference looks at these Known Bads to try to discern patterns that allow the algorithms to determine a relationship between threats. If the relationship is scored as highly probable, the system will flag these additional threats and recommend you block them. It’s a solid model that definitely extends protection. But it is still firmly rooted in the world of existing and identified threats. Inference can’t help with novel exploits or new threat vectors unless they are closely related to an existing threat.
Predictive threat intelligence is different in a very fundamental way. A genuinely predictive model works with raw data or unknowns unrelated to existing IOCs and creates meaning by looking for a combination of other signals. In the world of machine learning, we call this the difference between a positive class and a negative class. Inference relies on positive classes, whereas prediction relies on negative classes. For a quick real-world example, let’s look at spam filters. These rely on blocklists of known bad senders, reputation scores, and analysis of various telltales within the email itself to decide what to block, what to send to your spam folder and what to allow into your inbox. It may seem like a prediction, but it is pure inference. And I repeat, very useful and very intelligent.
How Does SecLytics Augur Predictive Threat Intelligence Work?
Unlike the spam example above or the models used by many cybersecurity companies, our Augur platform makes true predictions. If you know a little about Augur, you might know that what Augur does (among other things) is identify cybercriminal infrastructure in the setup stage, on average 60 days before any attacks are launched. And it does this based on negative class information only.
Augur scours the internet daily, analyzing changes in the IP space (IPv4 and IPv6), domain name registrations, DNS resolution, and BGP announcements. Augur takes all the negative class data and leverages supervised and unsupervised learning to generate potential cybercriminal profiles, labels these profiles, and then attributes new infrastructure to these profiles.
In the unsupervised learning phase, Augur generates profiles and assigns them to potential cybercriminal and threat actor groups. Augur labels the generated profiles during the supervised learning phase and adds predicted threat category information. This turns Unknown Bad into Known Bad.
The Value of Predictive Threat Intelligence
The end product is unique, highly valuable data about imminent threats. This gives SOC teams using Augur a head start and allows them to proactively block threats before they are even detected and reported by other cybersecurity companies.
Of course, we can’t catch everything. Nobody can. That’s why we bundle over 120 other threat intel sources into our pXDR solution to provide in-depth coverage. But our predictive threat intelligence on cybercriminal infrastructure is both unique and valuable. For example, we predicted important elements of the SolarWinds supply chain hack and the Colonial Pipeline ransomware attack well before any IOCs were reported – giving our clients proactive protection.
Those are just two examples of creating Known Bads from Unknown Bads. Augur generates thousands of unique predictions every week with a false positive rate of under 0.01%. That means you can block threats identified by Augur with a high degree of confidence. If your organization needs the best protection possible, your coverage is still incomplete without Augur.
About SecLytics
Based in sunny San Diego, California, SecLytics is the leader in predictive intelligence technology and the developer of the world’s first pXDR platform. Our SaaS-based Augur pXDR platform streamlines SOC operations and uses behavioral profiling and machine learning to hunt down cybercriminals in the wild, predict attacks, and block attackers before they can get to your network.
RockITek is a distributor specializing in building and managing purpose-built consortiums that accelerate the adoption of emerging technology in the government space. We collaborate with our partners to create alignment and work together for mutual success. Our portfolio of cybersecurity solutions meets agency mission goals and addresses government requirements, policies, and processes (e.g., NIST, Zero Trust, GDPR). We are a small business (NAICS 541519) with a GSA Federal Supply Schedule 47QTCA19D0085.