In the information security field, bad actors have the advantage: They play proactive offense while security is generally reactive in defense. To take a more proactive footing, some organizations have been adopting threat intelligence, a security practice that involves sifting through data to identify advanced persistent threats (APTs) before attacks occur. Firms such as Ellie Mae, which provides a cloud-based platform that processes about 44 percent of mortgage applications in the U.S., have taken threat intelligence a step further by leveraging predictive analytics to deploy autonomous threat hunting.
“The nature of threat hunting is very proactive,” says Selim Aissi, senior vice president and chief security officer at Ellie Mae. “You don’t wait until an attack has happened. You explore, prioritize, and investigate threats before an attack happens or even before a malware is known.”
Ellie Mae started developing its Autonomous Threat Hunting for Advanced, Persistent Threats project a little more than two years ago to combat threats such as ransomware, which Aissi calls the most existential and expensive threat to any business. The project has earned Ellie Mae a CIO 100 Award in IT Excellence.
In December 2019, the Emsisoft Malware Lab released a report on the state of ransomware in the U.S., finding that the U.S. suffered an “unprecedented and unrelenting barrage of ransomware attacks” in 2019 with a potential cost in excess of $7.5 billion, including the cost of paying ransoms, data recovery, forensic investigations, and loss of revenue.
“The biggest threat to our industry and other similar industries has been ransomware,” Aissi says. “The impact of ransomware to any company is devastating. In SaaS-type companies, when the service is interrupted for days or weeks, that’s a disaster.”
Taking a proactive tack to ransomware
Because they provide static threat protection, traditional ransomware protection technologies struggle to keep up with new, sophisticated ransomware techniques, Aissi says. The key is to proactively learn from previous ransomware attacks in order to understand new compromise indicators and identify new evasion techniques before they can be used. Ellie Mae’s Autonomous Threat Hunting project does just that, combining threat intelligence, predictive analytics, AI, and previously identified indicators of compromise (IOCs) and feeding the results into existing security controls.
One of the biggest challenges to a successful threat intelligence program can be the sheer volume of data. Ellie Mae started by manually crunching the IOC data and feeding those insights into its security tools. But once that foundation was established, Aissi and his team undertook “a very aggressive automation journey” to give the organization the ability to act in a timely manner.
“We automated the aggregation of the data from different sources, we automated the validation, and we also automated the alerting to security operations,” Aissi says. “That was a big step in our journey.”
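The three automated stages Aissi describes (aggregate IOC feeds from several sources, validate them, alert security operations on matches) can be sketched as a small pipeline. This is an added illustration, not Ellie Mae's code; the two feed formats, the indicator values and the log lines are all constructed for the example.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample feeds (not real indicators): one CSV-style, one JSON.
FEED_CSV = """type,value
ip,203.0.113.7
domain,Update-Check.EXAMPLE
sha256,not-a-hash
ip,999.1.1.1
"""
FEED_JSON = json.dumps([
    {"type": "domain", "value": "update-check.example"},
    {"type": "sha256", "value": "a" * 64},
    {"type": "ip", "value": "203.0.113.7"},
])
HEX64 = re.compile(r"^[0-9a-f]{64}$")

def normalize(ioc_type, value):
    """Validation stage: canonicalise one indicator, or return None if malformed."""
    value = value.strip().lower()
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return None
    elif ioc_type == "sha256" and not HEX64.match(value):
        return None
    elif ioc_type == "domain" and "." not in value:
        return None
    return (ioc_type, value)

def aggregate(feeds):
    """Aggregation stage: merge feeds into {(type, value): set(source names)}."""
    merged = defaultdict(set)
    for name, raw in feeds.items():
        if raw.lstrip().startswith("["):          # JSON feed
            rows = [(r["type"], r["value"]) for r in json.loads(raw)]
        else:                                      # CSV feed, skip header row
            rows = [tuple(l.split(",", 1)) for l in raw.splitlines()[1:] if l]
        for ioc_type, value in rows:
            key = normalize(ioc_type, value)
            if key:
                merged[key].add(name)
    return merged

def alerts(merged, log_lines, min_sources=1):
    """Alerting stage: (log line, indicator, sources) for each corroborated match."""
    hits = []
    for line in log_lines:
        for (ioc_type, value), sources in merged.items():
            if len(sources) >= min_sources and value in line.lower():
                hits.append((line, value, sorted(sources)))
    return hits
```

Raising `min_sources` is one simple way to suppress alerts on indicators seen in only a single feed, which is the kind of tuning an analyst would otherwise do by hand.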
Another big step: gathering support from executive leadership and stakeholders. Early on Aissi made the rounds with the senior executive team, the board of directors, regulators, and executive advisory boards.
“I have done a lot of validations of our threat hunting program for the last three years,” Aissi says. “There’s a lot of input that came into this. We are executing on a well-defined plan and roadmap and we’re not done yet.”
As with many big transformational projects, change management has also been an essential ingredient.
“From a change management perspective, a lot of the impact was really on my security operations and engineering teams,” Aissi says. “A lot of these capabilities have traditionally been manual, and security analysts had to go collect the threat information and manually input that information into tools. We had to adjust to this and train the security analysts and engineers to this new autonomous way of doing things.”
For Aissi, change management was especially important because the Autonomous Threat Hunting program is not a standalone one; it’s now tied into everything the cybersecurity organization does, including the vulnerability management program and patch management. The upside, though, is that eliminating manual threat hunting tasks has freed security engineers and security analysts to perform other tasks and has enabled the team to eliminate several security tools that were only capable of static monitoring and detection.
The project also required a high level of cross-departmental collaboration. The security team worked closely with engineering, infrastructure, cloud, and quality assurance to identify all critical assets that could be affected by ransomware, as well as all network protocols that could be exploited to spread malware, Aissi says. The teams also collaborated on business impact assessments to evaluate the potential impact of ransomware. Security also coordinated with legal, privacy, key customers, and law enforcement agencies to ensure the autonomous aspects of the technology aligned with legal and privacy obligations.
Aissi says the program has increased security operational efficiency by roughly 35 percent and has led to a roughly 10x improvement in early identification of threats. It has also increased the speed of resolution of new threats by about 60 percent.
Aissi’s advice to other security professionals seeking to start a threat hunting program is to take a strategic, long-term view.
“Autonomous threat hunting is not something you can spin up in a short time,” Aissi says. “It takes a lot of planning, people and tools training, defining clear SLAs, investment, integration, and automation.”
He also stresses that you must build a robust threat intelligence capability before you can go threat hunting. Finally, he says, ensure that you’re harmonizing the program with other stakeholders in the company.