We have a monitoring device to secure networks and connected devices, this monitoring device is a compliment to existing firewalls etc. We want to provide customers more value by utilising Analytics.
What are the possible approaches for the bellow given challenges? We have a simple data model consists of Networks, Devices, DNS, and service.
• identify devices that are bypassing our monitoring (this is relatively easy)
• trending: has the behaviour of a device/user/network changed? Is the change good or bad? There are a large number of drivers that can lead to change. Can we relate change back to the threat models earlier?
• recommendation engine. Can we develop a rules engine to make sensible security-related recommendations/observations? For example" “You do not seem to be using any malware/anti-virus software in your network”, “have you considered using a guest network for personal devices"
• network risk — can we provide a high level KPI/measure for associating a risk score for the entire network? This is complex, but could be incredibly valuable, say, to an Insurance company offering a small business Cyber Insurance (which is becoming big business). Gaming may be a good way to motivate our customers to further secure their network.
• DNS classification — can we associate a score with a DNS to indicate how likely it is to be: a) for human consumption b) benign?