Redefining the Definition of “Baseline” in Cybersecurity

Christian Wiens Director of Marketing

Christian Wiens is Director of Marketing at MixMode. He has 10+ years of experience as a cybersecurity professional. He has his BA from The University of California, Berkeley and resides in Austin, TX.

While many security solution providers promise to protect your network by establishing a baseline of your network behavior, the definition of “baseline” can vary widely.

What is a baseline?

At a basic level, a baseline is a network traffic analysis (NTA) of normal, day-to-day network behavior. Effective network security and regulatory compliance depend on a baseline benchmark that serves as a single source of truth.

Security companies typically gain access to an organization’s network and spend time logging information about how data flows in and out. Once the company’s security tool has established this baseline data, it can evaluate new behavior against it and advise the security team about anomalous behavior.

Limitations of Typical Network Baseline Creation

On the face of it, a baseline is a relatively simple concept. When it comes to cybersecurity platform solutions, however, vendors tend to gloss over the details.

Historical Data Limitations

While the standard baselining process provides insight into past network behavior, historical data is limited in predicting future behavior. Additionally, most Security Information and Event Management (SIEM) platform solutions cannot make decisions while taking context into account. These systems will trigger alerts anytime network behavior occurs that doesn’t match historical data.

The result is an ever-growing list of false positive alarms that security analysts have to sort through, and potentially, a false sense of security. Without a good baseline and a security solution that is smart enough to analyze real-time behavior against it, a network is at risk.

Resource Spend Issues

Incomplete or misleading baselines weaken your overall network security approach, but establishing an accurate baseline is challenging. The process is often time-consuming, a logistical challenge, and costly.

Most security solutions on the market today use first or second-wave AI to “train” data to make security decisions. It takes some providers a few months to train their platforms or even a few years when an organization maintains a hybrid network where some data is stored onsite and some in the cloud.

Worse, by the time the security company completes their baseline analysis, the data is mostly out of date, and will quickly change. If there’s one given regarding today’s threatscape, it’s that data is dynamic. “Normal” today may not be normal tomorrow, and what’s normal tomorrow may appear threatening against an incomplete baseline lacking context.

Typical SIEMs Can’t Handle Non-Threatening Network Behavior Shifts

One example of where the traditional baselining approach falls short is the sudden, significant shift in the way many companies started working during the 2020 Coronavirus outbreak. In response to a recent survey, 71 percent of cybersecurity professionals reported an increase in security threats during the first month of the nationwide shutdown.

For many organizations, it was business as usual one day, and a completely different, telecommuting workforce the next. Whatever baseline had been established was likely woefully out of date almost instantly.

The MixMode Approach

The fact is, some companies claim they are establishing baselines as the bedrock of their security solutions, but without unsupervised learning and context-aware AI, their effectiveness is limited.

MixMode uses true third-wave AI to gain a full understanding of an accurate, generative network baseline that evolves. The process takes about a week, not the months or years other solutions can take. MixMode is self-supervised and delivers reliable anomaly detection based on real-time data, not a historic log record.