Threat actors are using artificial intelligence (AI) and machine learning (ML) to launch sophisticated attacks faster than ever. The challenge is to use the right AI/ML techniques in the right ways to at least keep pace with them.
Our R&D and Labs teams have been building and training our AI engine in-house from Day 1, and we’ve been refining it ever since based on insights from thousands of real-world OT and IoT environments.
We know how to collect the right data, provide the right context and use the right AI techniques so industrial and critical infrastructure organizations can defend themselves in today’s world.
We use a variety of AI and ML models throughout our platform, choosing the right tool (ML, predictive analytics, behavioral analytics, Bayesian Networks, LLMs) for the task at hand, so you get actionable insights into your environment that explain what to do now to increase operational and cyber resilience.
A complete, accurate inventory of all assets in your environment is the input that enables our AI engine to produce the right outputs.
We use a variety of network, endpoint and wireless sensors; active and passive discovery techniques; and deep packet inspection (DPI) with comprehensive protocol fluency to analyze network traffic and understand behavior.
Our AI engine continuously learns from millions of monitored assets so it can fill in gaps about identical devices across environments, giving you the breadth and depth of data needed to detect threats and anomalies and manage risk.
SOC analysts are overwhelmed by too many alerts: uncorrelated and unprioritized alerts, false positives, alerts they don’t understand and alerts without enough information to act on. AI analyzes, prioritizes and mutes alerts so staff can focus on what matters.
A manual asset inventory is always incomplete, incorrect and out of date. Except for the most obvious details about the assets you know about, there’s no way to collect all the data and context needed to establish behavioral baselines and inform anomaly and threat detection.
CISOs are increasingly responsible for OT/IoT risk as a growing percentage of enterprise risk, which has exposed the perpetual shortage of OT/IoT cybersecurity talent. AI helps bridge the skills gap and sharply reduces the hours needed to perform tedious tasks.
To correctly identify assets, classify them, fill in missing information and enrich what we know about them, we use machine learning to match observed characteristics with a continuously updated database of device profiles maintained by Nozomi Networks Labs. If limited data is available, our behavioral inference models can infer asset types and roles based on traffic patterns and protocol usage.
We also leverage Bayesian Networks, a probabilistic model used to reason under uncertainty, to predict what asset information belongs in missing data fields until it can be collected or otherwise populated. This is a very effective way to avoid misclassification of key data used to detect threats and anomalies and manage risk.
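The following is an added illustration of the Bayesian-network idea described above; it is example code written for this article, not Nozomi Networks' model. It builds a small star-shaped network (device type as the parent, one binary "protocol observed" node per protocol and an OS node as children) with constructed, made-up conditional probability tables, runs exact inference over it, and only fills a missing field when the posterior clears a confidence threshold, recording every filled field as inferred rather than observed. The device types, protocols, OS names and all probabilities are assumptions for the example.

```python
import math

# Constructed, illustrative conditional probability tables for a small Bayesian
# network: Type -> Protocol_i (one binary node per protocol) and Type -> OS.
# Every number here is an assumption for the example, not a vendor's model.
PRIOR_TYPE = {"plc": 0.45, "hmi": 0.25, "eng_ws": 0.20, "historian": 0.10}

# P(protocol observed on the wire | device type)
P_PROTO_GIVEN_TYPE = {
    "modbus": {"plc": 0.80, "hmi": 0.60, "eng_ws": 0.30, "historian": 0.20},
    "s7comm": {"plc": 0.50, "hmi": 0.40, "eng_ws": 0.35, "historian": 0.10},
    "opc-ua": {"plc": 0.10, "hmi": 0.50, "eng_ws": 0.40, "historian": 0.85},
    "rdp":    {"plc": 0.01, "hmi": 0.30, "eng_ws": 0.70, "historian": 0.50},
    "smb":    {"plc": 0.02, "hmi": 0.40, "eng_ws": 0.80, "historian": 0.70},
}

# P(operating system | device type)
P_OS_GIVEN_TYPE = {
    "plc":       {"vxworks": 0.55, "embedded-rtos": 0.40, "windows": 0.05},
    "hmi":       {"vxworks": 0.02, "embedded-rtos": 0.18, "windows": 0.80},
    "eng_ws":    {"vxworks": 0.01, "embedded-rtos": 0.04, "windows": 0.95},
    "historian": {"vxworks": 0.01, "embedded-rtos": 0.04, "windows": 0.95},
}


def posterior_over_type(protocols_seen, known_os=None):
    """Exact inference for the star-shaped network: P(type | evidence).

    Only protocols actually seen are used as evidence. A protocol that was not
    seen is treated as unobserved (marginalised out), not as absent, because
    passive capture over a finite window cannot prove a device never speaks it.
    """
    log_scores = {}
    for dev_type, prior in PRIOR_TYPE.items():
        logp = math.log(prior)
        for proto in protocols_seen:
            logp += math.log(P_PROTO_GIVEN_TYPE[proto][dev_type])
        if known_os is not None:
            logp += math.log(P_OS_GIVEN_TYPE[dev_type][known_os])
        log_scores[dev_type] = logp
    # Normalise in log space so many evidence nodes cannot underflow to zero.
    top = max(log_scores.values())
    weights = {t: math.exp(v - top) for t, v in log_scores.items()}
    total = sum(weights.values())
    return {t: w / total for t, w in weights.items()}


def os_marginal(type_posterior):
    """P(os | evidence) = sum over types of P(os | type) * P(type | evidence)."""
    marginal = {}
    for dev_type, p_type in type_posterior.items():
        for os_name, p_os in P_OS_GIVEN_TYPE[dev_type].items():
            marginal[os_name] = marginal.get(os_name, 0.0) + p_type * p_os
    return marginal


def fill_missing_fields(asset, threshold=0.6):
    """Return a copy of `asset` with missing 'type'/'os' predicted by the network.

    A field is filled only when the posterior mode reaches `threshold`, and each
    filled field is listed in asset['inferred'] with its confidence so downstream
    logic can tell a prediction from an observation.
    """
    asset = dict(asset)
    inferred = dict(asset.get("inferred", {}))
    protocols = [p for p in asset.get("protocols_seen", []) if p in P_PROTO_GIVEN_TYPE]
    known_os = asset.get("os") if asset.get("os") in P_OS_GIVEN_TYPE["plc"] else None

    if asset.get("type") is not None:
        type_post = {asset["type"]: 1.0}          # an observed type is hard evidence
    else:
        type_post = posterior_over_type(protocols, known_os)
        best, conf = max(type_post.items(), key=lambda kv: kv[1])
        if conf >= threshold:
            asset["type"] = best
            inferred["type"] = round(conf, 3)

    if asset.get("os") is None:
        # Sum over the (possibly still uncertain) type posterior rather than
        # committing to one type first: OS can be confident while type is not.
        best, conf = max(os_marginal(type_post).items(), key=lambda kv: kv[1])
        if conf >= threshold:
            asset["os"] = best
            inferred["os"] = round(conf, 3)

    asset["inferred"] = inferred
    return asset


if __name__ == "__main__":
    print(fill_missing_fields({"ip": "10.0.0.5", "protocols_seen": ["modbus", "s7comm"]}))
    print(fill_missing_fields({"ip": "10.0.0.7", "protocols_seen": ["rdp", "smb", "opc-ua"]}))
```

Two behaviours are worth noticing when running it: a device seen speaking Modbus and S7comm gets its type filled (PLC, about 0.68) but not its OS, because the OS marginal is spread across VxWorks and an embedded RTOS; a device seen speaking RDP, SMB and OPC UA gets its OS filled (Windows, above 0.9) even though the network cannot decide between engineering workstation and historian. Marginalising over the uncertain parent is exactly what a flat lookup table cannot do.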
Together, the wide array of sensors, data collection methods and AI enrichment techniques continuously raises your overall inventory accuracy.
Effective vulnerability management involves contextualizing and prioritizing vulnerabilities and correlating them with real-world risk in your environment. Our platform uses AI-trained asset fingerprinting to identify device make, model, firmware version, OS and more. This enriched profile is used to match the device against known CVEs with far greater accuracy than traditional scanners.
We then use Bayesian inference and weighted probabilistic models to calculate a dynamic, multi-factor risk score that includes vulnerability risk, including patch status.
While continuously monitoring your environment, the platform uses temporal correlation, behavior modeling and threat pattern matching to identify suspicious behavior near a vulnerable asset, inbound probes from threat actors or lateral movement patterns. Any of these events triggers a risk score elevation and alerts, helping teams prioritize vulnerabilities that are actively being targeted.
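As an added worked example of the two steps just described (fingerprint-to-advisory matching with patch status, then elevating the score when recent alerts target the vulnerable asset), here is example code written for this article, not Nozomi Networks' implementation. The advisory database, vendor and product names, identifiers (EXAMPLE-VULN-n, deliberately not CVE-shaped), the alert stream, the 24-hour correlation window and the x1.25 elevation factor are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_version(version: str) -> tuple:
    """'2.10.3' -> (2, 10, 3). Tuple comparison orders numerically, so
    2.10.0 > 2.9.9, which plain string comparison gets wrong."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str              # constructed placeholder, not a real CVE identifier
    vendor: str
    product: str
    affected_from: str        # first affected firmware, inclusive
    fixed_in: Optional[str]   # first fixed firmware, exclusive; None = no fix published
    cvss: float


# Constructed advisory database for the example; vendor, product and IDs are made up.
VULN_DB = [
    VulnRecord("EXAMPLE-VULN-1", "examplevendor", "modelx-plc", "2.0.0", "2.2.0", 7.5),
    VulnRecord("EXAMPLE-VULN-2", "examplevendor", "modelx-plc", "1.0.0", "2.1.0", 9.8),
    VulnRecord("EXAMPLE-VULN-3", "examplevendor", "modelx-plc", "1.5.0", None, 5.3),
    VulnRecord("EXAMPLE-VULN-4", "othervendor", "modelx-plc", "2.0.0", "3.0.0", 8.1),
]

# Alert types that count as "this asset is being targeted" (assumed taxonomy).
TARGETING_EVENT_TYPES = {"inbound_probe", "port_scan", "lateral_movement"}


def match_vulns(fingerprint: dict) -> list:
    """Match a {vendor, product, firmware} fingerprint against VULN_DB.

    Vendor and product must match after normalisation and the firmware must lie
    in [affected_from, fixed_in). A device already running fixed_in or later is
    not reported, so patch status is part of the match, not a separate lookup.
    """
    fw = parse_version(fingerprint["firmware"])
    vendor = fingerprint["vendor"].lower()
    product = fingerprint["product"].lower()
    matched = []
    for rec in VULN_DB:
        if rec.vendor != vendor or rec.product != product:
            continue
        if fw < parse_version(rec.affected_from):
            continue
        if rec.fixed_in is not None and fw >= parse_version(rec.fixed_in):
            continue
        matched.append(rec)
    return matched


def vulnerability_risk(fingerprint, events, now, window=timedelta(hours=24)):
    """Dynamic vulnerability risk in [0, 1] for one asset.

    Base: worst matched CVSS / 10 plus 0.02 per additional matched vuln.
    Elevation: x1.25 when a probe, scan or lateral-movement event had this asset
    as destination inside `window`. The constants are assumptions.
    """
    matched = match_vulns(fingerprint)
    if not matched:
        return {"score": 0.0, "matched": [], "patch_available": False,
                "actively_targeted": False}
    base = max(r.cvss for r in matched) / 10.0 + 0.02 * (len(matched) - 1)
    targeted = any(
        ev["type"] in TARGETING_EVENT_TYPES
        and ev["dst"] == fingerprint["ip"]
        and now - ev["ts"] <= window
        for ev in events
    )
    return {
        "score": min(1.0, base * (1.25 if targeted else 1.0)),
        "matched": [r.vuln_id for r in matched],
        "patch_available": any(r.fixed_in is not None for r in matched),
        "actively_targeted": targeted,
    }


# Constructed sample input: one PLC and a three-event alert stream.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINGERPRINT = {"ip": "10.0.0.5", "vendor": "ExampleVendor",
                      "product": "ModelX-PLC", "firmware": "2.1.3"}
SAMPLE_EVENTS = [
    {"ts": NOW - timedelta(hours=2), "type": "inbound_probe", "src": "203.0.113.9", "dst": "10.0.0.5"},
    {"ts": NOW - timedelta(days=3), "type": "port_scan", "src": "10.0.0.77", "dst": "10.0.0.5"},
    {"ts": NOW - timedelta(hours=1), "type": "inbound_probe", "src": "203.0.113.9", "dst": "10.0.0.6"},
]

if __name__ == "__main__":
    print(vulnerability_risk(SAMPLE_FINGERPRINT, SAMPLE_EVENTS, NOW))
```

Running it on the sample reports EXAMPLE-VULN-1 and EXAMPLE-VULN-3 for firmware 2.1.3 (EXAMPLE-VULN-2 is excluded because 2.1.0 already fixed it), flags the asset as actively targeted because of the two-hour-old probe, and ignores both the three-day-old scan and the probe at a different host. Two practitioner details are baked in: version strings are compared as integer tuples, and a record with no published fix still matches but is reported with `patch_available` false, which is the case the risk score should weight hardest.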
Operational anomalies can't reliably be detected with simple rules alone. A combination of ML, predictive analytics and behavioral analytics is essential for baselining asset behavior and detecting anomalies.
Upon deployment, the Nozomi Networks platform begins monitoring device communications in "learning mode," all the way down to process-level variables. It uses ML and predictive analytics to create detailed profiles of the expected behavior of every device at each stage in a process to establish a baseline of “normal” behavior.
When switched to "protection" mode, the platform uses behavioral analytics to monitor the environment, compare current behavior against baselines and alert on suspicious events that deviate from them, evaluating their criticality and classifying them as a process or cybersecurity anomaly. Even when in protection mode, the system dynamically updates the baseline if normal conditions change.
To reduce false positives, we use behavioral modeling, pattern recognition and other techniques to filter out benign changes such as legitimate firmware updates.
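The learning-mode/protection-mode cycle described in the last three paragraphs, reduced to an added, self-contained example written for this article (it is not Nozomi Networks' detection code). It baselines two things during learning: the set of communication tuples seen, and a running mean and variance per process variable (Welford's algorithm, so the baseline can keep updating in protection mode without storing samples). In protection mode it classifies out-of-band values as process anomalies, never-seen communications as cybersecurity anomalies, and filters out firmware changes that match a change-management allowlist. The events, thresholds (3 sigma, "high" above 6 sigma), categories and the allowlist mechanism are all assumptions for the example.

```python
import math
from collections import defaultdict


class BehaviorBaseline:
    """Learning-mode baselining and protection-mode anomaly detection.

    Baselines kept:
      * communications: every (src, dst, protocol, function) tuple seen;
      * process variables: running mean/variance per (device, variable).
    Thresholds, categories and criticality levels are assumptions.
    """

    def __init__(self, k_sigma=3.0, approved_firmware=None):
        self.mode = "learning"
        self.k_sigma = k_sigma
        self.comms = set()
        self.var_stats = defaultdict(lambda: [0, 0.0, 0.0])  # n, mean, M2 (Welford)
        self.firmware = {}
        # Versions announced through change management: a firmware change to an
        # approved version is a benign change and must not raise an alert.
        self.approved_firmware = dict(approved_firmware or {})

    def switch_to_protection(self):
        self.mode = "protection"

    def _update_stats(self, key, value):
        stats = self.var_stats[key]
        stats[0] += 1
        delta = value - stats[1]
        stats[1] += delta / stats[0]
        stats[2] += delta * (value - stats[1])

    def _mean_std(self, key):
        n, mean, m2 = self.var_stats[key]
        return mean, (math.sqrt(m2 / n) if n > 1 else 0.0)

    def observe(self, event):
        """Feed one event; return a list of alerts (always empty in learning mode)."""
        alerts = []
        kind = event["kind"]

        if kind == "comm":
            key = (event["src"], event["dst"], event["proto"], event["func"])
            if self.mode == "learning":
                self.comms.add(key)
            elif key not in self.comms:
                alerts.append({"category": "cybersecurity", "criticality": "high",
                               "reason": f"new communication {key}"})

        elif kind == "process_value":
            key = (event["device"], event["var"])
            value = float(event["value"])
            if self.mode == "learning":
                self._update_stats(key, value)
            elif key not in self.var_stats:
                # A variable never touched during learning is itself suspicious.
                alerts.append({"category": "cybersecurity", "criticality": "medium",
                               "reason": f"new process variable {key}"})
                self._update_stats(key, value)
            else:
                mean, std = self._mean_std(key)
                # A constant variable has std 0: any deviation is then a large z.
                z = abs(value - mean) / (std if std > 0 else 1e-9)
                if z > self.k_sigma:
                    alerts.append({"category": "process",
                                   "criticality": "high" if z > 2 * self.k_sigma else "medium",
                                   "reason": f"{key}={value} outside {mean:.2f} +/- "
                                             f"{self.k_sigma}*{std:.2f}"})
                else:
                    # In-band values keep refining the baseline in protection mode;
                    # out-of-band values are deliberately NOT learned.
                    self._update_stats(key, value)

        elif kind == "firmware":
            device, version = event["device"], event["version"]
            previous = self.firmware.get(device)
            self.firmware[device] = version
            if (self.mode == "protection" and previous not in (None, version)
                    and self.approved_firmware.get(device) != version):
                alerts.append({"category": "cybersecurity", "criticality": "high",
                               "reason": f"unapproved firmware change on {device}: "
                                         f"{previous} -> {version}"})
        return alerts


def build_sample_baseline():
    """Constructed traffic: an HMI writing a setpoint of 49..51 to a PLC."""
    b = BehaviorBaseline(approved_firmware={"plc-1": "2.2.0"})
    for v in [49.0, 50.0, 51.0] * 10:
        b.observe({"kind": "comm", "src": "10.0.0.10", "dst": "10.0.0.5", "proto": "modbus", "func": 16})
        b.observe({"kind": "process_value", "device": "plc-1", "var": "setpoint", "value": v})
    b.observe({"kind": "firmware", "device": "plc-1", "version": "2.1.3"})
    b.switch_to_protection()
    return b


if __name__ == "__main__":
    b = build_sample_baseline()
    print(b.observe({"kind": "process_value", "device": "plc-1", "var": "setpoint", "value": 95.0}))
    print(b.observe({"kind": "comm", "src": "10.0.0.99", "dst": "10.0.0.5", "proto": "modbus", "func": 8}))
```

The design choice to check is the asymmetry in the last branch of `process_value`: values inside the band update the baseline (so slow drift of normal conditions is absorbed), but values outside it never do, otherwise an attacker could walk a setpoint out of range one sigma at a time and have the detector learn the new value as normal.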
Rule-based detection, including signature matching, is efficient for detecting known threats, where the indicators are easily observable and identifiable. Unknown threats, including zero days, require the same behavior-based detection techniques as anomalies. Neural network models, Bayesian Networks and other AI techniques are also essential for managing threat-related alerts and prioritizing mitigations.
Neural network models correlate multi-variable events across your environment to reduce investigation time and spot complex threats such as advanced persistent threats. Our query engine analyzes these correlated alerts alongside asset attributes and network relationships to suggest the right steps to take.
Root cause analysis is essential for threat investigation. Our platform uses neural networks, clustering and time-series analysis to correlate behavior across assets, traffic and time. It quickly isolates the source of anomalies or alerts by identifying causal chains, which reduces investigation time and enables faster, more targeted response.
The Nozomi Networks platform calculates dynamic risk scores for each of your assets to help you prioritize security efforts, address the most critical risks first and mitigate them effectively. It calculates asset risk from these factors with customizable weights: vulnerability risk, alert risk, communication risk, device risk, asset criticality and the compensating controls in place.
We use a combination of ML, predictive analytics and behavioral analytics to calculate risk scores at the asset, facility and enterprise level. These same tools are used to recommend actions to take, ranked by how much they will reduce your overall risk score.
Calculations are updated as the threat environment changes, new vulnerabilities are reported, we see anomalous behavior in your network and as you add controls, so you can assess their impact.
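To make the three paragraphs above concrete, here is an added example written for this article of a weighted multi-factor asset score, its roll-up to facility and enterprise level, and a recommendation list ranked by how much each candidate control would lower the enterprise score. It is not Nozomi Networks' scoring model: the factor weights, the way criticality multiplies the weighted sum, the discount each compensating control applies, the plain-mean roll-up and the three sample assets are all constructed assumptions. (Computing the vulnerability factor itself from fingerprints and advisories is a separate step and is not repeated here; the factors arrive as numbers in [0, 1].)

```python
from dataclasses import dataclass, field, replace

# Default weights for the four measured factors. Asset criticality multiplies
# the weighted sum; compensating controls discount the factor they mitigate.
# All weights and discounts are assumptions for the example.
DEFAULT_WEIGHTS = {"vulnerability": 0.35, "alert": 0.25, "communication": 0.20, "device": 0.20}

# control name -> (factor it mitigates, fraction of that factor it removes)
CONTROLS = {
    "apply_patch": ("vulnerability", 1.0),
    "network_segmentation": ("communication", 0.6),
    "endpoint_hardening": ("device", 0.5),
}


@dataclass
class Asset:
    asset_id: str
    facility: str
    factors: dict                     # factor name -> value in [0, 1]
    criticality: float                # 0..1, how much the process depends on it
    controls: list = field(default_factory=list)
    patch_available: bool = False


def asset_risk(asset, weights=DEFAULT_WEIGHTS):
    """criticality * sum(weight * factor * (1 - discount from controls in place))."""
    score = 0.0
    for name, w in weights.items():
        value = asset.factors.get(name, 0.0)
        for ctrl in asset.controls:
            factor, reduction = CONTROLS[ctrl]
            if factor == name:
                value *= 1.0 - reduction
        score += w * value
    return asset.criticality * score


def facility_risk(assets, facility, weights=DEFAULT_WEIGHTS):
    """Plain mean over the facility's assets (a max-based roll-up is the other
    common choice; mean lets every mitigation move the number)."""
    scores = [asset_risk(a, weights) for a in assets if a.facility == facility]
    return sum(scores) / len(scores) if scores else 0.0


def enterprise_risk(assets, weights=DEFAULT_WEIGHTS):
    return sum(asset_risk(a, weights) for a in assets) / len(assets) if assets else 0.0


def applicable_controls(asset):
    """Controls not yet in place; a patch can only be recommended if one exists."""
    for ctrl in CONTROLS:
        if ctrl in asset.controls:
            continue
        if ctrl == "apply_patch" and not asset.patch_available:
            continue
        yield ctrl


def recommend_actions(assets, weights=DEFAULT_WEIGHTS, top_n=5):
    """Rank (asset, control) pairs by the enterprise risk reduction each buys.

    Each candidate is evaluated by re-scoring the whole estate with that one
    control added, so the ranking reflects weights and criticality together.
    """
    baseline = enterprise_risk(assets, weights)
    candidates = []
    for a in assets:
        for ctrl in applicable_controls(a):
            trial = replace(a, controls=a.controls + [ctrl])
            estate = [trial if x is a else x for x in assets]
            delta = baseline - enterprise_risk(estate, weights)
            candidates.append((a.asset_id, ctrl, round(delta, 6)))
    candidates.sort(key=lambda c: c[2], reverse=True)
    return candidates[:top_n]


# Constructed sample estate: two plants, three assets.
SAMPLE_ASSETS = [
    Asset("A1", "plant-a", {"vulnerability": 0.9, "alert": 0.6, "communication": 0.7, "device": 0.5},
          criticality=1.0, patch_available=True),
    Asset("A2", "plant-a", {"vulnerability": 0.3, "alert": 0.1, "communication": 0.4, "device": 0.2},
          criticality=0.5, controls=["network_segmentation"]),
    Asset("A3", "plant-b", {"vulnerability": 0.6, "alert": 0.2, "communication": 0.2, "device": 0.8},
          criticality=0.8, patch_available=True),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(a.asset_id, round(asset_risk(a), 3))
    print("enterprise", round(enterprise_risk(SAMPLE_ASSETS), 3))
    print(recommend_actions(SAMPLE_ASSETS))
```

On the sample, patching A1 tops the list (it removes the largest weighted factor on the most critical asset), patching A3 comes second, and segmenting A1 third; A2 never gets a patch recommendation because no fix exists for it, which is the kind of constraint a ranking has to respect to stay actionable. Changing `DEFAULT_WEIGHTS` or an asset's `criticality` and re-running shows how the ranking follows the customizable weights rather than raw factor values.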
We also use clustering, statistical modeling, supervised learning and contextual analysis to display peer benchmarks, so you can see how your security posture compares to other companies in your region or industry.
Finally, we use predictive analytics based on historical vulnerability, threat and asset behavior data to help identify which vulnerabilities are likely to be exploited, which asset types or sites are riskiest and emerging attack chains.
The overriding value of a cybersecurity platform is ease of use. It can collect all the right data and use all the right AI and ML techniques to draw all the right conclusions, but how valuable is that if authorized users, including non-expert stakeholders, can’t easily tap into those insights?
Nozomi Networks uses generative AI (the same class of technology behind ChatGPT and Gemini) in one part of the platform, Vantage IQ, to summarize threats, speed investigations and recommend actions for overwhelmed analysts in resource-strapped SOCs. It has its own query language, but thanks to a natural-language interface, any authorized user, from a SOC analyst to an operating engineer, can ask it anything they want to know about the environment and get an accurate, actionable answer instantly, with drill-down access to deeper insights.
For a junior SOC analyst, that’s like having a seasoned expert at your side, one who’s always available. For an operator, that means getting immediate answers about anything in the environment to keep it running more safely and efficiently.
Generative AI relies on large language models (LLMs) to generate answers. Unlike an LLM designed for public use, our LLM is trained on real-world incident telemetry across thousands of industrial deployments and fine-tuned with data from asset profiles as well as public and Nozomi-curated threat intelligence.