NIST 800-53 REV 5 • RISK ASSESSMENT
RA-3(4) — Predictive Cyber Analytics
Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
A properly resourced Security Operations Center (SOC) or Computer Incident Response Team (CIRT) may be overwhelmed by the volume of information generated by the proliferation of security tools and appliances unless it employs advanced automation and analytics to analyze the data. Advanced automation and analytics capabilities are typically supported by artificial intelligence concepts, including machine learning. Examples include Automated Threat Discovery and Response (which includes broad-based collection, context-based analysis, and adaptive response capabilities), automated workflow operations, and machine assisted decision tools. Note, however, that sophisticated adversaries may be able to extract information related to analytic parameters and retrain the machine learning to classify malicious activity as benign. Accordingly, machine learning is augmented by human monitoring to ensure that sophisticated adversaries are not able to conceal their activities.
Practitioner Notes
Predictive cyber analytics uses data analytics and modeling to anticipate future threats and vulnerabilities before they are exploited. This is a proactive approach to risk rather than a reactive one.
Example 1: Use your SIEM's machine learning capabilities to identify anomalous patterns that may indicate an emerging attack. Microsoft Sentinel and Splunk both offer User and Entity Behavior Analytics (UEBA) that baseline normal activity and flag deviations that may signal an attack in its early stages.
Example 2: Analyze your vulnerability scan trend data to predict which systems are most likely to have critical vulnerabilities in the future. Systems that consistently show late patching or recurring misconfigurations should receive extra monitoring and faster remediation timelines.
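As an added illustration of Example 1 (not NIST text, and not any vendor's UEBA implementation), the following Python snippet baselines each account's daily activity and flags deviations, while also applying the supplemental guidance's caveat: flagged observations are never folded back into the baseline, so an adversary cannot gradually retrain the model to treat their activity as benign. The log format, account names, sample values and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample (not real data): per account per day, distinct hosts logged on to.
SAMPLE_LOG = """\
2024-03-01 alice 3
2024-03-02 alice 2
2024-03-03 alice 4
2024-03-04 alice 3
2024-03-05 alice 3
2024-03-06 alice 17
2024-03-01 bob 1
2024-03-02 bob 1
2024-03-03 bob 2
2024-03-04 bob 1
2024-03-05 bob 1
2024-03-06 bob 1
"""

def parse(log):
    """Group daily counts by account, keeping date order within each account."""
    series = defaultdict(list)
    for line in log.splitlines():
        day, user, count = line.split()
        series[user].append((day, int(count)))
    return series

def robust_z(value, history):
    """Distance from the median of history, scaled by the median absolute deviation."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 0.5  # floor avoids divide-by-zero
    return (value - med) / (1.4826 * mad)

def detect(log, train_days=5, threshold=3.0):
    """Baseline each account on its first train_days, then score later days.
    Flagged days are NOT added to the baseline (blocks slow adversarial retraining)."""
    alerts = []
    for user, rows in parse(log).items():
        history = [c for _, c in rows[:train_days]]
        for day, count in rows[train_days:]:
            z = robust_z(count, history)
            if z > threshold:
                alerts.append((day, user, count, round(z, 1)))
            else:
                history.append(count)  # only benign days refine the baseline
    return alerts
```

In a real deployment the per-account history would come from the SIEM and the analyst would review each alert, which is the human monitoring the guidance calls for.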