Despite much skepticism about machine learning’s role in security, customers can benefit from machine intelligence when combatting sophisticated attacks. While some believe that machine learning is the latest pipe dream for security, I think otherwise. It all depends on how machine learning is applied. Below, I’ll dive into a few ways that machine intelligence can make a difference and enable analysts to stop chasing ghosts.
#1: Machine learning accurately detects anomalies, despite weak signals and intelligent attackers
The signals for many advanced attacks are weak. Using machine learning to generate alerts on anything that may be an attack (i.e., every weak signal) only exacerbates the “alert white noise” problem, the deluge of alerts that enterprises face today. To produce the higher-fidelity alerts that will enable analysts to focus on the issues that matter, machine learning must correlate multiple weak signals over time at a user or host level, with a risk score that reflects the accumulation of anomalous events. For example, machine learning techniques, which serve as the foundation for user and entity behavior analytics (UEBA), can detect an attack by comparing user Bob’s normal access from his machine against an attacker who has gained access to Bob’s machine and is posing as Bob. The attacker’s motivations are likely to differ from Bob’s: an intruder wants to move around the network and gain access to sensitive information worth stealing. Unsupervised machine learning techniques could baseline Bob’s normal behavior on the host he usually uses and spot deviations in behavior that could indicate a potential compromise.
#2: Machine learning makes it easier to know if attackers are still lurking in your network
Machine learning can continually sift through the vast amounts of data that an organization already has, annotating and enriching it, even if suspicious activity is not raised to the level of an alert. This happens without pre-configured rules, a pre-determined notion of good and bad, or the need to produce detection results in real time. This pre-processing results in a higher-level taxonomy, which is key to speeding up the threat hunting process. Starting with a single thread of evidence, analysts can use this new taxonomy to rapidly test different, complex hypotheses and detect hidden attacks lurking within your network. This constant, behind-the-scenes annotation and enrichment of data is an important reason that machine learning should be part of a meaningful security strategy.
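The following toy UEBA pipeline is an added example, not code from the original post or from any product it describes. It illustrates both #1 and #2 on the Bob scenario above: a per-user baseline is learned from unlabelled history, every new event is tagged with weak-signal labels (the enrichment "taxonomy"), those tags are accumulated into a time-decayed per-user risk score that only alerts once several weak signals pile up, and the tagged events can be queried to test a hunting hypothesis. All events, hostnames, share paths, weights, the half-life and the threshold are constructed for illustration.

```python
"""
Toy UEBA pipeline (added example, not the original post's code).
Weak signals are accumulated into a per-user risk score over time, and every
event is tagged with a small taxonomy that an analyst can query while hunting.
All events, hostnames, share paths, weights and thresholds are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed history (timestamp, user, host, resource): Bob works 09:00-17:00
# from WS-BOB-01 and only touches the engineering share.
HISTORY = [
    (datetime(2024, 3, 4 + day, hour, 0), "bob", "WS-BOB-01", r"\\fs01\eng")
    for day in range(5) for hour in range(9, 17)
]

# Constructed stream to score: one normal access by Bob, then three events
# that look like someone else driving Bob's account from another workstation.
NEW_EVENTS = [
    (datetime(2024, 3, 12, 10, 5), "bob", "WS-BOB-01", r"\\fs01\eng"),
    (datetime(2024, 3, 12, 23, 30), "bob", "WS-ALICE-07", r"\\fs01\eng"),
    (datetime(2024, 3, 12, 23, 45), "bob", "WS-ALICE-07", r"\\fs01\hr"),
    (datetime(2024, 3, 13, 0, 10), "bob", "WS-ALICE-07", r"\\fs01\finance\payroll"),
]

# Constructed weights: no single tag reaches the threshold on its own, so an
# alert needs several weak signals for the same user close together in time.
TAG_WEIGHTS = {"new-host": 15, "off-hours": 10, "new-resource": 10,
               "sensitive-resource": 20, "unknown-user": 30}
ALERT_THRESHOLD = 70
HALF_LIFE = timedelta(hours=24)          # older signals fade but do not vanish
SENSITIVE_PREFIX = r"\\fs01\finance"     # hypothetical crown-jewel share


def build_baseline(events):
    """Unsupervised baseline: per-user counts of hosts, hours and resources."""
    base = defaultdict(lambda: {"hosts": Counter(), "hours": Counter(),
                                "resources": Counter()})
    for ts, user, host, resource in events:
        base[user]["hosts"][host] += 1
        base[user]["hours"][ts.hour] += 1
        base[user]["resources"][resource] += 1
    return base


def annotate(event, baseline):
    """Tag one event with weak signals; a tag is enrichment, not an alert."""
    ts, user, host, resource = event
    profile = baseline.get(user)
    if profile is None:
        return {"unknown-user"}
    tags = set()
    if host not in profile["hosts"]:
        tags.add("new-host")
    if ts.hour not in profile["hours"]:
        tags.add("off-hours")
    if resource not in profile["resources"]:
        tags.add("new-resource")
    if resource.lower().startswith(SENSITIVE_PREFIX.lower()):
        tags.add("sensitive-resource")
    return tags


def score_stream(events, baseline):
    """Annotate events in time order and keep a decayed risk score per user.

    Returns (annotated events, final score per user, alerts raised when a
    user's score first crosses ALERT_THRESHOLD).
    """
    state = {}            # user -> (score, timestamp of last event)
    annotated, alerts = [], []
    for event in sorted(events, key=lambda e: e[0]):
        ts, user, host, resource = event
        tags = annotate(event, baseline)
        prev, last_ts = state.get(user, (0.0, ts))
        decayed = prev * 0.5 ** ((ts - last_ts) / HALF_LIFE)
        score = decayed + sum(TAG_WEIGHTS[t] for t in tags)
        state[user] = (score, ts)
        record = {"ts": ts, "user": user, "host": host, "resource": resource,
                  "tags": tags, "risk": round(score, 1)}
        annotated.append(record)
        if decayed < ALERT_THRESHOLD <= score:
            alerts.append(record)
    return annotated, {u: s for u, (s, _) in state.items()}, alerts


def hunt(annotated, required_tags):
    """Hypothesis query over the enriched data: events carrying all tags."""
    return [e for e in annotated if required_tags <= e["tags"]]


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    annotated, scores, alerts = score_stream(NEW_EVENTS, baseline)
    for e in annotated:
        print(e["ts"], e["host"], e["resource"], sorted(e["tags"]), e["risk"])
    print("alerts:", [(a["user"], a["ts"]) for a in alerts])
    print("hunt new-host+sensitive:",
          [e["ts"] for e in hunt(annotated, {"new-host", "sensitive-resource"})])
```

Run stand-alone, the first event is tagged with nothing and scores zero; the late-night access from an unfamiliar workstation and the new HR share each add weak signals but stay under the threshold, and only the fourth event (a sensitive finance share on top of the earlier signals) pushes Bob's score over 70 and raises a single alert. The `hunt` call shows the #2 idea: even before that alert, an analyst chasing the hypothesis "new host touching sensitive data" gets the matching event straight from the enriched records rather than from raw logs.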
#3: Machine learning shortens the time to detect attacks
Today, the average time it takes to identify attacks inside a network is more than six months, and a vast majority of attackers are bypassing existing detection and prevention systems. During this time, attackers use a variety of methods to exploit their presence inside the network, but in doing so they leave a trail in huge volumes of log, packet and network flow data. Machine learning automatically analyzes these vast amounts of data to detect attacks. And even if the attack isn’t automatically detected, per #2 above, machine learning makes the threat hunting process significantly faster. The result is that machine learning can help shorten the time to detect and investigate these classes of attacks, which is a huge win for customers. This also speaks to the need for a fundamental mindset shift for customers: the real-time detection and prevention investments they have made over the last 10 years are wholly inadequate for the security needs of today. Balancing those investments with monitoring and response for timely detection of threats lurking in the network is increasingly becoming a vital security requirement.
Customers are faced with a sophisticated attack landscape and vast datasets. Traditional defenses that rely on correlation rules and real-time signatures are proving inadequate at detecting a majority of these threats. Sophisticated multi-stage attacks can almost never be detected in real time, and raising alerts for every variance seen during every stage of the kill chain just compounds the alert white noise problem for analysts rather than mitigating it. Machine learning can help because it can automatically detect attacks. While it may not be able to automatically detect every single attack, it can surface deep insights that support human-driven workflows to detect and respond to threats.