The CISO Guide to Machine Learning and UEBA

21 Sep


in Blog, Perspectives

by Larry Lunetta

The security team has decided it is time to check out the new security analytics solutions that have burst on the market—the ones that tout machine learning, AI, behavior analytics, etc. You’ve been chosen to lead the charge. Where do you start?

Here are seven concepts and key terms that will help you deal with the blizzard of buzzwords and marketing hype:

  1. Machine Learning. From Google: “Machine learning is a type of artificial intelligence (AI) that provides computers with the ability to learn without being explicitly programmed. Machine learning focuses on the development of computer programs that can teach themselves to grow and change when exposed to new data.” Machine Learning and AI are often used interchangeably, especially in marketing material.

  2. Data Scientists. Typically PhDs, these are experts in the use of AI techniques. Based on the goal or use case of the desired outcome, they select the right models and algorithms, combine them with the right data and tune them to produce accurate results.

  3. Supervised Machine Learning. Supervised ML models employ a “teaching” technique to develop the relationship between a known set of outputs and their inputs. Once the model is developed it can be used to predict the output for a new set of inputs.

  4. Unsupervised Machine Learning. In an unsupervised model, the algorithm is “self-learning”, which means there is no prior training or preparation required before it is deployed. The algorithm automatically discovers relevant structure and relationships between the inputs.

  5. Anomaly Detection. Anomaly detection models typically build a profile of “expected” behavior for an entity such as a user or a system. Once these baselines are established, the models look for deviations from the baseline.

  6. Features. Features are individual data elements relevant to the specific machine learning model and use case. They can be directly extracted from the data or derived after passing the raw data through a pre-processing algorithm. Some examples of features are:
    • “Access” features: IP addresses, countries visited, etc.
    • “Time” features: access start/end times, etc.
    • “Counter” features: volume of upload/download (in bytes), etc.

  7. Models. Models take in features and apply one or more mathematical algorithms to produce a specific ML decision. For example: is this part of a certain cluster or group, or is this a “good” or “bad” event?
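To make items 5 through 7 concrete, here is a small added example (not code from the original post or from any vendor product) of how a baseline-and-deviation anomaly model is assembled from the three feature families just listed. The log records, the users, the thresholds, and the z-score floors are all constructed assumptions for illustration; a production UEBA system would use far richer features and a tuned model rather than simple per-user summary statistics.

```python
"""Toy UEBA-style anomaly detection over constructed access logs.

Added example, not from the original post. It builds a per-user baseline
from a training window of events, then scores later events against it using
the three feature families named in the post: access, time and counter.
All log lines and thresholds below are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed training window: (user, timestamp, source country, bytes uploaded)
TRAINING_LOG = [
    ("alice", "2023-09-01T09:05:00", "US", 12_000),
    ("alice", "2023-09-02T08:55:00", "US", 15_000),
    ("alice", "2023-09-03T09:20:00", "US", 11_000),
    ("alice", "2023-09-04T10:02:00", "US", 14_000),
    ("alice", "2023-09-05T09:40:00", "US", 13_000),
    ("bob",   "2023-09-01T22:10:00", "DE", 250_000),
    ("bob",   "2023-09-02T23:05:00", "DE", 240_000),
    ("bob",   "2023-09-03T21:50:00", "FR", 260_000),
    ("bob",   "2023-09-04T22:30:00", "DE", 255_000),
    ("bob",   "2023-09-05T22:45:00", "DE", 245_000),
]

def extract_features(event):
    """Turn one raw log record into the feature dict a model consumes."""
    user, ts, country, bytes_up = event
    hour = datetime.fromisoformat(ts).hour          # "time" feature
    return {"user": user, "country": country, "hour": hour, "bytes_up": bytes_up}

def build_baselines(events):
    """Unsupervised step: profile each user's 'expected' behaviour.

    No labels are needed; the baseline is just summary statistics of the
    features seen during the training window.
    """
    per_user = defaultdict(list)
    for ev in events:
        f = extract_features(ev)
        per_user[f["user"]].append(f)
    baselines = {}
    for user, feats in per_user.items():
        hours = [f["hour"] for f in feats]
        sizes = [f["bytes_up"] for f in feats]
        baselines[user] = {
            "countries": {f["country"] for f in feats},   # "access" feature
            "hour_mean": mean(hours), "hour_std": pstdev(hours),
            "bytes_mean": mean(sizes), "bytes_std": pstdev(sizes),  # "counter"
        }
    return baselines

def z_score(value, mu, sigma, floor):
    """Standard deviations from the mean, with a floor on sigma so a very
    regular user does not produce huge scores on tiny deviations."""
    return abs(value - mu) / max(sigma, floor)

def score_event(baselines, event, hour_floor=1.0, bytes_floor=1_000, threshold=3.0):
    """Return the list of deviations found; an empty list means 'normal'.

    Thresholds are assumed values chosen for this toy data set.
    """
    f = extract_features(event)
    base = baselines.get(f["user"])
    if base is None:
        return ["unknown user: no baseline"]
    reasons = []
    if f["country"] not in base["countries"]:
        reasons.append(f"access: new country {f['country']}")
    hz = z_score(f["hour"], base["hour_mean"], base["hour_std"], hour_floor)
    if hz > threshold:
        reasons.append(f"time: login hour {f['hour']} is {hz:.1f} sd from usual")
    bz = z_score(f["bytes_up"], base["bytes_mean"], base["bytes_std"], bytes_floor)
    if bz > threshold:
        reasons.append(f"counter: upload {f['bytes_up']} bytes is {bz:.1f} sd from usual")
    return reasons

if __name__ == "__main__":
    baselines = build_baselines(TRAINING_LOG)
    # Constructed events to score: one normal, one clearly deviating.
    for ev in [("alice", "2023-09-06T09:10:00", "US", 12_500),
               ("alice", "2023-09-06T03:15:00", "RU", 900_000)]:
        print(ev, "->", score_event(baselines, ev) or ["normal"])
```

The split between `extract_features`, `build_baselines` and `score_event` mirrors the post's vocabulary: features are pulled from raw records, an unsupervised profile is built without any labelled “bad” examples, and the model's decision is a per-event list of deviations that an analyst can read. The sigma floors matter in practice: a user who always logs in at 09:00 would otherwise be flagged for a 09:30 login, which is exactly the kind of false positive that erodes trust in a UEBA deployment.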


If you would like a more in-depth explanation of the technology and terminology underpinning the new wave of security analytics, check out our “CISO Guide to Machine Learning and UBA”.

In addition to handy technology tips, it also provides:

  • An overview of the new threat and attack landscape where legitimate credentials are the starting point for attacks that leverage compromised, negligent or malicious insiders.
  • An explanation of why Machine Learning is a critical technology in defending against these types of attacks.
  • An overview of the principles of machine learning including detailed descriptions of supervised and unsupervised techniques and how machine learning models are assembled.
  • Recommendations on how to apply machine learning in the form of a UEBA solution.