Human vs Machine: Why Machine Learning Won’t Replace Threat Hunters (Yet)

Mathematicians and marketing people alike would have us believe that Machine Learning is soon to replace all our human undertakings. While the automation opportunities afforded by Machine Learning will surely replace some human jobs, I’m here to explain why Threat Hunting won’t be one of them.

What is Threat Hunting? Threat hunting is the human act (art?) of searching a network, investigating indicators of compromise, and responding to malicious threats like malware, ransomware, or even active human adversaries. Threat hunting used to be the last phase of a company’s cybersecurity prevention strategy and is now becoming readily available to companies with emerging prevention postures through Managed Detection and Response Services. Threat hunters tend to use technologies that involve elements of Machine Learning.

What is machine learning? At a very high level, machine learning is a system that uses algorithms to correlate data with the occurrence of given outcomes, based on input exemplars, so that the system can predictively attribute those outcomes to new data. My goal is to compare Machine Learning techniques as applied in cybersecurity with the (human) threat hunters’ techniques. What you will see is that despite the advancements that have been made in Machine Learning, it can’t adequately replicate what a qualified threat hunter does every day.

I’m not knocking Machine Learning – in fact, it provides visibility into far more relevant data than a human aggregator could ever ‘sift through’ in any useful time (impossibly so). Threat Hunters need and actively use the outputs of Machine Learning to do their job; Machine Learning-driven tools alert, while Threat Hunters investigate, remediate, and respond.

Let’s compare them in context – here are five reasons:

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Perry Kuhnen. Read the original post at: