Using Machine Learning to Address Evolving Threats

There are many benefits to using machine learning as part of your cybersecurity strategy

Cyberthreats from malicious actors have never been more prevalent or more potentially harmful than they are now. A single attack can cripple an organization to its core. Although it has taken time, most workplace decision-makers now understand that cybersecurity is critical to the business and are implementing measures to protect their organizations. These measures begin with security fundamentals. As more companies pursue digital transformation initiatives and build out an ever more advanced analytics ecosystem, their security systems and processes need to evolve as well.

Today, the most advanced approach to rapid and accurate threat detection, analysis and mitigation is to integrate a security information and event management (SIEM) solution, advanced machine learning (ML) and user and entity behavior analytics (UEBA) into the organization's processes and systems, so that security professionals can be nimble and efficient and make better decisions.

SIEM solutions can generate an overwhelming workflow for teams that lack the manpower, skills or resources to cope with the influx of security event traffic. Integrating AI and ML helps because the algorithms can be trained to tell the difference between the vast amounts of regular traffic a network carries and the small fraction that represents a genuine threat.

Arguably, the most valuable differentiator of ML is that its algorithms can sift through ever larger volumes of data and, by baselining behavior and learning from it, continuously evaluate normal versus abnormal activity with far less human analyst time than manual review would require.

For organizations looking to incorporate the benefits of AI/ML into their security defense strategy, there are a few key success factors to consider:

1. Make sure you have the fundamental security practices in place first. Don't employ AI/ML simply because it is the latest technology garnering buzz within the industry. In most cases, ML is only advantageous for more mature security operations that are already successfully identifying the "known threats" through traditional solutions.

2. As the name suggests, "learning" is an ongoing process that takes time. Most machine learning and deep learning in this space is still supervised or semi-supervised and must be trained to recognize the good from the bad. Further, ML implementations must be trained on the correct data sources, because a model can learn, or be trained, the wrong way: if the training window already contains an attacker's activity, that activity is baselined as "normal" and will not be flagged later. Software solutions vary in how much human involvement and oversight they require during this early training stage.

3. The end goal should be clear at the outset. One cannot simply throw AI/ML at a problem and expect results. You must first define the expected results and the use case, and then choose the ML methodology that will get you there. A few of the common high-level uses of ML within the security space are:

  • Classification, or the process of categorizing observable information into good or bad indicators. Phishing email identification and threat intelligence powered by machine learning are two examples.
  • Prediction (regression), or estimating where malicious actions are likely to occur. For example, future financial fraud indicators based on data points such as transaction amounts and geolocation.
  • Visualization and clustering, or presenting large data sets visually so that outliers stand out. Insider threats are often identified when an entity's behavior falls outside the expected cluster of similar entities or identities.
  • Rule/response learning, or responding to threats dynamically to reduce the time to mitigation. Here it is important that risk scores are accurate, both to reduce false positives and to avoid a self-inflicted denial of service caused by automated responses against legitimate activity.
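The baselining and outlier detection described above (learning what is normal for each user, and comparing an entity against the cluster of its peers) can be sketched in a few dozen lines. The following is an added example written for this article, not code from the author or from ArcSight; the event fields, the constructed training events, the deviation weights and the risk threshold are all assumptions chosen for illustration. It also carries the caveat from point 2: the baseline is only as good as its training window, so whatever is present there is learned as normal.

```python
"""Minimal UEBA-style baselining: learn per-user and per-peer-group behavior
from a training window, then score new events by how far they deviate.

Added illustration, not code from the article or from ArcSight. The event
fields, weights and threshold below are assumptions, not a vendor's model."""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Event:
    user: str
    role: str       # peer group used for the cluster comparison
    hour: int       # hour of day of the activity
    host: str       # destination host
    bytes_out: int  # bytes sent outbound


# Constructed training window: ordinary daytime activity for three analysts.
# Anything in this window is learned as "normal" (see point 2 above).
TRAINING = [
    Event("alice", "analyst", h, "fileshare", b)
    for h, b in [(9, 1200), (10, 1500), (11, 900), (14, 1800), (15, 1300), (16, 1100)]
] + [
    Event("bob", "analyst", h, "fileshare", b)
    for h, b in [(8, 2000), (9, 2400), (13, 1900), (14, 2200), (17, 2100), (17, 2300)]
] + [
    Event("carol", "analyst", h, "fileshare", b)
    for h, b in [(9, 1000), (10, 1400), (12, 1200), (15, 1600), (16, 1500), (16, 1300)]
]


class Baseline:
    """Per-user and per-role profiles learned from the training window."""

    def __init__(self, events):
        by_user, by_role = defaultdict(list), defaultdict(list)
        for e in events:
            by_user[e.user].append(e)
            by_role[e.role].append(e)
        self.user = {u: self._profile(es) for u, es in by_user.items()}
        self.role = {r: self._profile(es) for r, es in by_role.items()}

    @staticmethod
    def _profile(events):
        sizes = [e.bytes_out for e in events]
        return {
            "mean": statistics.fmean(sizes),
            # pstdev can be 0 for a constant history; floor it so z stays finite
            "stdev": max(statistics.pstdev(sizes), 1.0),
            "hours": {e.hour for e in events},
            "hosts": {e.host for e in events},
        }

    def score(self, e):
        """Return (risk, reasons). Risk is a sum of weighted deviations."""
        reasons, risk = [], 0.0
        mine, peers = self.user.get(e.user), self.role.get(e.role)
        if mine is None:
            # Unknown entity: only the peer-group comparison is available.
            reasons.append("no per-user baseline")
            risk += 1.0
        else:
            z = (e.bytes_out - mine["mean"]) / mine["stdev"]
            if z > 3:
                reasons.append(f"volume z={z:.1f} vs own history")
                risk += min(z, 10.0)          # cap so one feature cannot dominate
            if e.hour not in mine["hours"]:
                reasons.append(f"hour {e.hour} never seen for user")
                risk += 2.0
            if e.host not in mine["hosts"]:
                reasons.append(f"host {e.host} never seen for user")
                risk += 2.0
        if peers is not None:
            zp = (e.bytes_out - peers["mean"]) / peers["stdev"]
            if zp > 3:
                reasons.append(f"volume z={zp:.1f} vs peer group {e.role}")
                risk += min(zp, 10.0)
        return risk, reasons


RISK_THRESHOLD = 5.0  # assumed cut-off; tune it against your false-positive budget

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    Event("alice", "analyst", 10, "fileshare", 1400),   # routine
    Event("bob", "analyst", 20, "fileshare", 2600),     # one odd feature only
    Event("dave", "analyst", 10, "fileshare", 1500),    # unknown user, in line with peers
    Event("alice", "analyst", 3, "ext-upload", 40000),  # 3 a.m. bulk upload to a new host
]


def triage(baseline, events, threshold=RISK_THRESHOLD):
    """Return (event, risk, reasons) for events whose risk reaches the threshold."""
    flagged = []
    for e in events:
        risk, reasons = baseline.score(e)
        if risk >= threshold:
            flagged.append((e, round(risk, 1), reasons))
    return flagged


if __name__ == "__main__":
    for e, risk, reasons in triage(Baseline(TRAINING), NEW_EVENTS):
        print(f"{e.user}: risk {risk} -> {'; '.join(reasons)}")
```

Only the 3 a.m. bulk upload crosses the threshold; Bob's single never-seen hour and Dave's missing history each score too low on their own, which is the point of summing several weak signals before an automated response fires (the false-positive and self-inflicted-denial-of-service concern from the last bullet).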

While ML can help overcome many challenges in network security, it should not be viewed as a "magic bullet" that will stop every intrusion. Cyber adversaries will continue to advance, and so should an organization's detection methods.

Meanwhile, human experts are freed to focus on the most critical threats, and organizations can find a better balance between security and operations. Looking ahead, ML will continue to shorten the interval between identifying a potential threat and mitigating it.

Incorporating an ML approach into an organization's security strategy to address the evolving threat landscape can help overcome two critical issues facing the industry as a whole, "alert fatigue" and the scarcity of trained staff, and can also help leaders direct their resources to where they add the most value.

Chas Clawson


Chas Clawson is a cybersecurity evangelist for ArcSight, a Micro Focus product group, and was previously a senior engineer and SecOps consultant for the Micro Focus Government Solutions. Prior to supporting ArcSight, he worked with DOD Red Teams where he conducted full-scope pen-test assessments and evaluated teams for efficiency and accreditation. He has also been a SIEM architect with a large MSSP, supporting various SIEM platforms. He holds a master’s degree in Information Systems and various advanced industry certifications and teaches network and cyber security classes at UMUC.
