Saryu Nayyar | Forbes.com
Providing effective cybersecurity measures for your organization is like playing a very serious cat-and-mouse game. If you aren’t familiar with the idiom, cat and mouse is an interaction in which the advantage continually shifts between the contestants. One moment, the cat appears ready to pounce on the mouse, and the next moment, the mouse dodges the advance. Then, the cat blocks the mouse’s path but the mouse jukes and goes the other way.
In the cyberworld, the “game” pits your computing environment—protected by your skilled but overworked security team—against a range of miscreants and nation-state-sponsored actors seeking illicit access to your crown jewels. The stakes are high, and should your team lose a round, you’ll soon learn this is no game at all.
Cybersecurity platforms and tools have been evolving to try to give the good guys a permanent upper hand. Not long ago, security tools used static signatures—a sort of watch list—to compare against. For example, a perimeter firewall would look at inbound traffic and ask: Does it come from a known malicious sender? Is the payload malware we can identify? Are there any indicators of compromise (IoCs) that concern us?
The key to using signatures to identify malicious traffic and activity is that you have to develop them in advance. The cat has to know that the mouse will always take the left escape route and then plan accordingly. That doesn’t happen in real life.
Malicious actors know to frequently change their techniques and tactics. Even a small adjustment to malicious code makes it different enough to be unrecognizable by existing signatures. And sometimes, attackers come upon a “zero-day” vulnerability, meaning it’s so new that there’s no signature for it. Zero-day vulnerabilities are behind some of the most consequential cyberattacks in recent years, including the Log4Shell vulnerability discovered in December 2021 that’s been called “the single biggest, most critical vulnerability of the last decade.”
Why are machine learning and artificial intelligence must-have features?
Although many security products still use signatures, this method isn’t effective enough to truly prevent successful attacks. Machine learning (ML) and artificial intelligence (AI) are much more effective tools to detect and respond to suspicious activity that could be traced to an active attack in your environment.
ML uses a complex set of algorithms to evaluate and learn from vast amounts of data from a variety of sources. Similar to human learning, during which each new observation teaches us something and updates our perspective, an ML system has the ability to observe a new data pattern—perhaps a new attack technique—and learn from it. This new information is compared to historical information, and if it proves to be anomalous, an alert is raised. The historical information is simply a baseline of your environment’s normal and acceptable activity patterns.
When you deploy a new ML-based cybersecurity solution, it first learns everything it can about your environment to create that initial baseline. This is unsupervised learning, which means that no human has to help the system learn. From then on, all new information is compared in near real time to this baseline, which itself shifts as your environment changes. New people and new equipment are onboarded. New applications are used, and old ones are retired. The baseline is constantly updating itself.
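The baseline behaviour described above, as an added example that is not from the article or any vendor's product: a self-updating baseline for one metric, run beside a fixed rule written in advance. The exponentially weighted mean and variance are an assumed, simple stand-in for a real learning model; the class, parameters and sample data are constructed for illustration.

```python
import math

class AdaptiveBaseline:
    """Baseline of one metric that keeps updating as the environment changes."""

    def __init__(self, alpha=0.1, sigmas=4.0, warmup=10, rel_floor=0.05):
        self.alpha, self.sigmas = alpha, sigmas
        self.warmup, self.rel_floor = warmup, rel_floor
        self.n, self.mean, self.var = 0, 0.0, 0.0

    def observe(self, value):
        """Score value against the baseline, then fold it into the baseline."""
        self.n += 1
        if self.n == 1:
            self.mean = float(value)
            return False
        diff = value - self.mean
        # Floor the spread so a very quiet history does not alert on tiny changes.
        spread = max(math.sqrt(self.var), self.rel_floor * abs(self.mean))
        # The first `warmup` observations only build the initial baseline.
        anomalous = self.n > self.warmup and abs(diff) > self.sigmas * spread
        # Anomalies get a tenth of the weight so one spike barely moves "normal".
        a = self.alpha * (0.1 if anomalous else 1.0)
        self.mean += a * diff
        self.var = (1 - a) * (self.var + a * diff * diff)
        return anomalous

def adaptive_alerts(series):
    """Indices flagged by a baseline that learns from every observation."""
    model = AdaptiveBaseline()
    return [i for i, v in enumerate(series) if model.observe(v)]

def static_rule_alerts(series, limit=120):
    """Fixed rule written in advance: alert on anything above `limit`."""
    return [i for i, v in enumerate(series) if v > limit]

# Constructed sample: daily outbound MB for one host (not real telemetry).
NOISE = [0, 3, -2, 1, -3, 2, -1, 0]
SERIES = [100 + NOISE[i % 8] for i in range(24)]        # stable period
SERIES += [101 + j + NOISE[j % 8] for j in range(30)]   # slow legitimate growth
SERIES += [400, 131]                                    # one burst, then normal

if __name__ == "__main__":
    print("adaptive baseline alerts:", adaptive_alerts(SERIES))
    print("static rule alerts:     ", static_rule_alerts(SERIES))
```

The adaptive baseline flags only the burst, while the fixed limit keeps firing once legitimate growth carries the host past it.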
Occasionally, you might need to instruct the ML system on how to interpret some new piece of information. This human intervention is called supervised learning. For example, you can tell the ML system to ignore any external intelligence feeds that pertain to an application or operating system that you don’t use or to pay extra close attention to activities pertaining to a specific person or geographic region. With your input, you supervise what the system learns to make it more accurate.
AI comes into play when the security system interprets the output of the ML and makes appropriate recommendations on what action(s) to take to mitigate a threat. Then, a human or another automated system can execute those actions to keep your environment secure.
Not all ML-based solutions are equal in their capabilities.
Unfortunately, many security solution vendors claim to use ML and AI in their systems when, in fact, they’re distorting the definition of “machine learning.” Under the covers, their systems use flow charts or rule-based analysis rather than true learning models to look for anomalous and potentially malicious behaviors. This isn’t much better than looking at static signatures. Their interpretation of “machine learning” is that the system is learning about the data being taken in—not really from that data. The learning system isn’t making adjustments based on the new data observations.
A major clue that a vendor doesn’t support true ML is that it will limit the amount of data going into the system or charge you for using more data. Vendors place limitations on data ingress because their flowchart-based or rules-based solutions can’t accommodate excessive data. But real ML wants as much data as possible, from every source that’s feasible.
Some vendors also consider their ML models to be a trade secret. You can’t know what they are, and you certainly can’t customize them for your specific needs. This reduces the efficacy of the solution in your environment.
As you evaluate potential cybersecurity solutions for your organization, ask questions about their ML and AI capabilities. Can the system correlate data from diverse sources? Does it provide in-depth context around alerts, so you understand what to investigate? Does the system use trained learning models, and if so, can they be customized for your organization? How many learning models are used? (More is better.) Is product licensing based on the quantity of data ingested? What data sources are used? Are alerts prioritized by risk level?
The more you know, the more confidence you can have in the solution’s results.
Machine Learning For Cybersecurity