Every now and then a technology comes along that deserves the hype it attracts – arguably machine learning is one of them.
The premise is simple – cyber-attacks are increasingly sophisticated and creative, while good at concealing their true intentions. The use of automation takes the heavy lifting out of detecting the anomalies which preclude a breach, to spot and protect against attacks. If it works, it can be used to identify everything from known to zero-day attacks.
Used correctly and efficiently, machine learning levels the playing field for security teams as, at the moment, the criminals appear to have an unfair advantage. However, this also means everyone is clambering aboard the bandwagon, and sometimes marketing promises don’t match technical reality.
Start with a definition
The main question is – what should constitute a definition of true machine learning and how does it differ from the hype?
To answer this, it is important to strip things back to their simplest form. In computational and statistical terms, machine learning encompasses any algorithm that gives technology the ability to learn from multiple data sets and create statistical models that the technology then uses to make accurate predictions. Practical applications range from predicting the weather, financial markets and even protein homology detection in human genome sequences. In the world of cybersecurity, where picking out microscopic irregularities from floods of data is vital, the ability to learn and take action, as opposed to requiring input from an already overburdened security team, is where the true benefit and application of machine learning lies.
However, this is also where the promise can differ from the reality. Often marketing teams are happy to label something which can parse big datasets to come up with broad conclusions, to then be acted on by a security team, as machine learning. The problem with this is that it still requires people to make decisions. The heavy lifting is only partially done. Whilst it sounds nuanced, this is an important distinction to make.
To that add context
When assessing the promise of machine learning in cybersecurity, it’s important to take into account the threat landscape, which has become a game of spotting a needle in a haystack.
Take the example of protecting the software your organisation runs from attack. Enterprises are now rolling out more and more applications, the issue is that any erroneous line of code used on your website or internally presents a possible route of attack. This presents a huge amount of potential flaws for attackers to abuse. One poorly constructed piece of code can be the start-point for a full breach, which can wreck reputation and cause financial damage.
The attacks aimed at this code are numerous, unpredictable and have multiple ‘parts’ involving a mix of human creativity and technology. One day can see a single ‘script kiddie’ curious as to whether an idea they have is possible, another sees teams of well-resourced attackers using custom developed exploits. A lot of these attacks may never have been seen before, all use an assortment of separate elements.
Against this hectic backdrop, defence is predicated on the need to make sense of lots of seemingly unrelated actions and act with speed and autonomy. This is where true machine learning comes into its own. Only by being able to correlate seemingly random markers of an attack, put them together in context and decide whether to take action, can attacks be foreseen and stopped. Merely recording large datasets and flagging actions as potentially anomalous is not fast or accurate enough. By then it is too late.
Alex Mathews is Lead Security Evangelist, Positive Technologies