Machine learning is, put simply, the progression of computers from “dumb” machines that cannot learn anything new without being reprogrammed to “smart” machines that can. With regard to security in particular, ML has become an indispensable tool, since it analyzes huge datasets to build patterns that can then be used not only to detect an attack but also to predict where one will come from. The bad news, however, is that the bad guys have pretty much the same technology, so using machine learning security tools isn’t so much a choice now — it is a necessity.
Machine learning in malware
Let’s use malware as an example here. Your average piece of malware is designed to self-update whenever it starts getting detected, changing its “behavior” to avoid detection. That pretty much sounds like ML. In fact, some malware can change its behavior in less than 24 hours, making it difficult to detect even for machine learning models that aren’t frequently retrained. Additionally, attacks aren’t limited to malware or phishing scams; we are now seeing a number of unconventional paradigms such as cloud computing, the IoT, fileless attacks, and even some that are AI-powered.
The good news is that the use of machine learning in security is quickly becoming an industry standard with even the top names in conventional security like Symantec getting on board and offering machine learning-powered security tools. This is extremely important, especially since the current pandemic, the ensuing lockdown, and an unprecedented new remote workforce has given hackers around the world the largest target surface area that they have ever seen. While most people are relying on VPNs, which are good but in no way all-encompassing, let’s look at the security tools that are actually giving us ML capabilities.
ML-powered anomaly detection
From the makers of Norton Antivirus comes Symantec TAA (Targeted Attack Analytics), which is available to customers as part of its ATP, or Advanced Threat Protection, program. Rather than take the conventional route of retraining and updating to keep up with virus mutations, TAA uses an ML-enabled cloud platform to detect “anomalies” and resolve them if needed. TAA is also said to encapsulate the experience and capabilities of top security analysts into what are now being referred to as virtual analysts, which can assist, advise, and ease the load on security personnel.
To say the new project has been successful would be quite an understatement. Not only have organizations using TAA been able to foil attacks, but in some instances they have even been able to trace and uncover the source. Early in 2018, TAA helped researchers uncover planned cyber-espionage against telecom, satellite, and defense systems that would have definitely gone unnoticed without the use of AI. This cloud-based approach also allows the analytics to be retrained without a product update every time a new threat, or a mutation of an existing one, appears.
Nowhere to hide
Next on our list is a UK-based cybersecurity company called Darktrace, which has been unconventional right from the get-go, using ML to catch internal breaches as early as 2013. Jump to the present day, and not only have they carved out their own niche in unsupervised machine learning, but their ML-powered “enterprise immune system” technology is already being used by thousands of organizations worldwide. Darktrace Antigena makes use of this technology to identify and respond to any suspicious activity, even if nothing similar has ever occurred before, effectively addressing the issue of new and unforeseen threats.
This is an important achievement in security, simply because data about attacks that have already happened by no means protects us from future ones. Rather than play the cat-and-mouse game that often leaves the good guys at least one generation behind the latest viruses and their mutations, unsupervised machine learning goes on the offensive. It does this by not only constantly looking for “suspicious” behavior but also constantly revising what it considers suspicious behavior to be. This puts a huge limit on the number of moves a potential attacker could make without getting noticed.
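As an added illustration (not code from the article, Darktrace, or any vendor), here is a minimal anomaly detector that keeps revising its own notion of “normal”: each host gets an exponentially weighted running mean and variance of one behavioural metric, and observations far from that baseline are flagged and then folded back in, so legitimate drift stops looking suspicious while a sudden spike still stands out. The host names, hourly outbound volumes and thresholds are all constructed for the example; a fixed-threshold rule is shown alongside for contrast with the retrain-and-update approach the article describes.

```python
from dataclasses import dataclass
import math

@dataclass
class HostBaseline:
    """Exponentially weighted running mean/variance of one host's metric."""
    alpha: float = 0.2  # weight of the newest observation; higher adapts faster
    mean: float = 0.0
    var: float = 0.0
    n: int = 0          # observations seen; the first few are warm-up, not scored

    def score(self, x: float) -> float:
        """Z-score of x against the current baseline (0.0 during warm-up)."""
        if self.n < 3:
            return 0.0
        return abs(x - self.mean) / math.sqrt(self.var + 1e-9)

    def update(self, x: float) -> None:
        """EWMA/EWMV update: recent traffic outweighs old traffic."""
        diff = x - self.mean if self.n else 0.0
        incr = self.alpha * diff
        self.mean = x if self.n == 0 else self.mean + incr
        self.var = (1 - self.alpha) * (self.var + diff * incr)
        self.n += 1

def adaptive_alerts(events, threshold=4.0):
    """events: (hour, host, outbound_mb) tuples; returns (hour, host, mb, z) alerts."""
    baselines, alerts = {}, []
    for hour, host, mb in events:
        b = baselines.setdefault(host, HostBaseline())
        z = b.score(mb)
        if z > threshold:
            alerts.append((hour, host, mb, round(z, 1)))
        b.update(mb)  # learn from every observation, anomalies included
    return alerts

def static_alerts(events, limit_mb):
    """The conventional fixed rule that has to be re-tuned by hand as traffic grows."""
    return [(h, host, mb) for h, host, mb in events if mb > limit_mb]

# Constructed hourly outbound volumes (MB): ws-017 is steady, then spikes once
# (exfiltration-like); bk-02 ramps up legitimately as a backup job is onboarded.
EVENTS = [(h, "ws-017", mb) for h, mb in enumerate([50, 52, 48, 51, 49, 53, 50, 600, 51])]
EVENTS += [(h, "bk-02", mb) for h, mb in enumerate([100, 110, 120, 130, 140, 150, 160, 170])]

if __name__ == "__main__":
    print(adaptive_alerts(EVENTS))     # only the ws-017 spike is flagged
    print(static_alerts(EVENTS, 150))  # the spike plus two legitimate bk-02 hours
```

The adaptive baseline follows bk-02’s steady growth without alerting, whereas the fixed limit fires on it and would need manual re-tuning, which is the kind of update cycle the unsupervised approach avoids.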
Watson in the mix
Another interesting security tool that’s leveraging ML to secure cloud applications is IBM’s QRadar Advisor with Watson. Like the virtual analysts of Symantec’s TAA, QRadar Advisor with Watson is built to take the load off security analysts, not only providing critical insight into day-to-day operations but also removing much of the drudgery involved in routine and repetitive tasks. It does this with the help of cognitive reasoning extended from the cognitive analytics of IBM’s Watson, which draws on enormous volumes of unstructured data.
This unstructured data could include everything from web pages to security websites or even research papers. This effectively speeds up the overall response cycle while also giving analysts the freedom to proactively look for new threats. Other useful features include automatic incident investigation, cross-investigation analytics, enhanced Watson feedback using external intel, and proactive tuning of your environment for better overall security. UBA, or User Behavior Analytics, is another interesting feature that provides insight into internal users and can even protect against an attack from the inside by flagging suspicious behavior.
Last, but probably the most advanced offering on our list, is Vectra Cognito, which uses AI, ML, data science, and behavioral analytics. It is made up of two separate tools, Cognito Detect and Cognito Recall. Cognito Detect is used to find hidden threats and attackers in real time and to automate the process of threat detection. Additional features include automated protection for privileged accounts, persistent threat tracking, automatic security investigations, and integration with firewalls and other endpoint solutions. Cognito Detect also features an “always-learning” behavioral model that, as the name suggests, is always updating the way it looks for and perceives new threats.
The other half of Cognito, called Recall, goes beyond the conventional and often inflexible data retention models. As opposed to using proprietary storage solutions, Recall is 100 percent cloud-based, enabling it to collect, store, and analyze as much metadata as it needs for investigations or troubleshooting. It’s the limitless scale here that is most attractive, especially in the current situation, with hundreds or even thousands of employees working from home. Recall provides the visibility needed to keep track not only of all the new devices but also of the networks they travel through. It does this by storing what is now being called “enriched” network metadata, which it analyzes for conclusive answers.
Machine learning security tools are simply a must-have
Machine learning security tools have quickly gone from being a cool feature to something the whole world is becoming familiar with under a single word: “essential.” With AI-powered attacks, sneaky malware that can go undetected, and AI-powered evasion techniques that can fool deep learning detection, the choices are “get on board or get hijacked.”
Featured image: Needpix