What Machine Learning Can Bring to IT Security

Last week, Amazon announced a new AWS service called Amazon Machine Learning, designed to “make it easy for developers of all skill levels to use machine learning (ML) technology.” The service is based on the same ML technology Amazon uses to anticipate efficiencies in supply chain management or detect fraudulent transactions, and is a counter-punch to the Microsoft Azure Machine Learning service announced last February.

Amazon’s claim is that, “The service uses powerful algorithms to create ML models by finding patterns in your existing data. Then, Amazon Machine Learning uses these models to process new data and generate predictions for your application.”

ML is something that the financial industry has utilized for decades to spot fraud. For example, many of us have had experiences when our credit card provider has contacted us to confirm the legitimacy of a recent purchase.

In IT security, we have relied heavily on static rules to detect threats based on known attack patterns. But if the steady revelation of new victims is any indication, that approach reached its limits long ago. The recent democratization of ML is an indication that it’s time to consider adding it to our security arsenal.

What machine learning can bring to IT security

The intersection of ML and IT Security focuses on analytics – an emerging buzzword in security that implies more than just reporting. It encompasses an automated analysis of data that ideally elevates the proverbial needle in the haystack that represents a real threat above the typical noise in the system.

Threats have multiplied and become more sophisticated in the last ten years, while infrastructure and applications have expanded as well. We don’t lack security information – on the contrary, we are overwhelmed with data that, given time, could produce meaningful threat disruption. It’s the time, particularly of qualified security professionals, that is lacking.

So the automated analysis of security data, or analytics, is critical to regaining some semblance of control over the ocean of data that is generated and dumped into SIEM tools daily.

Not just any analytics

The most important aspect of analytics in the context of IT security today is user behavior analytics. Based on what has been reported, many of the recent and largest breaches, including Anthem and Sony Pictures, can be attributed to the theft of insider credentials, particularly those of privileged users. So understanding what behavior is normal for users and being able to identify behavior that is abnormal is a critical component of finding threats.

But in order to support user behavior analytics, we must know who our users are. Identity and Access Management (IAM) systems can supply identity context with attributes such as role, entitlements and organizational structure, to enhance the information necessary to determine risk.

Identity and Access Management needs machine learning too

IAM has been evolving to use risk information to become more intelligent. For example, risk-based authentication (RBA) considers parameters such as location, device, IP address and history, sensitivity of information accessed and certain user attributes to determine a risk score before allowing access to a user. Based on that score, step-up authentication can be required, including multi-factor authentication if necessary. Adaptive certifications are another example of the use of risk data in IAM.

But these risk scores are, once again, based on static rules. ML offers an opportunity to more dynamically measure risk.
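To make the contrast concrete, here is an added example (not code from the article, Amazon, Microsoft or any IAM product) that scores the same login attempt two ways: with fixed static rules over the parameters listed above, and with a per-user behavioral baseline learned from that user's login history. The weights, threshold, user, devices and history are all constructed for illustration, and the baseline is a simple attribute-frequency model standing in for a trained ML model.

```python
from collections import Counter, namedtuple

# hour: local hour of day 0-23; sensitivity: 1 (low) to 3 (high) for the resource requested
LoginAttempt = namedtuple("LoginAttempt", "user country device hour sensitivity")

# Static rule-based scoring: the same fixed weights apply to every user,
# so a legitimate night-shift worker abroad always looks risky.
TRUSTED_COUNTRIES = frozenset({"US"})
KNOWN_DEVICES = frozenset({"laptop-7"})

def static_risk(a):
    score = 0
    if a.country not in TRUSTED_COUNTRIES:
        score += 40
    if a.device not in KNOWN_DEVICES:
        score += 30
    if a.hour < 7 or a.hour > 19:
        score += 10
    return score + 10 * a.sensitivity

# Behavioral scoring: learn each user's own baseline from login history and
# weight each attribute by how rare it is for that user (0 = always seen, 1 = never seen).
def build_profile(history):
    profile = {"country": Counter(), "device": Counter(), "hour": Counter(), "n": len(history)}
    for h in history:
        profile["country"][h.country] += 1
        profile["device"][h.device] += 1
        profile["hour"][h.hour // 6] += 1   # four six-hour buckets
    return profile

def dynamic_risk(a, profile):
    def rarity(field, value):
        return 1.0 - profile[field][value] / profile["n"]
    score = (40 * rarity("country", a.country)
             + 30 * rarity("device", a.device)
             + 10 * rarity("hour", a.hour // 6))
    return score + 10 * a.sensitivity

def step_up_required(score, threshold=50):
    return score >= threshold   # at or above threshold: require MFA before granting access

# Constructed history: "maria" works nights from Germany on one laptop.
HISTORY = [LoginAttempt("maria", "DE", "laptop-7", h, 1) for h in (20, 21, 22, 23, 21)]
PROFILE = build_profile(HISTORY)
USUAL = LoginAttempt("maria", "DE", "laptop-7", 22, 2)        # her normal pattern
NEW_DEVICE = LoginAttempt("maria", "DE", "kiosk-99", 10, 2)   # unknown device, unusual hour

def compare(a):
    """Return (static score, behavioral score) so the two approaches can be read side by side."""
    return static_risk(a), dynamic_risk(a, PROFILE)
```

For the routine login the static rules demand step-up authentication every night (score 70) while the behavioral baseline does not (score 20); for the unknown device at an unusual hour both approaches require it (90 and 60).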

Will this actually work?

It remains to be seen whether Amazon’s or Microsoft’s approach to ML can be applied to IT security (or IAM). While machine learning as a service (MLaaS) is the latest iteration, there are certainly other approaches, such as Apache Spark and its Spark ML library. Regardless of the approach, the time for applying machine learning to IT security has come. The financial fraud industry, which started this in the 1970s, is wondering what took us so long.

Travis Greene, Identity Solutions Strategist at Micro Focus, possesses a blend of IT operations and security experience, process design, organizational leadership and technical skills. After a 10-year career as a US Naval Officer, he started in IT as a Data Center Manager for a hosting company. In early 2002, Travis joined a Managed Service Provider as the leader of the service level and continuous improvement team. Today, Travis conducts research with NetIQ customers, industry analysts, and partners to understand current Identity and Access Management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is Expert Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.