Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Demystifying Machine Learning: Turning the Buzzword Into Benefits for Endpoint Security

Machine learning has become the most popular new theme in security. Seemingly every vendor is adopting this capability in an attempt to either keep up or to make their product stand out in a crowded market. This creates confusion, because the term itself is often misunderstood, and the implications of its use are varied. Not only does “machine learning” mean different things to different people, different vendors also apply machine learning in different ways.

Machine learning has become the most popular new theme in security. Seemingly every vendor is adopting this capability in an attempt to either keep up or to make their product stand out in a crowded market. This creates confusion, because the term itself is often misunderstood, and the implications of its use are varied. Not only does “machine learning” mean different things to different people, different vendors also apply machine learning in different ways. All of this makes it difficult for buyers to separate the hype from reality, and to know what value all of this machine learning is actually bringing them.

To help clear up some of the confusion, let’s start by clarifying what machine learning in security is NOT:

1. It is not a form of protection. One of the biggest misconceptions is that machine learning is some kind of new product or feature that provides protection to keep companies safe. In fact, machine learning doesn’t actually provide protection, but rather informs how the protection operates by enabling faster, more accurate, broader and more in-depth analysis of threat data. In the face of the virtually overwhelming tsunami of security threat data being generated, it provides a level of efficiency in making sense of it all that human analysts could never achieve.

2. It is not a quick fix for outdated approaches. Most AV solutions are using machine learning to analyze file attributes to determine whether a file is malicious. But this is basically what AV has been doing for years — scanning new file attributes to compare them against known malware attributes to make a determination. And therein lies the problem: the reliance on static, known file attributes means that no amount of machine learning can stop unknown or fileless threats (with no file, there’s nothing to scan).

3. It is not necessarily always getting smarter. Like any analytics tool, machine learning-based security solutions are only as good as the data available—the proverbial “garbage in, garbage out.” Effective protection depends on high quantity, high quality and frequently updated data, and the right set of features, or attributes, to train on. The model must be regularly retrained using timely, relevant, high-fidelity data.

While machine learning has certainly improved endpoint security, clearly we’re still not quite there yet.

In order to be effective at stopping today’s most sophisticated malware, like fileless attacks, CPU-level exploits, and script and macro-based threats (as well as those threats yet to come), machine learning for endpoint security must be responsive to this current climate. It must be able to discern good software from the bad in real time, across all threat parameters and all system configurations.

So, what will it take for machine learning to deliver on the hype and power a truly transformative new wave of endpoint security?

Advertisement. Scroll to continue reading.

1. It must analyze file behavior, not just attributes. Basing security decisions on file attributes only works when 1) there’s a file to analyze and 2) those attributes have been previously identified and embedded into the model. This leaves a huge void when it comes to detecting and stopping new, unknown variants, fileless and script/macro-based attacks. New, more responsive uses of machine learning in endpoint security can analyze runtime behavior—the system calls and commands of programs as they execute—enabling these solutions to also identify and block malicious activity as soon as it starts, providing broader, more dependable protection.

2. It must be informed by a timely, rigorously retrained model. Most vendors update their model every few months, but given the current cadence of new threat emergence, and the volatility of updates to beneficial software, this is not nearly enough. Truly responsive solutions leverage machine learning to update their model in near-real-time, as often as every 24 hours, to provide the most accurate, timely solution that can actually keep pace with today’s threat landscape.

3. It must account for goodware. Just as thousands of new malware variants threaten endpoints daily, legitimate software is also constantly changing with updates and unique integrations. Conventional security solutions that operate based on file attributes often struggle to consistently disambiguate good applications from malware or beneficial processes from malicious attacks. This results in a high rate of false positives and forces users to maintain whitelists and blacklists while waiting months for updated models. Responsive solutions overcome this problem by ingesting and building a model based not only on current malware data but also up-to-the-minute data on known-good software. This provides a more adaptive, agile model that ensures greater accuracy and coverage, while drastically reducing false positives and user friction.

There’s no doubt that machine learning has and will continue to revolutionize endpoint security. But it’s important to understand exactly how this technology actually works, including its limitations. Understanding this, companies can better protect themselves by asking the right questions to achieve the accurate, comprehensive, forward-looking coverage they need to be fully protected in the face of rapidly evolving and increasingly sophisticated threats.

Related: Threat Hunting with Machine Learning, Artificial Intelligence, and Cognitive Computing

Related: Amazon Unveils Machine Learning Security Service

Related: How Machine Learning Will Help Attackers

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...