We have been hearing a lot of buzz about artificial intelligence (AI) for years, but more recently, the discussion within the cybersecurity industry has centered around machine learning (ML), an approach to AI that focuses on using algorithms to sift through data, learn from it and inform action based on the analytics, such as automatically preventing an unknown threat.
When you unpack the history of AI/ML, you quickly realize the science behind it has been in development since the 1950s, or earlier, with Alan Turing’s seminal paper posing the simple question in 1951, “Can machines think?” But, if the methodology has been around for decades, the natural question is, why now?
Since a ML system can evaluate new data and behavior while operating unsupervised, every company wants to hurry and adopt this cutting-edge approach for many applications. However, the real value of machine learning is the ability to make decisions based on what it has learned from the past, not just what it is currently seeing and analyzing. A machine learning system needs to be trained, and it cannot be trained without a large amount of previous data and intelligence.
In order to maximize the effectiveness of ML in your security efforts, it is helpful to first understand what you need to do before adopting it. I would recommend that security practitioners focus on the following criteria when considering adding a capability that includes machine learning:
1) Collect high-quality data – Having access to massive store of high quality data is the basis for training a machine learning system. When you adopt a product that includes ML, you will want to augment the things you have done in the past, like signature collection and automated malware analysis, so you can combine those things with the machine’s capability to determine new, malicious content. In addition to looking at bad data, you also need to have a large collection of good data, so that when it comes time to train the machine, it can accurately distinguish between what is dangerous and what is benign.
2) Establish consistency in your security – Ultimately, you will need to ensure ML algorithms can run at multiple levels including network traffic, user behavior and endpoint. For example, if today you are only looking at anomalous behavior in your network traffic but not on your endpoint or in your user behavior, you won’t be able to accurately correlate and determine whether something is truly malicious so you can make the most sound decisions.
3) Ask the right questions for vendors – Many companies claim their solutions incorporate ML, but oftentimes capabilities are overstated. The questions you ask these vendors should focus on how accurate, fast and efficient their systems are. Where does the analyzed data come from, and how often is it collected? How quickly can the solution make a decision that leads to an action? Developing and asking a comprehensive list of questions like these will help you select the system best suited for your company’s needs.
When you consider the value of machine learning, the ultimate goal is simple: use software to automatically take an action. While the area of study has existed for decades, the industry has reached a place where it can be effectively applied to improve our ability to prevent successful attacks. As attackers continue to increase the volume of attacks they launch, often automating their entire operations, organizations typically apply manual processes to their response efforts, which do not scale. As we seek to require less manual effort and automate as much prevention as possible, machine learning is one way to provide powerful leverage to Cybersecurity professionals.