Machine learning picks up where traditional threat detection ends

Artificial intelligence gives security analysts a leg up on banishing malware gloom quickly, effectively


Smart CSOs and CISOs are moving from post-incident to pre-incident threat intelligence. Instead of signature and reputation-based detection methods, they are looking at artificial intelligence innovations that use machine learning algorithms to drive superior forensics results.

In the past, humans had to look at large sets of data to distinguish the good characteristics from the bad ones. But organizational threats increasingly manifest themselves through changing and complex signals that are difficult to detect with traditional signature-based and rule-based monitoring solutions.

Related podcast: How machine learning keeps malware from seeping through cracks

What’s more, traditional tools can contribute to “alert fatigue” by excessively warning about activities that may not be indicative of a real security incident. This requires skilled security analysts to identify and investigate these alerts when there already is a shortage of these skilled professionals.

With machine learning, the computer is trained to distinguish the good characteristics from the bad ones, using multidimensional signatures that can examine patterns to identify anomalies and detect problems. A mitigation response can then be triggered.

Two types of learning

Machine learning generally works in two ways: supervised and unsupervised. With the former, humans tell the machines which behaviors are good and bad. The machines then figure out the commonalities to develop multidimensional signatures. With unsupervised learning, the machines build the model without labeled data, analyzing clusters to figure out what’s normal and what’s an anomaly.

Unsupervised machine learning can be used as part of a layered defense approach, serving as a scalable safety net across an organization’s information ecosystem. This can help identify rogue use in all types of networks, distributed or centralized, local or global, cloud or on-premises.
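To make the unsupervised case concrete, here is an added example (not code from the article or any product it describes): a minimal label-free anomaly detector over a constructed table of per-host network features. Each host is standardized in feature space, scored by its distance from the centroid of all hosts, and flagged when that distance exceeds a robust threshold learned from the data itself; the host names, columns and values are made up.

```python
import math
from statistics import mean, pstdev

# Constructed sample of per-host activity over one hour (made-up values).
# Columns: host, connections/min, MB sent out, distinct destinations
ACTIVITY = [
    ("ws-01", 12, 4.1, 8),
    ("ws-02", 15, 3.8, 9),
    ("ws-03", 11, 4.5, 7),
    ("ws-04", 14, 5.0, 10),
    ("ws-05", 13, 4.2, 8),
    ("ws-06", 16, 3.9, 11),
    ("ws-07", 12, 4.4, 9),
    ("ws-08", 140, 61.0, 85),  # many destinations plus a large upload
]

def standardize(rows):
    """Scale every numeric column to zero mean / unit variance so that a
    large-valued feature (bytes) cannot dominate the distance on its own."""
    cols = list(zip(*[r[1:] for r in rows]))
    stats = [(mean(c), pstdev(c) or 1.0) for c in cols]  # guard std == 0
    return [[(v - m) / s for v, (m, s) in zip(r[1:], stats)] for r in rows]

def anomaly_scores(rows):
    """Euclidean distance of each host from the centroid of all hosts in
    standardized space: the multidimensional picture of 'normal' here."""
    z = standardize(rows)
    centroid = [mean(col) for col in zip(*z)]
    return {r[0]: math.sqrt(sum((a - c) ** 2 for a, c in zip(vec, centroid)))
            for r, vec in zip(rows, z)}

def flag_anomalies(rows, k=3.0):
    """Flag hosts whose score exceeds median + k * MAD. Median and MAD are
    used instead of mean/std so the outlier cannot mask itself by inflating
    the threshold; no labels are needed at any point."""
    scores = anomaly_scores(rows)
    vals = sorted(scores.values())
    med = vals[len(vals) // 2]
    mad = sorted(abs(v - med) for v in vals)[len(vals) // 2] or 1e-9
    return sorted(h for h, s in scores.items() if s > med + k * mad)

if __name__ == "__main__":
    for host, score in sorted(anomaly_scores(ACTIVITY).items()):
        print(f"{host}: {score:.2f}")
    print("flagged:", flag_anomalies(ACTIVITY))
```

In practice the baseline would be fit on a much larger window and re-fit periodically, since the same mean/variance standardization that makes the distance meaningful also drifts as the outlier's own traffic is absorbed into the baseline.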

Sophisticated security

By applying machine learning techniques across a diverse set of data sources, systems can absorb more and more relevant data and become increasingly intelligent. These systems can then help optimize the efficiency of security personnel, enabling organizations to more effectively identify threats. With multiple machine learning modules to scrutinize security data, organizations can identify and connect otherwise unnoticeable, subtle security signals.

Machine learning also can produce pre-analyzed context for investigations, making it easier for security analysts of all experience levels to discover threats. This is a proactive approach for combating sophisticated attacks. It enables CISOs to accelerate detection efforts and reduce time expended on investigations.
