Certain use cases naturally produce the enormous volumes of data frequently required to capitalize on machine learning investments. Others are rendered increasingly difficult—if not impossible—by the lack of example data needed to train algorithms on specific business objectives.
Security analytics, particularly in the context of cyber security, has never suffered from the latter problem and is representative of the former. It is as simple as it is data reliant: aggregate as much data as possible and analyze it for threats. It speaks volumes about the current threat landscape facing the enterprise that there is not only no shortage of such data but, significantly, no dearth of threats to guard against, either.
According to Mark Carl, Chief Security Officer of PDI Security Solutions, there is a mounting number of “threat actors that are out there. They’re building custom malware and ransomware to attack a particular victim. In order to flip that, we can’t rely on traditional [methods] anymore. We have to be able to see what the software is doing, even at a kernel level, so we can stop it from happening before it’s able to encrypt files in a ransomware example.”
Machine learning plays a vital role in assisting security analytics with succeeding in this endeavor. It’s part of a larger assortment of approaches and techniques that are becoming more and more necessary to safeguard valued enterprise data.
Broadly speaking, machine intelligence factors into two interrelated aspects of security analytics that reflect the cloud-based nature of cyber security in general. Machine learning operates on individual endpoint devices via software to provide an initial layer of analysis and protection. It is also used in centralized locations, often in conjunction with other forms of cognitive computing, for further aggregation and analysis that yields deeper insight into patterns of malicious activity.
On endpoint devices, this technology enables the underlying software to “adapt and look for things that are suspicious or malicious outside of file signatures, which would be your traditional antivirus software,” Carl noted. “If there’s a custom piece of software built to attack a particular customer, file signatures won’t find it.” However, the machine intelligence provided by cognitive computing technologies can detect even slight anomalies on endpoint devices.
In these instances, it enables smart cyber security protection software to “flag it and say okay, I’m going to let this execute but once it starts trying to talk to things that I think might be a threat, then I’m going to stop that from happening and alert [people] that someone needs to investigate this malicious activity,” Carl explained. In some cases, the malware or ransomware is isolated during the interim in which it’s monitored for suspicious behavior.
As previously mentioned, the principal value derived from security analytics is in assembling large quantities of diverse data for scrutiny. Such data may include log files, hash tags, file signatures, and more. That is why a seminal aspect of security analytics is a centralized “security operations center…with a security operations team with 24 by 7 security analyst visibility into deployment environments,” Carl stipulated. Such teams are able to multiply the value of security analytics in a number of ways, including by:
- Reducing False Positives: False positives are a reality of most detection and prevention methods. When centralized security teams correlate a network's large-scale data, monitoring firewall activity alongside software activity on endpoint devices, that correlation is useful “to find and identify malicious activity on the network and help us eliminate false positives where normal things happen on a [specific] server,” Carl commented. “If they don’t have any correlation, it may not actually turn out to be a threat.”
- Teaching Machine Learning: The operations and findings of centralized teams can inform the learning of cognitive computing algorithms. “On our back office server, for example, you have certain things that run all the time that we know are not malicious,” Carl remarked. “The [machine] learning may white list those over time.”
- Improving Overall Network Security: Machine learning gains for one end user may extend throughout the network to fortify it collectively against malefactors. In the white list use case Carl identified above, it’s applicable “not only for a particular site, but an entire chain of sites where all our customers are running a particular piece of software and we’ve got a signature for that software,” he mentioned. “Then we know, through machine learning, that it’s not malicious.”
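The behaviour described above, an endpoint letting a process run but escalating once it starts talking to something suspicious, and the three list items on correlation, learned allowlisting and network-wide reuse of that knowledge, can be sketched in a small correlation layer. The following is an added example written for this page, not PDI's software or any product the article describes; every host name, file hash, address range and event in it is constructed, and the verdict rules (one unconfirmed signal means monitor, a firewall-corroborated or multi-behaviour process means block and alert) are illustrative assumptions rather than anything the article specifies.

```python
"""Toy security-analytics correlation: endpoint behaviour + firewall logs + learned allowlist.

Added example, not code from the article. Endpoint events and firewall logs are correlated
per (host, file hash); software that runs benignly across several sites, or that the SOC
team has confirmed by hand, is allowlisted so it stops generating false positives.
All hosts, hashes, addresses and events below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: address ranges treated as the organisation's own network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed endpoint telemetry: (host, file_hash, event_type, detail).
ENDPOINT_EVENTS = [
    ("pos-01", "hash-backup", "process_start", "backup.exe"),
    ("pos-01", "hash-backup", "net_connect", "10.0.0.5:445"),
    ("pos-02", "hash-backup", "process_start", "backup.exe"),
    ("pos-02", "hash-backup", "net_connect", "10.0.0.5:445"),
    ("pos-03", "hash-backup", "process_start", "backup.exe"),
    ("pos-03", "hash-backup", "net_connect", "10.0.0.5:445"),
    ("pos-03", "hash-invoice", "process_start", "invoice.exe"),
    ("pos-03", "hash-invoice", "net_connect", "203.0.113.7:443"),
    ("pos-03", "hash-invoice", "file_rename", "receipts/*.locked"),
    ("pos-04", "hash-update", "process_start", "update.exe"),
    ("pos-04", "hash-update", "net_connect", "198.51.100.9:443"),
    ("pos-05", "hash-tool", "process_start", "tool.exe"),
    ("pos-05", "hash-tool", "net_connect", "192.0.2.44:8080"),
]

# Constructed firewall log: (host, destination_ip, action).
FIREWALL_EVENTS = [("pos-03", "203.0.113.7", "deny")]

# Constructed: software the SOC team has confirmed as benign (a vendor updater).
ANALYST_CONFIRMED = frozenset({"hash-update"})


def is_external(endpoint: str) -> bool:
    """True if an 'ip:port' string points outside the constructed internal ranges."""
    ip = ip_address(endpoint.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL_NETS)


def is_suspicious(kind: str, detail: str) -> bool:
    """Behaviours worth a signal: talking outside the network or renaming files in bulk."""
    return kind == "file_rename" or (kind == "net_connect" and is_external(detail))


def learn_allowlist(events, min_hosts=3, analyst_confirmed=frozenset()):
    """Hashes seen running on at least min_hosts hosts with no suspicious behaviour become
    known-good over time; anything the SOC team confirmed by hand is added as well."""
    hosts_by_hash = defaultdict(set)
    flagged = set()
    for host, file_hash, kind, detail in events:
        hosts_by_hash[file_hash].add(host)
        if is_suspicious(kind, detail):
            flagged.add(file_hash)
    learned = {h for h, hosts in hosts_by_hash.items()
               if len(hosts) >= min_hosts and h not in flagged}
    return learned | set(analyst_confirmed)


def correlate(endpoint_events, firewall_events, allowlist):
    """Verdict per (host, hash): 'allow', 'monitor' (one unconfirmed signal) or
    'block_and_alert' (firewall-corroborated connect, or several distinct behaviours)."""
    denied = {(host, ip) for host, ip, action in firewall_events if action == "deny"}
    signals = defaultdict(list)
    for host, file_hash, kind, detail in endpoint_events:
        key = (host, file_hash)
        signals.setdefault(key, [])  # register the process even if it never misbehaves
        if file_hash in allowlist or not is_suspicious(kind, detail):
            continue
        if kind == "net_connect":
            ip = detail.rsplit(":", 1)[0]
            signals[key].append("fw_denied" if (host, ip) in denied else "external_connect")
        else:
            signals[key].append("mass_rename")
    verdicts = {}
    for key, sigs in signals.items():
        if not sigs:
            verdicts[key] = "allow"
        elif "fw_denied" in sigs or len(set(sigs)) >= 2:
            verdicts[key] = "block_and_alert"
        else:
            verdicts[key] = "monitor"
    return verdicts


if __name__ == "__main__":
    allow = learn_allowlist(ENDPOINT_EVENTS, analyst_confirmed=ANALYST_CONFIRMED)
    for key, verdict in sorted(correlate(ENDPOINT_EVENTS, FIREWALL_EVENTS, allow).items()):
        print(f"{key[0]:7} {key[1]:13} {verdict}")
```

Run as a script, the backup job that ran cleanly on three sites and the analyst-confirmed updater come out as allow, the single external connection from tool.exe is only monitored, and invoice.exe on pos-03, whose outbound connection the firewall also denied and which began renaming files, is blocked and alerted on. The allowlist is derived from the same corpus that feeds detection, which is the mechanism the article describes for turning one site's experience into protection for the whole chain.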
There are several different components of security analytics. It involves company policies, business rules, log data, firewall monitoring, endpoint devices, and aggregation at a centralized location for analysis. The contribution of these factors at scale—for individual users, business units, organizations, and networks—creates datasets large enough for machine learning algorithms to train on and improve their ability to detect—and prevent—cyber security attacks.