Machine learning is a very hot topic (some might say buzzword) in the tech world in general and especially in cyber security. This post provides an easy-to-understand explanation of how it is being applied to some of today's most pressing cyber security problems. Machine learning will come up regularly in this blog, since its applications have many dimensions and its development is advancing rapidly.
Technology is moving rapidly, and it seems you can't avoid hearing about machine learning. Almost every large online storefront uses it to recommend items you may want to purchase, it analyzes your credit card purchases, and self-driving cars depend on it.
But what is it? The term is often used interchangeably with artificial intelligence; more precisely, machine learning is a type of artificial intelligence (AI) that gives computers the ability to learn without being explicitly programmed. It focuses on the development of computer programs that can change their behavior when exposed to new data.
Common applications of machine learning in today's security technology include voice recognition, fraud detection, email spam filtering, text processing, log searches, and video analysis. These technologies are also improving daily, with the improvements fueled by greater data analytics, the falling cost of computation, and advances in the state of the art of machine learning research.
So how exactly is machine learning being applied in cyber security?
There are two ways: data gathering and data analysis. Cyber security leverages data gathering, or big data, for the collection and storage of large numbers of useful data points. This helps security operations teams and analysts who are overwhelmed by the vast amount of raw data collected every day. In larger and more mature environments (i.e., those that are more advanced and better funded), many tools are deployed that have been designed to sort, slice, and mine this data in a somewhat automated fashion and support the analyst's day-to-day work.
Take, for example, user and entity behavior analytics (UEBA): machine learning can be used to profile each user, each device, each application, and each file or document to establish a baseline, and then flag behavior that is contextually abnormal.
For IoT it is easier, because there is no user to associate with the device, and the behavior patterns of IoT devices are much simpler: typically the "thing" only sends traffic to a fixed destination at a steady volume. As soon as the device starts sending to multiple destinations, or the volume increases significantly, it can be detected. For example, the Target IoT attack that happened last year could have been easily detected if this type of system had been deployed.
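The IoT baseline described above, as an added example that is not code from the post or from HoloNet: each device gets a profile of the destinations it talks to and its usual byte volume from a learning window, and later flows are flagged when they reach a new destination or exceed the volume the baseline tolerates. Device names, addresses and byte counts are constructed sample data.

```python
# Added example (not the post's or HoloNet's code): learn a per-device baseline
# of destinations and byte volume, then flag flows that leave it.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-window flows (device, dst_ip, bytes): one broker, steady volume.
BASELINE_FLOWS = [
    ("sensor-01", "10.0.0.5", 1200),
    ("sensor-01", "10.0.0.5", 1150),
    ("sensor-01", "10.0.0.5", 1250),
    ("sensor-01", "10.0.0.5", 1200),
]

# Constructed detection-window flows: normal, new host, volume spike, both, unprofiled device.
NEW_FLOWS = [
    ("sensor-01", "10.0.0.5", 1210),
    ("sensor-01", "203.0.113.7", 1190),
    ("sensor-01", "10.0.0.5", 48000),
    ("sensor-01", "203.0.113.9", 52000),
    ("camera-07", "10.0.0.5", 900),
]


def build_baseline(flows):
    """Per device: the set of destinations seen and the mean/stdev of bytes."""
    dests, volumes = defaultdict(set), defaultdict(list)
    for dev, dst, nbytes in flows:
        dests[dev].add(dst)
        volumes[dev].append(nbytes)
    return {dev: {"dests": dests[dev], "mean": mean(volumes[dev]),
                  "std": pstdev(volumes[dev])} for dev in dests}


def flag_flows(baseline, flows, z=3.0, min_frac=0.2):
    """Return (device, dst, bytes, reasons) for every flow outside the baseline."""
    alerts = []
    for dev, dst, nbytes in flows:
        prof = baseline.get(dev)
        if prof is None:  # no profile at all is itself worth an analyst's look
            alerts.append((dev, dst, nbytes, ("device not in baseline",)))
            continue
        reasons = []
        if dst not in prof["dests"]:
            reasons.append("new destination")
        # Volume threshold: mean + max(z*std, min_frac*mean). The min_frac floor
        # keeps a perfectly steady device (std == 0) from alerting on tiny jitter.
        if nbytes > prof["mean"] + max(z * prof["std"], min_frac * prof["mean"]):
            reasons.append("volume spike")
        if reasons:
            alerts.append((dev, dst, nbytes, tuple(reasons)))
    return alerts
```

Run `flag_flows(build_baseline(BASELINE_FLOWS), NEW_FLOWS)` to see the four flagged flows; the first flow, a normal-sized message to the usual broker, produces nothing.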
These technologies greatly improve cyber security effectiveness and can dramatically improve the initial detection of threats by addressing the overload problem (reducing 500,000 alerts to 500, for example). But at the end of the day we still need a human in the loop for the last step. Humans can apply real-world experience and knowledge to handle exceptions, and while better AI will help reduce the number of exceptions, those that remain will still require the attention of an IT or security professional.
This blog reflects the contribution of the HoloNet team and guest bloggers who are security experts. HoloNet Security is led by a team of seasoned security industry professionals with a long, proven track record of successful security products and services.