Machine learning is all about algorithms. The financial industry has used it to spot fraud, and it is expected to predict the behavior of users.
So how does machine learning intersect with IT security?
“Machine learning is the technology that underpins analytics in security,” says Travis Greene, Identity Solutions strategist at NetIQ, the security portfolio of Micro Focus. “Analytics is the distillation of data or statistics (in this case, security events) into meaningful information that is used for better decision making.”
Analytics, Greene goes on to say, differs from reports: reports are typically a graphical representation of data, while analytics adds the identification of trends, abnormalities, predictions or scoring.
“This automated analysis of data reduces reaction times to security events by focusing attention on truly abnormal activity, and enables better-informed decisions with more objective criteria.”
Identifying Normal, Abnormal User Behavior
Today’s attacks are dominated by outsiders acquiring insider credentials to bypass detection by security monitoring while acquiring sensitive information. That’s why the most important aspect of analytics in the context of IT security is user behavior analytics, Greene explains.
“Based on what has been reported, many of the recent and largest breaches, including the Office of Personnel Management, Anthem and Target, can be attributed to the theft of insider credentials, particularly those of privileged users,” Greene says. “So understanding what behavior is normal for users and being able to identify behavior that is abnormal is a critical component of finding threats.”
Searching Patterns for Anomalies
Security vendors are beginning to take advantage of machine learning components and adding them to their products, but how they are taking advantage depends on the vendor and the type of security the vendor is providing, according to Chris Witeck, principal technology strategist with Citrix.
Witeck points out that the benefit and promise of adding machine learning to a security strategy come in two areas: Gaining new insights into typical usage patterns and better detection of direct threats and anomalous behavior.
“Looking at how BYOD and IoT are impacting network security, many organizations are realizing that it is increasingly challenging to defend their networks, applications and assets using a fixed perimeter approach,” he says. “Too many devices, people and applications are transcending the traditional network boundary. This trend will only increase as new sensors, devices, and things are introduced.”
Augmenting security in this type of environment requires monitoring behaviors to both detect direct known threats and to flag anomalous behavior for investigation.
“Machine learning is an essential tool for evaluating the patterns of activity across the network. Potential issues can then be surfaced to human experts with appropriate supporting data to evaluate potential threats,” Witeck adds. “While much of this may be happening centrally with gateways, firewalls, IPS and other traditional security systems, we likely will see more peer-to-peer machine learning, sort of a hive mentality as the multitude of devices start to do a better job of reporting anomalous behavior observed amongst their peers.”
Analytics Plus Human Analysis
As threats have multiplied and become more sophisticated in the last 10 years, analytics are the technological leap toward keeping up with the evolution of security attacks. At the same time, observing patterns of access across the entire network to correlate and detect access and data patterns is hard to do manually for a human observer. Collecting and analyzing data using machine learning is far more effective.
Still, the need for a human touch remains. Machine learning in security requires the evaluation of all types of access and all types of behaviors, and this includes humans accessing physical objects (entering doors, rooms), devices (phones, laptops) and virtual objects (applications), and capturing where the access occurred, which is increasingly easy to track, Witeck explains.
“With all of the breaches involving identity theft, being able to observe human access to information and flagging access that falls outside of normal patterns will be increasingly important,” he says. “To be truly effective, human curation will be required. The problem is that people are being asked to evaluate increasingly too much data to detect attacks and vulnerabilities. With machine learning, you will be able to filter this data down, automate much of the analysis and alerting, and ultimately make it easier to tie together trends from disparate sets of data. However, you still will need humans, perhaps in new roles (such as data scientists), to curate and monitor the data. Machine learning tools serve to winnow down the data and potential challenges to a manageable set, thereby making the human factor much more effective.”
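The user behavior analytics that Greene describes (baseline what is normal per user, flag what is not, with an eye on privileged credentials) and the winnowing-for-humans that Witeck describes can be sketched in a few dozen lines. The example below is added here and is not code from the article, NetIQ or Citrix; the events, hosts and threshold are constructed for illustration.

```python
from collections import Counter
import math

# Constructed baseline of authentication events (not from the article):
# (user, hour_of_day, source_host, action). "dba" is a privileged account.
BASELINE = [
    ("alice", 9, "wks-01", "login"), ("alice", 10, "wks-01", "login"),
    ("alice", 14, "wks-01", "login"), ("alice", 16, "wks-01", "login"),
    ("dba", 9, "wks-07", "login"), ("dba", 11, "wks-07", "db_query"),
    ("dba", 15, "wks-07", "db_query"), ("dba", 17, "wks-07", "login"),
]
FEATURES = ("hour_bucket", "host", "action")

def hour_bucket(hour):
    """Collapse the hour into business / evening / night so 9 vs 10 is not an anomaly."""
    return "business" if 8 <= hour < 18 else "evening" if 18 <= hour < 23 else "night"

def build_profiles(events):
    """Per-user counts of each feature value: the 'normal' the article talks about."""
    profiles = {}
    for user, hour, host, action in events:
        prof = profiles.setdefault(user, {f: Counter() for f in FEATURES})
        for f, v in zip(FEATURES, (hour_bucket(hour), host, action)):
            prof[f][v] += 1
    return profiles

def score_event(profiles, event, alpha=1.0):
    """Surprise (sum of -log probability) of each feature under the user's own profile,
    with add-alpha smoothing so an unseen value is rare, not impossible. Returns
    (total, {feature: score}) so the analyst sees *why* an event was flagged."""
    user, hour, host, action = event
    if user not in profiles:                 # no baseline at all: always worth a look
        return 10.0, {"unknown_user": 10.0}
    per_feature = {}
    for f, v in zip(FEATURES, (hour_bucket(hour), host, action)):
        counts = profiles[user][f]
        total = sum(counts.values())
        vocab = len(counts) + 1              # +1 leaves probability mass for a new value
        p = (counts[v] + alpha) / (total + alpha * vocab)
        per_feature[f] = -math.log(p)
    return sum(per_feature.values()), per_feature

def triage(profiles, new_events, threshold=4.0):
    """Winnow a stream down to the events worth a human's time, most surprising first."""
    flagged = []
    for ev in new_events:
        total, parts = score_event(profiles, ev)
        if total >= threshold:
            reasons = [f for f, s in parts.items() if s > 1.5]
            flagged.append((round(total, 2), ev, reasons))
    return sorted(flagged, reverse=True)
```

A night-time database query by the "dba" account from a never-seen host scores high on two features at once and is surfaced with those two reasons attached, while an ordinary daytime login by the same account stays below the threshold; the threshold and bucketing are the tuning knobs an analyst would adjust.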
In the end, there is no lack of security information with machine learning, says Greene. On the contrary, it is easy to be overwhelmed by data; given enough time, all of that information could yield meaningful threat disruption.
“It’s the time, particularly of qualified security professionals, that is lacking,” Greene says. “Analytics holds the promise of unlocking enormous amounts of data created by security tools to sense abnormal patterns that indicate an attack. It elevates the proverbial needle in the haystack that represents a real threat above the typical noise in the system. The financial fraud industry started using similar techniques in the 1970s; they’re wondering what took us in IT security so long.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba