March 24, 2015

Achieve Business Value with Machine Learning

Shawn Masters

With major companies battling constant cyberattacks and advanced persistent threats, ever larger dedicated staffs are required to handle cyber espionage issues. Right now, a common problem across corporations and agencies defending against these attacks is that too few people are tasked solely with early detection and interdiction. As our adversaries increase their use of automation, staff increases will not be able to keep up with the exponential growth of the threat. Manual querying, analysis, and response are limited in efficiency and will remain the bottleneck in incident handling.

The good news is that technology is providing us with the critical tools for preparing our defenses and maximizing our manpower against cyber-attacks. One of those key tools is machine learning. In a nutshell, machine learning applies a series of algorithms in order to draw conclusions from data sets. Rather than following strictly programmed instructions, machine learning operates by building a model from example inputs and using that model to make predictions, and ultimately time-saving decisions.

Machine learning can be used across any industry, but it is especially well suited to cybersecurity, where data volumes are enormous and risk escalates quickly. Damage done in the early days of a serious threat can't be prevented or managed by signatures and raw data alone. We need machine learning to help detect and adapt to the emerging threats used against major corporations and to the pace at which attackers change their tools.

By marrying the correct technology with the right people we can see real benefits against malicious and advanced persistent threats. Incorporating machine-learning techniques into our monitoring and defensive strategies equips us with the ability to detect hostile behavior and new variants of attacks on an ever-changing landscape. Machine learning will eventually help organizations achieve business value and security in three ways: first, through quicker responses to data breaches; second, by deducing insights about attacks from large collections of security data; and finally, by automating recommended reactions.

Quicker Responses to Data Breaches

As a rule, network responders or tier-three analysts rely on rapid detection and evaluation of potential threats. As they find and detail breaches they are responsible for recommending, and often taking, action to mitigate, isolate and/or eliminate the attack. The onslaught of false positives, benign probes/attacks and actual threats is so voluminous that many attacks and vulnerabilities are left undetected while the analyst is focused on the issue at hand.

Machine learning is the key to overcoming the cyber fog of war and concentrating limited resources where they are needed the most. It gives the responders the ability to detect a range of threats, filter out false alarms and prioritize efforts based on the scope of the potential breach. At the same time, machine learning will arm analysts and network responders with the means to detect potential threats and vulnerabilities before there is a full-blown data breach.

Deducing Insights from Big Data

Machine learning algorithms fall into two types. Supervised algorithms take examples of human-labeled data and learn how to find equivalent cases. Unsupervised algorithms look for patterns, whether or not they are obvious to a human, and highlight the differences found.

Both types can be used to find the important irregularities that the analyst needs. Just like a person learns through repetition, machine learning allows computers to establish a repeatable and trustworthy workflow based on the data available.

Machine learning algorithms do not replace the tier-three analyst, but they borrow key concepts from human interactions and apply interpretations from past experience to current and future questions. Machine learning expedites the data analytics process: monitoring, learning and automating processes for faster response times.
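The two algorithm types described above, as an added example that is not part of the original article and not code from Novetta: an unsupervised z-score detector learns a per-host baseline from unlabeled activity and highlights which feature of a new event deviates, and a supervised Laplace-smoothed naive Bayes classifier learns analyst-assigned labels and applies them to new alerts. The events, feature names (`bytes_out`, `failed_logins`, `off_hours`, `new_dst`, `high_volume`) and labels are all constructed for the demo. The detector also handles the failure mode of a feature with zero variance in the baseline, for which no z-score exists.

```python
"""Added example (not from the Datanami article): two small security-data
learners in plain Python, one unsupervised (z-score outlier detection over a
baseline of normal host activity) and one supervised (categorical naive Bayes
trained on analyst-labeled alerts). All data below is constructed for the demo."""
import math
import statistics
from collections import Counter, defaultdict

# --- Unsupervised: flag events whose features deviate from the baseline ---

def fit_baseline(events, features):
    """Per-feature mean and population std-dev learned from unlabeled events."""
    stats = {}
    for f in features:
        values = [e[f] for e in events]
        stats[f] = (statistics.mean(values), statistics.pstdev(values))
    return stats

def zscore_anomalies(stats, events, threshold=3.0):
    """Return {event_id: {feature: z}} for every feature beyond the threshold.
    A feature with zero variance in the baseline is flagged on *any* change,
    because a z-score cannot be computed for it (division by zero)."""
    flagged = {}
    for e in events:
        hits = {}
        for f, (mean, std) in stats.items():
            if std == 0:
                if e[f] != mean:
                    hits[f] = float("inf")
                continue
            z = (e[f] - mean) / std
            if abs(z) > threshold:
                hits[f] = round(z, 1)
        if hits:
            flagged[e["id"]] = hits
    return flagged

# --- Supervised: learn analyst labels and apply them to new alerts ---

class CategoricalNaiveBayes:
    """Laplace-smoothed naive Bayes over categorical alert attributes."""
    def __init__(self):
        self.label_counts = Counter()
        self.feature_counts = defaultdict(Counter)  # (label, feature) -> Counter(value)
        self.values = defaultdict(set)              # feature -> values seen in training

    def fit(self, examples):
        for attrs, label in examples:
            self.label_counts[label] += 1
            for f, v in attrs.items():
                self.feature_counts[(label, f)][v] += 1
                self.values[f].add(v)
        return self

    def predict(self, attrs):
        """Pick the label with the highest log posterior; smoothing keeps an
        attribute value never seen with a label from zeroing the score."""
        total = sum(self.label_counts.values())
        best, best_score = None, -math.inf
        for label, n in self.label_counts.items():
            score = math.log(n / total)
            for f, v in attrs.items():
                counts = self.feature_counts[(label, f)]
                k = len(self.values[f])
                score += math.log((counts[v] + 1) / (n + k))
            if score > best_score:
                best, best_score = label, score
        return best

# Constructed baseline of ordinary host activity (unlabeled).
BASELINE = [
    {"id": f"h{i}", "bytes_out": b, "failed_logins": l}
    for i, (b, l) in enumerate(zip([1000, 1200, 900, 1100, 1000, 1300, 950, 1050],
                                   [0, 1, 0, 0, 2, 0, 1, 0]))
]
# Constructed new events to score against the baseline.
NEW_EVENTS = [
    {"id": "web-01", "bytes_out": 1150, "failed_logins": 1},    # ordinary
    {"id": "fin-07", "bytes_out": 50000, "failed_logins": 0},   # unusually large transfer
    {"id": "vpn-gw", "bytes_out": 1000, "failed_logins": 30},   # password guessing
]
# Constructed alerts that an analyst already labeled.
LABELED_ALERTS = [
    ({"off_hours": 1, "new_dst": 1, "high_volume": 1}, "malicious"),
    ({"off_hours": 1, "new_dst": 1, "high_volume": 0}, "malicious"),
    ({"off_hours": 0, "new_dst": 1, "high_volume": 1}, "malicious"),
    ({"off_hours": 1, "new_dst": 0, "high_volume": 1}, "malicious"),
    ({"off_hours": 0, "new_dst": 0, "high_volume": 0}, "benign"),
    ({"off_hours": 0, "new_dst": 0, "high_volume": 1}, "benign"),
    ({"off_hours": 1, "new_dst": 0, "high_volume": 0}, "benign"),
    ({"off_hours": 0, "new_dst": 0, "high_volume": 0}, "benign"),
    ({"off_hours": 0, "new_dst": 1, "high_volume": 0}, "benign"),
]

if __name__ == "__main__":
    stats = fit_baseline(BASELINE, ["bytes_out", "failed_logins"])
    print("unsupervised:", zscore_anomalies(stats, NEW_EVENTS))
    clf = CategoricalNaiveBayes().fit(LABELED_ALERTS)
    print("supervised:", clf.predict({"off_hours": 1, "new_dst": 1, "high_volume": 0}))
```

The unsupervised path needs no labels at all and reports the feature that tripped, which is what an analyst wants to see first; the supervised path needs the labeled history but can distinguish classes the baseline alone cannot. In practice both run side by side, with the anomaly detector surfacing candidates and the classifier ranking them.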

Automating Recommended Actions

Cyber machine learning can be used to create recommendations by learning typical actions taken by network responders during malware analysis, categorization and kill chain initiation. The computer is then capable of taking these recommendations and putting them into action, defending data and systems against invasions. While a fully autonomous reaction is years away, manipulation of security policies and enforcement can often slow or stop an attack while the operational staff is making their assessments.

Machine learning can be retrained on new data, on its own errors, or on examples of radically new concepts, so that it improves over time by detecting patterns in behavior. In addition, ongoing training improves the prioritization of high-risk situations and the detection of false alarms. This saves analysts a great deal of time, since they no longer have to sort serious threats from harmless ones or chase false alarms. Cyber threats are only going to become more prevalent, and machine learning will be a key component of the future protection of systems and data. It is better to be forward-looking and preventative about these attacks and trust the technology available to us than to risk becoming the next victim of serious cybercrime.
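The recommendation and retraining loop described in the last two paragraphs, as an added example that is not part of the original article and not Novetta code: a recommender learns which containment step responders usually took for a given alert context, applies a step automatically only when the learned action is confident, well supported and on a list of reversible policy changes, keeps learning from each new analyst decision, and orders the queue so high-value assets with a confident action come first. The alert types, asset tiers, action names and the `AUTO_APPLY_ALLOWED` set are all constructed assumptions for the demo.

```python
"""Added example (not from the Datanami article): a responder-action
recommender that learns from past analyst actions, gates automatic application
on confidence and reversibility, and is retrained incrementally from feedback.
All incident histories here are constructed for the demo."""
from collections import Counter, defaultdict

# Assumption for this example: these are reversible policy changes that may run
# while analysts assess; anything not listed is only ever recommended, never applied.
AUTO_APPLY_ALLOWED = {"block_src_ip", "isolate_host", "disable_account"}
TIER_RANK = {"tier1": 0, "tier2": 1, "tier3": 2}   # lower rank = more critical asset

def context_key(alert):
    """Reduce an alert to the attributes that drove past analyst decisions."""
    return (alert["type"], alert["asset_tier"])

class ActionRecommender:
    def __init__(self, min_confidence=0.8, min_examples=5):
        self.history = defaultdict(Counter)   # context -> Counter(action taken)
        self.min_confidence = min_confidence
        self.min_examples = min_examples

    def fit(self, past_incidents):
        for alert, action in past_incidents:
            self.observe(alert, action)
        return self

    def observe(self, alert, action):
        """Retraining step: record what the analyst actually did for this alert."""
        self.history[context_key(alert)][action] += 1

    def recommend(self, alert):
        """Return (action, confidence, auto_apply); unseen contexts get no action."""
        counts = self.history.get(context_key(alert))
        if not counts:
            return None, 0.0, False
        action, n = counts.most_common(1)[0]
        total = sum(counts.values())
        confidence = n / total
        auto = (confidence >= self.min_confidence
                and total >= self.min_examples
                and action in AUTO_APPLY_ALLOWED)
        return action, confidence, auto

def prioritize(alerts, recommender):
    """Order alert ids: most critical asset tier first, then highest confidence."""
    def key(alert):
        _, confidence, _ = recommender.recommend(alert)
        return (TIER_RANK[alert["asset_tier"]], -confidence)
    return [a["id"] for a in sorted(alerts, key=key)]

# Constructed history of (alert, action the responder took).
PAST_INCIDENTS = (
    [({"type": "brute_force", "asset_tier": "tier1"}, "block_src_ip")] * 6
    + [({"type": "brute_force", "asset_tier": "tier1"}, "ignore")]
    + [({"type": "malware_beacon", "asset_tier": "tier1"}, "isolate_host")] * 3
    + [({"type": "malware_beacon", "asset_tier": "tier1"}, "reimage")]
    + [({"type": "port_scan", "asset_tier": "tier3"}, "ignore")] * 5
)

if __name__ == "__main__":
    rec = ActionRecommender().fit(PAST_INCIDENTS)
    queue = [
        {"id": "a1", "type": "port_scan", "asset_tier": "tier3"},
        {"id": "a2", "type": "brute_force", "asset_tier": "tier1"},
        {"id": "a3", "type": "malware_beacon", "asset_tier": "tier1"},
    ]
    for alert in queue:
        print(alert["id"], rec.recommend(alert))
    print("work order:", prioritize(queue, rec))
    # Two more analyst decisions push malware_beacon over the auto-apply bar.
    rec.observe(queue[2], "isolate_host")
    rec.observe(queue[2], "isolate_host")
    print("after retraining:", rec.recommend(queue[2]))
```

The gating deserves attention: a frequently seen but non-reversible step such as `reimage` or an `ignore` verdict is never applied automatically no matter how confident the model is, and a context with too few examples is only recommended, so the operational staff's own assessment stays in the loop exactly where the text says it should.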

About the author: Shawn Masters is Vice President of Solutions Engineering at Novetta Solutions. Shawn is responsible for driving new ideas and innovation across Novetta’s technical landscape so our customers get solutions that meet their needs and grow over time. Shawn learned the fundamentals of computational theory by playing with a Curta mechanical calculator as a small child. He has since parlayed that knowledge into a successful career of building computer systems that push boundaries and solve the problems left for dead by others. Over the last two decades he has designed and implemented supercomputers, new algorithms in digital forensics and cyber security, worked with signal processing in multiple domains (X-Rays, IR, audio and even visual), and questioned best practices whenever possible. Since 2004, Shawn has been doing all of these things for Novetta. Somewhere along the way Shawn received a BS in Electrical Engineering, and a whole lot of graduate credits from George Mason University.
