Machine learning is something of a buzz-word in the industry and is a frequent topic at conferences, in the media and during customer meetings – but is it the solution to all our security woes? Well, not yet – but there is potential for it to significantly help in some of the areas where we truly need it.
As a brief intro for those who haven't looked at the Wikipedia article, machine learning uses algorithms to examine data such that a system can be ‘taught' how to correctly classify, cluster, and perform outlier analysis or regression analysis on its inputs – without being explicitly programmed with the details of how to perform these actions. This seems unbelievable, but it works – although, as with anything, the devil is in the detail. The complexity is in ensuring you are using the right data in the right way, both to train and utilize your network, and in choosing the right algorithms. This is where the data-science comes in, which I am glad to say is outside the scope of this article.
Machine learning has seen significant success in the areas of speech recognition, computer vision, fraud detection, financial trading applications and predictive analysis around shopping, searches etc. – but what about security? In security, machine learning is being used in a number of areas, for example to identify whether files are malicious – and it is very successful.
Here, machine learning is giving us the ability to identify new malicious files and variants of malware that haven't been seen before, without having to linearly scale our staff of analysts as we increase the number of objects we analyze – it is giving us the ability to do something at ‘scale' which previously would have been much more labor intensive. And, the scale element is important because machine algorithms thrive on data – the more data they see, the more accurate they become – hence solutions that work this way often require customers to send objects to the cloud for analysis, concentrating data in one place.
Identifying malware in this way is one thing, but a significant proportion of incursions into networks no longer use malware – they simply use stolen (valid) user credentials to login to our environments, and this can be hard to identify. A similar problem exists in detecting post-exploit lateral movement, where an attacker has compromised a machine and is looking to ‘move' to find something of value within a network. In both cases the attacker is already inside our perimeter controls, conducting operations that could look normal to a cursory inspection, so how can we isolate these suspicious activities?
Technologies such Network Behavioral Analysis (NBA) have been around for over a decade and are all about identifying suspicious or malicious patterns of activity within our networks – but they haven't been broadly deployed. However, all that is changing as attackers increasingly circumvent our other defenses and as our environments become more open with the use of cloud, mobility, SaaS, etc. To manage our risk, we need a better view of what talks to what, when and how much – so that unusual patterns can be identified.
It is often said that people are very good at identifying patterns, especially if data is presented visually, and this is true – but there are limitations. People can only identify patterns within their temporal field of view – for example, if an analyst is presented with an unusual network communication at 10 a.m. and then another one pops up at 3 p.m., it is unlikely that the analyst would be able to correlate the two events as potentially linked. However, a computer can monitor an almost unlimited number of events over time without blinking. This is where machine learning has the power to identify suspicious activities that would otherwise have flown under the radar.
To identify patterns in network traffic, the first thing we need is good visibility of what is going on – layer 3 through 7 meta-data – derived from inspecting the packets moving across and around within our networks. Refining packets down to their salient characteristics reduces the storage and processing requirements for managing the information, and can allow the application various techniques, such as machine learning, to identify, for example, clusters of hosts that behave similarly – so that those that stray from their ‘herd' can then be identified.
Solutions are emerging that apply machine learning techniques to packet data, or meta-data derived from packet data, to identify outliers, clusters etc. So, does this mean we have solved our breach problem?
Unfortunately not. As an industry, security is just starting out with machine learning and we aren't there yet.
One big problem in security is that ‘people' take actions – no one trusts automated blocking except to counter the most obvious threats. And, incident responders usually like to understand ‘why' they are going to quarantine their CEO's laptop before they do so – to forestall the obvious phone call and barrage of questions.
How is this relevant to machine learning? Well, machine learning can tell us that some pattern of activity is suspicious – but unless the humans making a blocking decision can verify the efficacy of the detection, they won't trust it. This is what I call the ‘explainability gap', and is one of the key issues with machine learning's application to security at present.
Everyone knows that in security we already have too many events to deal with – what we need are ways of focusing our security teams on the highest priority ‘real' threats. If a detection is not easily provable then it becomes context. Machine learning may detect a threat, but whether we can act upon the detection is key. The explainability problem is surmountable, and as our ‘trust' grows in the capabilities of machine learning it will become easier to address. I have no doubt that in the next couple of years we will see solutions that can identify and demonstrate the validity of what they have detected. And, when we reach this point we will have learned how to use machine learning in security.