
How machine learning bolsters your security operations

Grant Bourzikas, CISO and VP, Data Science Applied Research, McAfee

In today's threat environment, most security operations centers (SOCs) are losing ground to adversaries. Attackers continue to up their game at a dizzying pace, while everyone else falls behind. Meanwhile, efforts to combat breaches are crippled by a severely understaffed cybersecurity industry.

Attackers are raking in huge profits with campaigns such as CryptoWall, a ransomware family that extorts bitcoin payments and has been estimated to have caused $325 million in damages. The Lazarus group, which has ties to North Korea, has been linked to the WannaCry attacks, thefts from banks through the SWIFT messaging system, and more.

Some nation-states are bent on obtaining intellectual property, appropriating confidential personal data, and launching acts of destruction. Global threat actors such as APT28, for example, are actively involved in cyber-espionage and other subversive activities against military and government organizations.

SOCs simply aren't winning the war, yet. Many rely on outdated, non-predictive tools and methods, such as traditional signature-based antivirus, which the author estimates misses more than half of threats. Even advanced detection techniques struggle with fileless malware, which runs in memory and abuses legitimate system tools rather than dropping an executable to disk, and with zero-day attacks that exploit application vulnerabilities for which no signature or patch yet exists.

For SOCs to gain the advantage, they need to challenge the current way of thinking. Today, most SOCs defend against attacks with products that collect alerts, count and sort them, and check for anomalies. They then use a security information and event management (SIEM) system to sift through mountains of their own log, event, and threat intelligence data.

That worked a decade ago, but today's sophisticated attacks can tamper with the very data those tools depend on before a defense can be mounted. Researchers expect that attackers will soon use machine learning to design their attacks, and adversarial machine learning to evade the detectors that try to spot them. Shouldn't SOCs be using the same tools to protect their organizations?

SOCs should leverage threat intelligence based on data—the same type that security researchers have access to—and not just indicators of compromise (IoCs). Here's how to make that happen in your organization.


Fuse data science into your security strategy

You need to integrate data science, which combines a number of disciplines (programming and hacking skills, mathematics and statistics, and subject-matter expertise), together with machine learning, including deep learning, into your organization's security strategy.

This is the future of security: you must include data science, and specifically machine learning, to make detection predictive rather than purely reactive.

Many forward-thinking security tool vendors have already embraced machine learning as a vital component of a data science–based architecture. But to work well, machine learning needs good data. A viable machine-learning model relies on a foundation of data integrity to detect outliers: if an attacker can influence what the model trains on, the model will learn the attacker's activity as normal.

The more relevant, reliable, and clean the data you have, the better the probability of blocking attackers through the use of machine-learning solutions.


Combine your own data with that of others

While IoCs can be useful, they are not rich enough on their own to support prediction. SOCs also need to analyze the data features present in their own environments.

Suppose the SOC receives an alert. If analysts used a machine-learning tool that looked at endpoint data and the features firing in their environment, they would learn a great deal.

These data features (including behaviors) could provide answers to important questions such as: Was the registry edited? If so, which key? Was there an outbound connection? Did it trigger an intrusion prevention system alert?

In an ideal world, SOCs could capture data features such as these from their own organizations, leverage data gathered from the entire global threat landscape, and apply machine-learning models to find things to investigate that are interesting and/or suspicious.


The benefits of a data-based methodology

This approach can help SOCs find new things in their environment that their current tools don't see. If SOCs can accomplish this, they will be able to:

  • Understand behaviors, hashes, or new patterns first seen in the wild to determine if their organizations are being targeted.
  • Track known campaigns to see if their organizations have been hit.
  • Monitor various threat actors and attack patterns to confirm that their organizations remain secure.
  • Do retrospective detection to see if anything in the environment that was originally unknown or good later turned bad.
  • Discover early warning indicators by using simple statistics and leveraging geographical and industry data to detect fluctuations in attack patterns.
  • Analyze and understand everything running in their environments using a machine-learning model, and investigate unknown items.
  • Assign risk scores or security ratings based on security posture data, operational data, financial data, and geographical data.
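The following Python sketch is an added example, not code from the article or from McAfee. It turns the endpoint questions raised above (was the registry edited, which key, was there an outbound connection, did the IPS fire) into boolean features, scores each event by how rare its active features are across a fleet baseline, and then does the retrospective check from the list above by re-scanning stored events against hashes that turned bad after the fact. The event format, feature names, hostnames, hashes and sample events are all constructed for illustration.

```python
"""Featurize endpoint telemetry, score rarity against a fleet baseline,
and re-scan history against late-arriving intel.

Added example, not the article's or McAfee's code. Event layout, feature
names and all sample data below are constructed.
"""
import math
import re
from collections import Counter

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RUN_KEY = r"\currentversion\run"  # autorun persistence location

# Constructed sample events, roughly what an EDR agent emits per process.
# Hashes are placeholders; 198.51.100.7 is a documentation (TEST-NET-2) address.
EVENTS = [
    {"host": "ws01", "proc": "outlook.exe", "sha256": "aa01", "reg_key": None,
     "dst": "outlook.office365.com", "ips_alert": False},
    {"host": "ws02", "proc": "chrome.exe", "sha256": "aa02", "reg_key": None,
     "dst": "www.example.com", "ips_alert": False},
    {"host": "ws03", "proc": "chrome.exe", "sha256": "aa02", "reg_key": None,
     "dst": "www.example.net", "ips_alert": False},
    {"host": "ws04", "proc": "teams.exe", "sha256": "aa04", "reg_key": None,
     "dst": "teams.microsoft.com", "ips_alert": False},
    {"host": "ws05", "proc": "setup.exe", "sha256": "cc33",
     "reg_key": r"HKLM\Software\VendorApp\Installed",
     "dst": "downloads.example.com", "ips_alert": False},
    {"host": "ws06", "proc": "notepad.exe", "sha256": "aa06", "reg_key": None,
     "dst": None, "ips_alert": False},
    {"host": "ws07", "proc": "svch0st.exe", "sha256": "dd44",
     "reg_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "dst": "198.51.100.7", "ips_alert": True},
    {"host": "ws08", "proc": "explorer.exe", "sha256": "aa08", "reg_key": None,
     "dst": "www.example.org", "ips_alert": False},
]


def featurize(ev):
    """Answer the article's questions for one event as boolean features:
    registry edited (and was it an autorun key), outbound connection (and
    to a bare IP rather than a hostname), and whether the IPS fired."""
    key = (ev.get("reg_key") or "").lower()
    dst = ev.get("dst") or ""
    return {
        "reg_write": bool(key),
        "run_key_write": RUN_KEY in key,
        "outbound": bool(dst),
        "outbound_to_ip": bool(IP_RE.match(dst)),
        "ips_alert": bool(ev.get("ips_alert")),
    }


def baseline(events):
    """Per-feature prevalence across the fleet: how many events show it."""
    counts = Counter()
    for ev in events:
        for name, on in featurize(ev).items():
            if on:
                counts[name] += 1
    return counts, len(events)


def rarity(ev, counts, n):
    """Sum of surprisal (-log p) over the event's active features, with
    Laplace smoothing so a never-seen feature is costly but finite.
    Features almost every host exhibits add ~0; rare ones dominate."""
    score = 0.0
    for name, on in featurize(ev).items():
        if on:
            p = (counts[name] + 1) / (n + 2)
            score += -math.log(p)
    return score


def rank(events):
    """Score every event against the baseline built from the same fleet and
    return (score, host, proc) tuples, most suspicious first."""
    counts, n = baseline(events)
    scored = [(round(rarity(ev, counts, n), 2), ev["host"], ev["proc"])
              for ev in events]
    return sorted(scored, reverse=True)


def retrospective_hits(events, newly_bad_hashes):
    """Retrospective detection: re-scan stored telemetry against hashes that
    were unknown or considered good when the events were first seen."""
    return [(ev["host"], ev["proc"]) for ev in events
            if ev["sha256"] in newly_bad_hashes]


if __name__ == "__main__":
    for row in rank(EVENTS):
        print(row)
    # Pretend intel later flags the installer hash "cc33" as trojanized.
    print("retrospective:", retrospective_hits(EVENTS, {"cc33"}))
```

Two things the sketch makes visible that the prose does not. First, the installer on ws05 scores low at the time (a registry write plus an ordinary outbound connection is not unusual), so only the retrospective re-scan catches it once its hash turns bad; that is why stored telemetry matters. Second, here the baseline is built from the same eight events being scored, which is fine for a demonstration but in practice the prevalence counts should come from fleet-wide or global data, as the article suggests, so that a single compromised host cannot make its own behavior look common.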

Learning what you don't know

The security industry already does a good job of blocking the known bad and allowing the known good. Where SOCs need help is the gray area in between: separating signal from noise so they can gain insight during investigations and take appropriate action.

SOCs should look at how they can make optimal use of machine-learning models by training them with datasets that might be different from what they typically use.

Of course, the quality of the data matters. And it certainly is advantageous to hire experts who know how to apply data science to the security function. With the right approach, you can win.

Grant Bourzikas presented at RSA Conference 2019 on this topic. His presentation slides will be available soon.
