A recurring claim at security conferences is that ‘security is a big data / machine learning (ML) / artificial intelligence (AI) problem’. This is unfortunately wildly optimistic, and wrong in general. While certain security problems can be addressed by ML/AI algorithms, in general the problem of detecting a malicious actor amidst the vast trove of information collected by most organisations is not one of them.
Our faith in AI is based on personal experience (‘everything cloud is big data and good’) and the memes of the consumerisation era. It is tempting to project this optimism into an enterprise context: The idea that it ought to be possible to sift through large amounts of data to find signs of an attack or breach is intuitively reasonable. Moreover, every IT pro managing systems at scale is aware of the value of sophisticated tools that help them to pick through large volumes of data to find relevant information to aid trouble shooting and even security investigations.
First generation tools such as SIEM systems (Security Information and Event Management) gave security teams a new way of correlating events and triaging large volumes of noisy data. Solutions emerged that borrowed the approach of Google to index logs and alerts, adding powerful search and manipulation capabilities to allow teams to be ever more effective in finding faults and security violations. These tools have helped security teams enormously, but still leave two challenges: vast amounts of data of unknown value that we don’t know when to discard; and the nagging worry that the security team may have missed a needle somewhere within the haystack – ie a concern that the algorithms may be imperfect and miss the bad guy anyway.
Is machine learning the answer to the security problem? Again, this is an imprecise statement of the problem and the potential set of solutions. In this piece I want to focus on attack detection. In this domain we need to ask two questions: Can an algorithm reliably find the needle in the haystack (the tiny differences from ‘normal’ behavior that might be indicative of an attack)? Second, can such an algorithm increase our confidence in the absence of an attack – effectively enabling us to be sure that there would be no loss if we discard the haystack of data representing the organisation’s normal activity? AI and ML are broadly viewed as magical technologies that will transform human experience. It’s an enormously seductive idea. We’ve all experienced the power of machine learning systems in Google search, the recommendation engines of Amazon and Netflix and the powerful spam filtering capabilities of web-mail providers such as G-Mail and Outlook. Former Symantec CTO Amit Mital once said that machine learning offers one of the ‘few beacons of hope in this mess’.
But it is important not to succumb to hubris. Google’s fabled ability to identify flu epidemics turned out to be woefully inaccurate and, while the domain of cyber security is characterised by weak signals and a huge number of variables to track, intelligent actors have a large attack surface to exploit. Unfortunately there is no guarantee that using ML/AI will leave you much better off than before – which is relying on skilled experts to do the hard work. Unfortunately that has yet to stop the marketing spin.
What is Normal?
It is important to remember there is no silver bullet in security, and there is no evidence at all that tools such as ML and AI can solve the problem. ML is good at finding similarities between things (such as spam emails), but it is not so good at locating anomalies. In fact, any discussion of anomalous behavior presumes that it is possible to describe normal behavior. Unfortunately, decades of research confirm that human activity, application behavior and network traffic are all heavily auto-correlated, making it hard to understand what activity can be categorised as ‘normal’. This gives malicious actors plenty of opportunity to ‘hide in plain sight’ and can even give them the opportunity to train the system to believe that malicious activity is normal.
The Difference between Trained and Untrained Learning
Any ML system must attempt to separate and differentiate activity based either on pre-defined (ie trained learning) or self-learned classifications. Training an ML engine using human experts seems like a great idea, but assumes that the attackers will not subtly vary their behaviour over time in response. Self-learned categories are often impossible for humans to understand. Unfortunately, ML systems are not good at describing why a particular activity is inconsistent with normal behaviour, and how it is related to others. So when the ML system delivers an alert, security teams still have to do the hard work of understanding whether or not it is a false positive, before trying to understand how the anomaly is related to other activity within the system.
Is it Real?
There is a quite a big difference between being happy when Netflix recommends a movie you like, and expecting it to never recommend a movie that you don’t. So while applying ML to your security feeds might deliver some helpful insights, you cannot rely on such a system to reliably deliver only valid results. In the cyber security industry, the difference is cost, time spent understanding why an alert was triggered and whether or not it is a false positive. Ponemon research estimates that an archetypal large enterprise spends up to 395 hours per week processing false alerts – a cost of approximately $1.27 million per year. Unfortunately, organisations also cannot rely on a ML system to find all anomalies, so there is no way to know if an attacker may still be lurking within network, and therefore no way to know when to throw the data away.
Experts are Still Better
Cybersecurity is a field where human expertise will always be needed to pick through the subtle differences between anomalies. Rather than waste money on the unproven promises that ML and AI-based security technologies are promoting, it is wiser for companies to invest in experts, and in tools that enhance their ability to quickly search for and identify components of a new attack. In the context of endpoint security, an emerging category of tools that Gartner calls ‘Endpoint Detection & Response’ play an important role in equipping security teams with real-time insight into indicators of compromise on the endpoint. Here, both continuous monitoring and real-time searches are key.
ML Cannot Protect You
One final word of caution: As obvious as it may be, post-hoc analysis of monitoring data cannot prevent a vulnerable system from being compromised in the first place. Ultimately, we need to swiftly adopt technologies and infrastructure that is more secure by design. By way of example, segmenting the enterprise network and placing all PCs on a separate routed network segment, and making users authenticate in order to access privileged applications makes it much harder for malware to penetrate and move sideways in the organisation. Virtualization and micro-segmentation take this a step further, restricting the flow of activity within networks and making applications more resilient to attack. Overall, good infrastructure architecture can make the biggest difference to an organisations security posture – reducing the size of the haystack and making the business of defending the enterprise much easier.
Simon Crosby is CTO and co-founder at Bromium