How to evaluate Machine Learning in cybersecurityThursday, September 28, 2017
Machine learning may well be the talk of the town right now, but how much should your buying decisions be based on it? We take a look at the pros and cons...
The major promise of machine learning in a security context is that the technology offers the opportunity for detecting entirely new, unknown threats by distinguishing atypical from typical behavior, against a background of a wide variety of correlating data points.
The volume of data collected by security teams is rocketing - ESG research indicates that 38 percent of organizations collect, process and analyze more than 10 terabytes of data as part of security operations each month, for example, and the volumes keep increasing. Twenty-eight percent of organizations say they collect, process, and analyze substantially more data today than two years ago, while another 49 percent of organizations collect, process and analyze somewhat more data today than two years ago.
Under this welter of data from a diverse range of sources including firewall logs, log data from other types of security devices, log data from networking devices, data generated by antivirus tools, user activity logs and application logs, security teams are in desperate need of respite. It is in processing this data that machine learning and AI holds significant promise.
However, the road to this mechanised utopia still has one major stumbling block, in that the machine learning algorithms must be trained on large volumes of correctly labelled data in order to distinguish typical activity from potentially malicious. This requires lots of human input to check that the data is accurate, as well as keep an eye on the weightings that are being assigned.
A recent report from analyst firm Frost and Sullivan summarised the benefits of machine learning: “The constant evolution of cyber security threats has forced security providers to improve existing solutions and embed innovative technologies to propose alternative approaches. Machine learning provides a new avenue to follow. The cyber security industry is often a step ahead in testing new technologies, approaches, concepts or algorithms. The idea is to minimize the attacker’s advantage and anticipate future cyber attacks in order to decrease the strength of the “asymmetry of cyber war.” With machine learning, cyber security providers could better optimize counterattacks based on approved algorithms.”
So, what factors should companies consider when implementing machine learning?
A good starting point is to look at and evaluate the outcome, and not get hung up on the ingredients. Ilia Kolochenko, CEO of High-Tech Bridge, said: “First of all, the companies need to understand why and what they are implementing machine learning for. It's a very hot and popular topic today, but if a company does not have a clear vision of its direct benefits (e.g. cost cutting or speed increase), machine learning is not only useless but can also be harmful. Also, machine learning can be quite expensive due to required processing and storage capacities, and sometimes classic algorithms can solve a task in a much less expensive way than machine learning. Therefore, if you efficiently and effectively solve your current problems without machine learning - continue to do so.”
Just because machine learning is the latest buzzword - and indeed may be in active use by attackers themselves - there is no need to achieve a doctorate in data science to evaluate ML-based products. The detailed risk assessment you’ll have done and updated many times over, based on your business sector, digital and physical assets, etc, gives you the key to asking the right questions of any vendor, whether AI/ML or not. Simply ask the questions that address the highest risks to your organization.
Another key technique in choosing the best ML implementation for your company is to ensure that security vendor claims are validated in a proof of concept (POC) trial. A properly-structured trial will help any business determine the technology that best suits their needs, and must form part of a solid due diligence procedure of research, vetting and testing before deployment.
Kolochenko has the last word: “Machines also make mistakes, and can only be as good as humans are. The real advantage of machine learning in cybersecurity is that it can analyse big data and make usable conclusions much faster than a human security analyst. However, we should not expect miracles from machine learning, and remember that it's impossible without smart people.”
High-Tech Bridge’s ImmuniWeb Application Security Testing Platform leverages a machine learning technology for intelligent automation of web vulnerability scanning. Complemented by human intelligence, it detects the most sophisticated web application vulnerabilities and comes with a zero false-positives SLA.