Is machine learning hampering security?
Machine learning anomaly detection has been hyped as the answer to increasingly ineffective signature AV solutions. Yet it often makes the security analyst's job more difficult.
So says Alex Vaystikh, CTO and co-founder of SecBI, who adds: "If machine learning is pure anomaly detection, it creates many alerts, most of which are false positives and without context. If you simply deploy a solution to find out if something abnormal is taking place, you're going to get thousands of alerts. This forces the analyst to look at more incidents and actually work harder than before."
Not all equal
This is compounded, he says, by the fact that not all algorithms are created equal. "Compare search engines by Google and Bing, and you'll find that the difference in search results is due to the respective strengths of the algorithms used. In cybersecurity, it takes years of research to develop algorithms that are optimised to help security analysts do their jobs more effectively."
Similarly, there is more than one type of machine learning, he says. "Much of what the industry refers to as machine learning is really 'supervised' machine learning, which is based on manual human feedback. In the cyber arms race, evolution happens in milliseconds, making the supervised approach not only inaccurate but also unscalable and human-dependent."
'Unsupervised' machine learning, on the other hand, doesn't merely detect anomalies; it investigates them to find out whether they are indicative of an attack. It then groups together all related evidence so the analyst doesn't have to spend hours digging through data, he explains.
Threat landscape visibility
To combat threats effectively, Vaystikh says several steps are required. "The business needs visibility into what is happening in the threat landscape; the tools to analyse what is observed there; and the ability to take action. Automation is key, but a machine that can monitor all of those intrusion vectors and summarise the findings, instead of just raising the flag whenever an anomaly is detected, is what is really needed."
He cites the analogy of a home security camera. "I recently bought a new one. Its algorithm is much, much better than the one the company was using even a year ago. The old one would alert me every single time there was an indication of possible motion or sound. I'd get thousands of intruder alerts every day."
However, he says his new home security camera is able to learn. "It can identify a car, a dog barking, a familiar face and suchlike, which is enormously helpful, because it can be told to alert me to cars or unfamiliar faces, but not to dogs.
"Recognising faces is machine learning but alerting me every time there's a movement is just anomaly detection with no learning. It floods me instead of focusing me," he explains.
When it comes to cyber security, Vaystikh says there are three common mistakes businesses make. "Everyone agrees that we need authentication and authorisation on critical actions being conducted by users on data. However, if I authenticate into an organisation when working remotely, then, from that point on, I have complete access to the kingdom, all because I've been authenticated once."
The majority of businesses understand that authenticating to the VPN is not enough - you have to authenticate to the data. "But all they do to correct it, is to make you authenticate again. We see many CISOs making this mistake."
He cautions against confusing authentication with authorisation, and not to give employees access to everything. Enforce principles of least privilege and give employees access only to what they specifically need to do their jobs.
Secondly, he says many organisations are unaware of the complete attack surface. "For example, if a hacker finds a vulnerability in a smart printer connected to the network, he then has access to the network, and everything on it. But how many CISOs think to monitor a printer?
"If there is something important you want to monitor, you need to monitor all the ways that it might possibly be accessed," he concludes.