By Byron V. Acohido
The essence of “machine learning” is that ML is perfectly suited to extracting value from large sets of data.
Thus, whether you realize it or not, ML has come to intersect with just about every aspect of daily living. ML today is used pervasively to profile our online behaviors. When we search for something on Google, make a purchase on Amazon, stream a movie from Netflix, post to Facebook, or Tweet, all of that data is stored and analyzed. And now ML advances are being applied to vehicle and driver data to rapidly steer us (pun intended) towards everyday dependence on driverless vehicles.
But there is another arena where one would expect ML to be making a much larger impact than it has to date: cybersecurity.
Related article: 2018 – Year of the CISO
Consider this: the typical corporate IT system is a sprawling amoeba generating large sets of data, minute-by-minute, day-by-day, from dozens of disparate systems. Hidden in this tumult of network logs are the fingerprints of threat actors actively stealing and disrupting – or getting into position to do so.
Solving ‘hit-and-miss’
Thankfully, ML has recently arisen as a hot buzzword in cybersecurity. A thriving cottage industry of innovators, backed by astute venture capitalists, are bringing ML to bear on various aspects of detecting and deterring network intruders. I’ve talked to a handful of them. I had the chance to visit with Kumar Saurabh, co-founder and CEO, of LogicHub, at the Black Hat 2017 cyberssecurity conference at the Mandalay Bay conference center in Las Vegas.
Saurabh and Monica Jain, LogicHub co-founder and CPO, met when they both worked at ArcSight, prior to that prominent SIEM vendor getting acquired by Hewlett-Packard for $1.5 billion. They fixated on how information sat locally in disparate systems making it cumbersome to do analysis.
SIEMs are designed to bring threat data together, but the vast amounts of data coupled with steep data storage costs, made breach detection a hit-and-miss proposition. So the co-founders set out to apply ML toward dramatically improving the success rate of breach detection in a cost-effective way.
They identified a bottleneck in company Security Operations Centers (SOCs) where, all too often, security analysts were consumed doing tedious, base level sifting.
Saurabh and Acohido
“Security teams have a really hard job trying to figure out the 10, 20 or 50 things they really need to act on a daily basis, while the amount of data they must deal with is literally in terabytes and hundreds of gigabytes,” he told me. “Trying to do this manually doesn’t go very far, but with automation, we think you can increase the productivity and effectiveness of these security teams and their effectiveness by a 100X or more.”
Freeing humans
LogicHub tapped into the essence of ML, which is this: machine learning refers to giving computers access to mountains of data, along with a set of analysis criteria crafted by humans. The computers can then run calculations, at machine scale, and thus incrementally deliver better and better results the deeper they get into the data set.
Meawhile, humans – freed from the tedium of making base-level calculations — can stand by to observe the results and tweak the criteria to help the machines improve how well they learn. That’s an oversimplification, of course.
To illustrate, Saurabh supplied the case study of a director of information security at a large university who was tasked with sorting out legit network logons from potentially malicious logons. LogicHub supplied a system that kept close track of a number of variables, such as geographical location, the university’s events calendar and even whether the person associated with the logon had recently demonstrated a penchant for falling for phishing scams.
This allowed the security officer to triangulate suspicious logons and shut down some accounts in an automated fashion, while in other cases taking steps to contact users before cutting off access. “When you are a security team of one or two, and you have 15 other things to do, this would never happen and it creates a very high risk that the university will get compromised,” Saurabh says. “And this is where automation comes in because it enables a team of two to do what would typically take a team of 15 or 20 to do.”
10-year horizon
As a start-up, LogicHub is aiming to get traction in large enterprises that already have full-blown SOCs; senior execs at these big companies now recognize the value of freeing up security analysts to focus on higher-end forensics work.
I asked him how long it might take ML technologies to make a material difference in the general defense of business networks – and whether he expects the benefits to tickle down to small and mid-sized organizations. His frank answer: 10 years, minimum.
“In the next couple of years, some of the really large enterprises will adopt security automation technology. As the bigger companies adopt it, the products get more and more mature and requires less and less work to deploy, and the smaller companies will take advantage along the way through managed security service providers.
“But the thing is, the threat landscape is so broad and so constantly changing. It truly is an arms race between the adversaries and the defense technologies. So adversaries are going to get smarter and the defense technologies will have to keep getting better. I can easily see this continuing to evolve for at least 10 years, if not more, because the problem is really hard.”
Sounds about right. That said, I’m encouraged that we’re moving in a positive direction. For a deeper drill down, please listen to the accompanying podcast.
