Intelligent CIO Europe Issue 15 - Page 56

FEATURE: MACHINE LEARNING ////////////////////////////////////////////////////////////////////////// MANY CYBERSECURITY PROBLEMS CANNOT BE SOLVED WITHOUT MACHINE LEARNING. to any system that performs tasks having some semblance of automated decision-making. Deep Learning Derek Lin, Chief Data Scientist, Exabeam legitimately claimed as AI. The audience was encouraged to look beyond the marketing spin and find out what’s really being offered. I’m glad to see the hype cycle has reached its peak. It’s a healthy sign that security practitioners are asking the right questions and demanding to know what constitutes reality. In order to ask the right questions, let’s start with a correct understanding of the terminology. Despite all the marketing messaging, for many of us it isn’t always clear what some terms may mean. This is all the rage today. As with AI, Deep Learning evokes an air of sophistication, but it’s also subject to misunderstandings. As a tool within Machine Learning, Deep Learning is highly dependent on matching the right problems to the right tools. Machine Learning. Consider phishing scam domain detection. In this instance, the URLs, WHOIS data, other properties, as well as the known (legitimate or malicious) labels of URLs are examined in a supervised learning setting to predict whether a domain is malicious. It does so without resorting to conventional, but less effective, blacklist-based matching. Peer behind the messaging and examine what’s under the hood Deep Learning applications are best suited in the image processing and natural language processing fields. In cybersecurity, it has found a home in packet stream and malware binary analysis. These benefit most from supervised learning, when labelled (i.e. legitimate vs. malicious) data is available. The cybersecurity marketplace is buzzing with AI and ML terminology. This isn’t surprising as data-driven approaches do lead to exciting applications that were never possible before. That said, it’s all too easy to get confused and thus, lost in the hype. But for insider threat detection, DL doesn’t enjoy wide adoption for several technical reasons. One is the black box nature of the model, where it’s impossible to explain the causes of the alerts. This renders investigations difficult. It’s important to question what the problems or use cases being framed are and which analytical approaches are being used and why. Transparency and a thorough understanding of the terms and their use cases will help you demystify the hype. n Artificial Intelligence Machine Learning AI is often misunderstood and not everyone agrees on its meaning. The term Artificial Intelligence first appeared in the 1950s to describe systems comprising a set of human-defined, if/then decision rules – which have always been easily broken and hard to maintain. For example, static correlation rules that raise alerts – used in traditional security information and event management (SIEM) – cannot learn and adapt. This results in a high number of false positives. Such AI systems appear to be intelligent in their decision- making because they make decisions. But in reality, they’re 100% predetermined (based on static rules) and are drafted by humans. But the word ‘intelligence’ has stuck with the public since AI’s introduction. Why not? It sounds cool. Yet today AI is often little more than a catchy marketing label, liberally applied 56 INTELLIGENTCIO Machine Learning is often expressed in the same breath as AI, but ML is more specific. To learn from collected data, it uses algorithms for prediction, classification and insight generation. With Machine Learning, a formal body of methods are grounded in solid mathematical foundations. Applied to cybersecurity, the right problems must be matched with the right ML tools. But not all problems require advanced ML tools. For example, some popular indicators used in user behaviour analytics (UBA) are based on simple statistical analysis, such as p-value hypothesis testing used for rare event detection. On the other hand, many cybersecurity problems cannot be solved without Sascha Eder, Chief Operations Officer, NewtonX