INTELLIGENT ENTERPRISE SECURITY

Blending machine learning with security practices

Balancing the role played by machine learning and human-driven security practices will be critical ahead, elaborates Raj Samani at McAfee.

Raj Samani is Head of Strategic Intelligence at McAfee.
In relation to cybersecurity, machine learning has been changing the game as a means of managing the massive amounts of data within corporate environments. However, machine learning lacks the innately human ability to creatively solve problems and intellectually analyse events. Machine learning makes security teams better, and vice versa. Human-machine teams deliver the best of both worlds.
While machine learning can detect patterns hidden in data at rapid speeds, its less obvious value is providing enough automation to give humans the time to initiate creative responses when the right response is less obvious. Optimising the human and machine elements for what each does best makes the relationship between them easier to evaluate.
The process of security researchers analysing malware to develop signatures is still important, but only as a capability to address the large volume of known malware, because it cannot be expected to evolve quickly enough to meet the rapid pace of malware being introduced to the wild.
Machine learning becomes the fastest way to identify new attacks and to push that information out to endpoint security platforms. The key differentiator in incorporating machine learning into endpoint security is the amount of relevant data consumed by the algorithms.
Machine learning manifests itself in multiple ways in helping save the security team’s time and energy:
Optimising user experience
Machine-learning algorithms feed information to the endpoint about file attributes that indicate the presence of malware. These attributes may be related to type, size and source, as well as header anomalies and detected sequences of operating system calls. A quick scan before execution allows security to perform its preliminary triage without souring the user experience.
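As an added illustration of the pre-execution triage described above (example code written for this article, not McAfee's or the author's), the following Python checks the file attributes the text names: declared type versus actual content, size, source and a header anomaly. The magic-byte table, the thresholds, the scoring and the `build_pe` helper that constructs a minimal (non-functional) PE header are all assumptions chosen for illustration.

```python
"""Pre-execution triage on file attributes: type, size, source and header
anomalies. Added example; all thresholds and names are assumptions."""
import struct

# Small constructed table of magic bytes -> file kind.
MAGIC = {
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}
# Which content type an extension claims to be (constructed subset).
EXT_TO_TYPE = {"exe": "pe", "dll": "pe", "pdf": "pdf", "zip": "zip", "docx": "zip"}
UNTRUSTED_SOURCES = {"email", "download"}   # assumed source labels
MIN_PE_SIZE = 1024                          # assumed size threshold


def sniff_type(data: bytes) -> str:
    """Identify the content type from leading bytes, not from the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def pe_header_anomalies(data: bytes) -> list:
    """Cheap header sanity checks on a DOS/PE stub (assumed checks)."""
    if len(data) < 0x40:
        return ["truncated DOS header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of PE header
    if e_lfanew + 4 > len(data):
        return ["e_lfanew points outside the file"]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return ["missing PE signature at e_lfanew"]
    return []


def triage(name: str, data: bytes, source: str) -> dict:
    """Return a verdict (allow / scan / block) and the reasons behind it."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    declared = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_type(data)
    reasons = []
    if declared != "unknown" and actual != "unknown" and declared != actual:
        reasons.append(f"extension claims {declared} but content is {actual}")
    if actual == "pe":
        reasons += pe_header_anomalies(data)
        if len(data) < MIN_PE_SIZE:
            reasons.append("suspiciously small executable")
        if source in UNTRUSTED_SOURCES:
            reasons.append(f"executable arrived via untrusted source: {source}")
    score = min(100, 30 * len(reasons))            # assumed weighting
    verdict = "block" if score >= 60 else ("scan" if score > 0 else "allow")
    return {"file": name, "type": actual, "score": score,
            "verdict": verdict, "reasons": reasons}


def build_pe(valid: bool) -> bytes:
    """Constructed minimal DOS header plus PE signature; not a real program."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    if valid:
        struct.pack_into("<I", hdr, 0x3C, 0x40)    # PE header right after stub
        return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 2000
    struct.pack_into("<I", hdr, 0x3C, 0x10000)     # bogus offset past the end
    return bytes(hdr) + b"\x00" * 100


if __name__ == "__main__":
    for name, data, src in [("report.pdf", b"%PDF-1.4 sample", "email"),
                            ("invoice.pdf", build_pe(True), "email"),
                            ("setup.exe", build_pe(True), "local"),
                            ("tool.exe", build_pe(False), "download")]:
        print(triage(name, data, src))
```

Because the verdict is derived from attributes rather than from a signature, the same function treats a renamed executable and a malformed header the same way regardless of whether the sample has been seen before; a real endpoint would feed many more features than these four into its model.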
Flagging suspicious behaviour
Once the programme is running, machine learning on the endpoint monitors behaviour for signs of an attack. This runtime detection is keyed by information on attack tactics, again uncovered by machine-learning analysis of malware samples in the datacentre. While pre-execution checks file attributes to make a malware decision, runtime execution requires knowledge of specific actions attackers are likely to use.
For example, ransomware can render your files useless in less than a minute. Machine-learning analysis of ransomware attacks may uncover timing and access patterns of file shares that would indicate an attack is underway, allowing endpoint security to stop the threat before all files are encrypted.
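The runtime side of the ransomware scenario, as an added example rather than anything from the article or McAfee: a sliding-window heuristic over constructed file-share access events that raises an alert when one process writes or renames an unusual number of distinct files within a few seconds, which is the timing and access pattern the text refers to. The event format, the window length, the thresholds and the "suspicious" extensions are assumptions for illustration; a learned model would set those boundaries from data rather than by hand.

```python
"""Flag a process whose write/rename rate across many distinct files on a
share looks like mass encryption. Added example; thresholds are assumed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0     # assumed sliding window
MIN_EVENTS = 20           # assumed: modifications inside one window
MIN_DISTINCT = 15         # assumed: distinct paths inside one window
SUSPICIOUS_EXT = (".locked", ".enc", ".crypt")   # constructed examples
MODIFYING = {"write", "rename", "delete"}


def synthetic_events():
    """Constructed events: (timestamp_seconds, process, action, path)."""
    events = []
    # Benign backup job: steady but slow, one file every five seconds.
    for i in range(30):
        events.append((i * 5.0, "backup.exe", "write", f"\\\\share\\docs\\b{i}.bak"))
    # Ransomware-like job: write then rename each file, five files a second.
    t0 = 100.0
    for i in range(25):
        events.append((t0 + i * 0.2, "evil.exe", "write",
                       f"\\\\share\\docs\\f{i}.docx"))
        events.append((t0 + i * 0.2 + 0.05, "evil.exe", "rename",
                       f"\\\\share\\docs\\f{i}.docx.locked"))
    return sorted(events)


def detect_mass_modification(events):
    """Return {process: alert} for the first window that crosses thresholds."""
    windows = defaultdict(deque)      # process -> deque of (ts, path, action)
    alerts = {}
    for ts, proc, action, path in sorted(events):
        if action not in MODIFYING:
            continue
        win = windows[proc]
        win.append((ts, path, action))
        while win and ts - win[0][0] > WINDOW_SECONDS:   # drop stale events
            win.popleft()
        if proc in alerts:
            continue                   # already raised; keep the first alert
        distinct = {p for _, p, _ in win}
        odd_renames = sum(1 for _, p, a in win
                          if a == "rename" and p.endswith(SUSPICIOUS_EXT))
        if len(win) >= MIN_EVENTS and len(distinct) >= MIN_DISTINCT:
            alerts[proc] = {
                "process": proc,
                "at": ts,
                "events_in_window": len(win),
                "distinct_files": len(distinct),
                "suspicious_renames": odd_renames,
            }
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(synthetic_events()).values():
        print(alert)
```

The backup job touches more files overall than the malicious one, but never more than a handful inside any ten-second window, so only the burst is reported; the alert fires after the twentieth event, well before the remaining files are touched, which is the point of blocking on pattern rather than on completion.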
Investigation and response data
Helping security teams respond to an incident, machine learning can identify suspicious connects and create alerts based on equations. In this case, security analysts need precise information on the threat, such as files touched, registry changes, server connections and others.
INTELLIGENT TECH CHANNELS, Issue 11