Skip to content

Trusting machines to defend against humans

An Advanced Persistent Threat has successfully installed malware on one of the development servers in your network. Maybe one of your engineers clicked on a phishing link? Maybe they hacked in through some vulnerability in your firewall? Maybe it’s an insider who snuck in a USB stick loaded with the program?

That doesn’t matter now. All you can think of is your intellectual property. All of the code you have invested thousands of hours and millions of pounds into is on those servers. You scramble to put together a team to investigate this. Meanwhile the attackers start looking through all that valuable code on the server.

You desperately try to identify the compromised machine and shut it down. You struggle to find it. Should you just pull every plug now? The disruption would cost a fortune, effectively leaving all of your 135 developers unable to work. Meanwhile, the attacker silently disappears back into the internet. They achieved their objective.

man versus machine

There are inherent limitations when it comes to securing a network using a human security team. People are expensive. Salaries are almost certainly the largest chunk of your budget, because you pay more for skilled people who know the current state of the threat landscape and can adapt as it shifts.

They must also sleep, take holidays and sometimes fall ill. 24/7 monitoring is key to ensuring you are protected from attackers who are never off the scene, but achieving this with a human team is prohibitively expensive for many organisations. And there is still a risk of something being overlooked or an undetected insider threat.

In the world of security, defenders are at a distinct disadvantage. In our new world, we face an avalanche of increasingly sophisticated threats. The devices on our corporate networks are increasingly heterogeneous and may not even be entirely managed by us.

In the face of all that, we have to be secure all of the time. From John in Accounting who needs to avoid clicking on that funny-looking link; to Sara in development who has to mitigate against SQL injection vulnerabilities in her code. Threat is persistent and pernicious.

Your attacker only has to be lucky once

Often, attackers can be inside a system without your knowledge for months. In 2020, a supply chain attack on Solarwinds Orion (dubbed ‘Sunburst’) affected at least 200 organizations worldwide. Most notably, attackers had access to the systems of the US federal government for eight to nine months.

While the idea that an attack could go unnoticed is horrifying, there are steps that can be taken to mitigate risk. In the world of cybersecurity there is a new concept emerging which aims to support organizations in their fight against existing and emerging threats. Defense through machine learning.

Machine learning (ML) is already revolutionizing many industries, and is starting to become more prevalent in the cybersecurity industry. The key question we hope to answer is ‘why?’

Why should you use ML-based solutions in your security management? And why should you choose them instead of or alongside more traditional solutions?

AI is faster than humans

As you type, user inputs from a keyboard are transferred over a wired or wireless connection, decoded and mapped to a specific letter. All within milliseconds. Computers are astonishingly fast, and can make decisions at the speed of light.

Humans find traversing and analyzing large data sets laborious, and sometimes impossible. We are great at being creative and solving problems, but computers are way better at maths. This is useful to apply in cybersecurity, because we can hand the tedium of searching our log files or network traffic over to ML.

Then, once an anomaly is detected in the data, we can hand it back to a person who can investigate it further and determine what actions need to be taken. This idea is called anomaly detection, and was originally proposed for application to Intrusion Detection Systems (IDS) in 1986 by Dorothy Denning, an American security researcher.

Instant detection, instant response

In more modern applications of ML to cybersecurity, decisions can be made by the computer in order to provide an instant response to anomalies.

For example, if we detected that credentials that belong to an employee based out of a London office were suddenly being used by someone using a residential IP address in Kolkata, something fishy is probably happening. In response to this anomaly, we could automatically shut down the connection and block them before they try to escalate privilege.

This, of course, could be done by a person looking at graphs and log files, but in a large organization (or a small one with a large IT inventory), you’re going to need a lot of people. The key thing to note here is that we aren’t using a traditional approach of defining and detecting ‘misuse’, we’re constantly analyzing data to define what can be considered ‘normal’ and then detecting things that significantly differ from that.

This is a really great advantage to applying ML techniques to cybersecurity.

Adapting to unknown threats and new environments

ML is designed to adapt. That’s the great thing about it, and why it’s becoming so widespread in its use from learning about user activity to tailor content to them (think Netflix and YouTube), to identifying different types of plant species and performing speech recognition.


Leave a Reply

Your email address will not be published.