
Q&A: How does machine learning help security analytics?

With the exponential growth in the volume of information that a business generates and stores every day, security professionals are increasingly turning to machine learning to analyse reams of data to detect unexpected events and potential threats. Security teams are embracing data science to help them fight the faster evolving threats faced by businesses today. LogRhythm threat research engineer Andrew Costis explains how machine learning helps security analysts.

By John Oates

Mon 4 Sep 2017 @ 9:28

What can machine learning bring to security analytics?

Better security relies on big data – the more you know the safer you can be. But the bad guys rely on the volume of data that businesses create and process to hide their behaviour and keep threats undetected until they are activated. Dealing with this data in real-time can help keep systems safe.

Intelligent systems can consider a variety of threat intelligence sources while also scanning network traffic and user behaviour. Systems can then spot the unusual – whether that is user behaviour or an individual machine sending or receiving more data than usual and take immediate action to isolate that user or machine before a breach becomes a serious data breach.

Behavioural profiling needs a complex understanding of statistics and algorithms. Artificial intelligence (AI) [under which machine learning sits] can help make this usable by security staff without them needing a master's degree in data science.

How do these systems work out of the box?

Even though some solutions come with pre-packaged threat profiles, the real magic of these systems is their ability to learn about the unique fingerprint of your network and the behaviour of your users. Once a baseline has been created, the systems are better able to spot behaviour that is out of the ordinary and therefore suspicious.

This creates a situation where false positives are reduced while maintaining a proactive security posture. Such systems are also easy to configure depending on an organisation’s risk profile and compliance requirements.
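An added illustration of the baseline-then-deviation idea described in the two answers above; this is example code, not the interviewee's words and not LogRhythm's product logic. Per-host daily byte counts are constructed inline, a robust median/MAD baseline is learned for each host, and a new day whose volume is far outside that host's own norm is flagged. The host names, byte values and the 3.5 score threshold are assumptions.

```python
"""Baseline-and-deviation check over constructed per-host transfer volumes.

Added example (not from the article): learn each host's usual daily bytes
sent from a history window, then flag a new day that is far outside that
host's range using a robust median/MAD score, which keeps a few unusual
days in the window from distorting the baseline.
"""
from statistics import median

# Constructed sample: daily bytes sent per host over a 7-day learning window.
HISTORY = {
    "ws-011": [210_000, 195_000, 230_000, 205_000, 220_000, 198_000, 215_000],
    "db-02": [5_100_000, 4_900_000, 5_300_000, 5_000_000,
              5_200_000, 4_950_000, 5_050_000],
}

# Constructed new-day totals: ws-011 sends about 20x its norm, db-02 is normal.
TODAY = {"ws-011": 4_400_000, "db-02": 5_150_000}


def baseline(values):
    """Return (median, MAD) for one host's history (MAD = median absolute deviation)."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def modified_zscore(value, med, mad):
    """Robust z-score: 0.6745 * (x - median) / MAD.
    A zero MAD means the history was constant, so any deviation counts as extreme."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def flag_anomalies(history, today, threshold=3.5):
    """Return {host: score} for hosts whose new-day volume exceeds the threshold."""
    flagged = {}
    for host, value in today.items():
        if host not in history:
            continue  # no baseline yet for this host, so it cannot be scored
        med, mad = baseline(history[host])
        score = modified_zscore(value, med, mad)
        if score > threshold:
            flagged[host] = round(score, 1)
    return flagged


if __name__ == "__main__":
    print(flag_anomalies(HISTORY, TODAY))  # {'ws-011': 282.6}
```

A host with no history is skipped rather than scored, which is the cold-start case a deployed baseline needs its own policy for.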

What is the next step for machine learning in security systems?

Because threats can lurk in enterprise systems for months, there are potentially vast amounts of data to sift through to find the root causes once a breach is detected. On-premise systems are not infinite and limits can be quickly met, especially with the need to quickly sift through vast data lakes to find the source of an attack.

The next stage for these systems will be a move to the cloud. This offers more advantages than just improved scalability. It gives the opportunity for peer learning – systems will be able to consider behaviour not just against what is typical for a single organisation but what is typical for similar companies in similar industries or even compare individual user behaviour with other similar individuals. Cybersecurity already relies heavily on intelligence sharing on new attacks. Cloud platforms will allow this to happen automatically and more quickly.

AI can also make better use of more proactive security strategies such as honeypots without creating a constant drain on security team resources. By helping with the grunt work of enterprise security, they can also free up staff to take a more strategic view of their work.

But many businesses are still not making full use of the intelligence that systems already offer. Future improvements need not rely on new technology but can be made by fully utilising the capabilities already available.

Is there a role for AI if something does go wrong?

This is an often ignored benefit of AI security. Even with the best planned incident response, the reality of dealing with an active attack is that some lessons will be missed in the rush to isolate and mitigate that attack. AI can help an organisation learn the lessons from a breach.

Incident response teams are increasingly turning to data scientists to help them respond more quickly during an attack but also to learn what they can in order to improve future defences. As security threats continue to evolve ever more quickly, so the role for AI will keep growing.

Security teams need more time to prepare for future attacks and predict zero day threats rather than solving existing issues. AI and ML can help organisations learn deeper lessons about their attackers to improve their own and other organisations' defences in the future.