21st century data security model: Can tech save us from ourselves?

Graeme Dawes - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Machine learning in cybersecurity moves needle, doesn't negate threats

The deployment of machine learning in cybersecurity is helping CIOs reduce false positives, quicken response times and make IS staff more efficient. But it's no magic bullet.

Like all diligent CIOs, Will Bailey wanted to be sure that he had solid defenses against the threats lurking out in cyberspace.

But Bailey, the IT director at Catholic Charities of Santa Clara County, saw some potential blind spots in his overall security posture. "There were areas where I think things are OK but had to ask, 'How do I really know?'" he said.

It's a common lament, as IT executives contend with both increasingly complex technology environments and increasingly sophisticated cyberattacks.

At CCSCC specifically, Bailey said perimeter defenses such as firewalls provided security against and visibility into external threats. But they didn't shed light on abnormal internal activities.

So Bailey opted for an emerging option, a platform that uses machine learning and artificial intelligence to analyze and zero in on anomalies.

Last year he implemented a self-learning technology that delivered an ROI during the pilot phase when it detected and reported a ransomware attack on the California charity's network.

Deploying machine learning in cybersecurity

Using artificial intelligence and machine learning in cybersecurity is gaining ground. Most IT leaders are looking at intelligent solutions, according to the May 2017 report "Next Generation Cybersecurity Analytics and Operations Survey." The survey was commissioned by DFLabs, a provider of security automation and orchestration technology, and researched by Enterprise Strategy Group (ESG).

Will Bailey, IT director, Catholic Charities of Santa Clara CountyWill Bailey

"Most of the people [in the survey] were definitely saying that machine learning is something they're evaluating from a strong security standpoint," said Dario Forte, CEO of survey sponsor DFLabs.

The report, based on a survey of 412 IT and cybersecurity professionals, found that 93% of IT leaders are using or planning to use these types of solutions: 12% of respondents have deployed machine learning technologies designed for security analytics and operations automation and orchestration; another 27% said they're doing so on a limited basis, while 22% said they're adding them. Some 20% are in the project phase to onboard such solutions.

Only 6% of respondents said they're either not planning on or not interested in deploying these technologies.

Forte said it's no surprise that the appetite for AI and machine learning in cybersecurity is strong. Tech vendors and their corporate clients are deploying these advanced technologies in a variety of functions within the enterprise, and starting to see returns on investment. He said early use cases show that these tools likewise have great potential in cyber defense, too.

"There is a little bit of hype right now, but I think it's a promising hype," agreed Sebastian Hess, the immediate past CISO of Isabel Group, a Belgium-based financial firm.

Hess listed the advantages that machine learning and AI platforms bring to cybersecurity. He, like other IT executives and analysts, cited the technologies' ability to analyze and discern patterns in network activities at a scale and speed impossible for humans to match. Hess oversaw a trial of a machine learning platform in late 2016 at the company. Like others who have deployed such technologies, he said the implementation wasn't particularly complex. That's not to say, however, that there wasn't strategy involved in implementing it or optimizing its value.

"The goal of most of the vendors is really to make it plug-and-play, but that only works to a certain extent. You might be able to throw a new sensor into the network and let it do its work," Hess said.

But even with optimal implementation, deploying AI and machine learning in cybersecurity won't replace other pieces of an organization's threat defenses.
Sebastian Hessimmediate past CISO, Isabel Group

But, in his experience, proper placement of the new AI equipment and systems is critical to maximizing insight. "If you have a poorly designed network or a non-central DNS (Domain Name Servers), you might not see the relevant traffic at the point where you tapped your network with this new device that would help you detect something negative going on," he said.

But even with optimal implementation, Hess said deploying AI and machine learning in cybersecurity won't replace other pieces of an organization's threat defenses. Intrusion detection, firewalls, antivirus software and other capabilities will continue to be required pieces to an overall security portfolio. Nor will these technologies eliminate the need for security personnel.

"Even though I think AI will be a great help when it comes to getting rid of the alert noise and automatically detecting anomalies, the human factor will always be a key differentiator when it comes to the overall effectiveness of any solution," Hess added.

ROI for machine learning in cybersecurity

Brian Thomas, CIO of Swope Health Services based in Kansas City, Mo., had a similar take.

Brian Thomas, CIO, Swope Health ServicesBrian Thomas

Thomas said an employee's computer was hit with ransomware that managed to get past multiple security layers. And although he and his team were able to quickly isolate the computer and recover files, Thomas said the incident illustrated the need for an additional layer that could quickly identify and detect potential problems. So he started to investigate intelligent technologies, ultimately selecting and implementing Darktrace's Enterprise Immune System platform in 2016. 

He said the additional time it took each week to review the dashboards presented by the platform was overwhelming at first, but it quickly paid off by dramatically reducing false leads that analysts had to track down.

But while he said he still needs some staff to investigate problems identified by Darktrace, he said the added capability has made existing staff more efficient -- eliminating the need for more personnel.

"Once it started to learn our habits, and our employees' habits and the things moving about our network, it not only saved us from hiring a CISO but also hiring an additional engineer," he said.

Jon Oltsik, senior principal analyst at ESG and founder of the firm's cybersecurity service, said organizations already benefit from AI and machine learning. He said vendors supplying traditional security products, such as antivirus software, are using the technologies in their products. Thus, the next step for IT leaders now is considering how to bring in dedicated machine learning and AI technologies to boost their security postures even further.

'Only as good as the data'

As Oltsik explained, organizations are collecting ever-increasing amounts of data. He said more than half the companies his firm has surveyed collect 15 kinds of data flow, such as log data, endpoint data and asset data, all of which can be analyzed for patterns that could indicate breaches and other criminal activities.

"AI and machine learning can make sense of patterns across many sets of data simultaneously," Oltsik said.

However, how well any one platform does depends on various factors, including, notably, the quality and type of data it receives. "Machine learning is only as good as the data you build the model with," Oltsik said, adding that there's no single source of data that either the vendors or their customers use to train these systems.

"Every machine learning solution is going to be different based on what data you use. And, and if you use existing data, it's historical data, so you're using past data to predict what will happen in the future," he added, further noting that organizations must also build in time to "train" these platforms in their own IT environments so they learn what's normal.

Oltsik cautioned against thinking that these intelligent technologies are panaceas. He pointed out that they don't stop attacks nor, at this point, do the tools typically being deployed automatically remediate them, either.

"I haven't talked to anyone who is using machine learning technologies to take automated action. Typically what [executives] want machine learning to do is to figure out if there's a problem and provide a trail of evidence on how they got to that conclusion," he said. "It's automating the security investigation and then giving it to an analyst."

Indeed, the DFLabs-ESG study found that the two top reasons organizations are deploying machine learning for security analytics and operations are, one, to accelerate incident detection and, second, to accelerate incident response.

Moving the needle, but no silver bullet

Jarret Raim, director of Rackspace Managed Security, which uses CrowdStrike, Alert Logic and Splunk for analytics platforms in addition to the company's own modeling to identify abnormalities, said he and his team rely on intelligent technologies to alert them to true anomalies while eliminating the so-called "false positives" that can eat up security staff's time.

Jarret Raim, director, Rackspace Managed SecurityJarret Raim

Raim noted that these platforms do perform some lower-level remediation, such as blocking malware, just as more traditional antivirus software has done for years. But he, too, said they're not mature enough to launch full-scale defenses against potential attacks.

Still, they help, he said.

"They will change the security landscape," Raim said. "They won't solve anything, but they will move the goalpost."

There lies the biggest promise, and the biggest limitation, of AI and machine learning in cybersecurity for IT leaders charged with safeguarding their companies.

Irfan Saif, a principal at Deloitte's risk and financial advisory business, said executives need to think about AI and machine learning as a suite of capabilities, using various types of data, to automate and orchestrate pieces of the cybersecurity operations. These executives can use these emerging technologies to improve their security posture and automate parts of security operations and processes.

Irfan Saif, principal, Deloitte risk and financial advisoryIrfan Saif

"If there is a chance that an organization can really embrace some of these things, even in one or two high-risk areas, then they might find they can move the needle and make an impact on the organization," he said, adding that the market for these technologies is "very, very nascent."

Expect improvements as the field matures, he said, but also expect the bad actors to ramp up their abilities to challenge it.

"The attackers aren't sitting still," Saif said. "It's quite likely that the attackers are trying to leverage the same technologies to defeat the measures that organizations are putting in place."

Next Steps

Recent articles by Mary K. Pratt:

How to prepare for enterprise robotics

Improve your odds of executing on your IT strategy

Business model for monetizing IoT, a work in progress

Dig Deeper on Enterprise information security management