Automation and Machine Learning in Cybersecurity

Eric Edwards | 5/11/2017

In a world with driverless cars and package-delivering drones, cybersecurity could be the next industry in which certain tasks are taken over by computers.

Automation and machine learning are certainly not new concepts, but they are relatively recent in the realm of cybersecurity. It is important that organizations understand how these technologies work, to what degree they can be used in security operations, and what some of the potential considerations may be when using them.

First, let’s discuss what automation and machine learning technologies are and their role in cybersecurity. Automation takes a manual, potentially time-intensive process and lets a computer handle it. A well-implemented automated solution increases the speed and consistency of a process. Most cyberattacks today involve some level of automation, which is what lets attackers operate quickly and persistently. Automation can equally be used by defenders, whether to gather information about an attack in progress or to take preventive action that blocks it.

Machine learning incorporates automation but adds a level of “intelligence.” Often associated with big data and analytics, a machine learning system takes in large amounts of data – both structured and unstructured – from a variety of sources and develops a model that aids decision-making. This model is “trained” over time: as new, correctly labelled data is fed into the system, the model adjusts accordingly and becomes more accurate.

One big reason that these technologies are now being used in cybersecurity is that the volume of attack activity far outstrips the capacity of defenders. Information security personnel cannot keep up with the volume, complexity, and persistence of the cyberattacks occurring every day. Automation and machine learning can augment cybersecurity to provide faster and more accurate detection, analysis, and response. By aggregating and analyzing the vast quantities of data available, machine learning systems can refine their models to draw connections and recognize patterns that humans, and even rule-based security information and event management (SIEM) systems, may miss. Once an attack has been detected, the system can automatically take action to block it or prevent its spread.
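The pipeline the last three paragraphs describe, as an added example (not code from the article or any vendor it mentions): a naive Bayes model trained incrementally on constructed, hand-labelled web-server log lines scores new requests, an automated responder emits a block action for any source IP whose request scores as malicious, and an analyst's confirmed verdict fed back into the model raises its score for a variant it initially missed. The log lines, labels, IP addresses and the `deny from` rule format are all constructed for this example.

```python
"""Added example: incrementally trained naive Bayes scorer over constructed
web-server log lines, plus an automated responder that blocks source IPs.
Not code from the article; all records below are constructed."""
import math
import re
from collections import Counter, defaultdict

# Constructed, hand-labelled training records: "<ip> <method> <path> <status>".
TRAINING = [
    ("10.0.0.5 GET /index.html 200", "benign"),
    ("10.0.0.6 GET /about.html 200", "benign"),
    ("10.0.0.7 GET /products?id=12 200", "benign"),
    ("10.0.0.8 POST /login 302", "benign"),
    ("10.0.0.9 GET /images/logo.png 200", "benign"),
    ("10.0.0.10 GET /search?q=laptop 200", "benign"),
    ("198.51.100.4 GET /login?user=admin'-- 500", "malicious"),
    ("198.51.100.5 GET /index.php?page=../../../../etc/passwd 404", "malicious"),
    ("198.51.100.6 GET /search?q=<script>alert(1)</script> 200", "malicious"),
    ("198.51.100.7 GET /cgi-bin/test.cgi?cmd=cat%20/etc/passwd 404", "malicious"),
    ("198.51.100.8 POST /admin/config.php?cmd=whoami 403", "malicious"),
    ("198.51.100.9 GET /wp-login.php?user=admin'%20or%201=1-- 200", "malicious"),
]
# Constructed events to score; the last two carry a command-injection
# pattern that is absent from the training set.
NEW_EVENTS = [
    "10.0.0.11 GET /products?id=7 200",
    "10.0.0.12 GET /about.html 200",
    "203.0.113.9 GET /index.php?page=../../../../etc/shadow 404",
    "203.0.113.7 GET /ping?host=127.0.0.1;cat%20/etc/passwd 200",
    "203.0.113.7 GET /ping?host=127.0.0.1;id 200",
]
# Words plus every single punctuation character as its own token, so quotes,
# angle brackets, semicolons and the dots of ../ all become features.
TOKEN_RE = re.compile(r"[a-z0-9]+|[^a-z0-9\s]")


def parse(line):
    """Split a record into (source IP, 'METHOD /path'); status is not a feature."""
    ip, method, path, _status = line.split()
    return ip, f"{method} {path}"


def tokenize(request):
    return TOKEN_RE.findall(request.lower())


class OnlineNaiveBayes:
    """Multinomial naive Bayes with add-one smoothing. update() may be called
    at any time, so the model keeps adjusting as labelled events arrive."""
    def __init__(self):
        self.class_counts = Counter()             # labelled documents per class
        self.token_counts = defaultdict(Counter)  # token frequencies per class
        self.vocab = set()

    def update(self, tokens, label):
        self.class_counts[label] += 1
        self.token_counts[label].update(tokens)
        self.vocab.update(tokens)

    def score(self, tokens, positive="malicious"):
        """P(positive | tokens), computed in log space to avoid underflow."""
        total_docs = sum(self.class_counts.values())
        log_post = {}
        for label, n_docs in self.class_counts.items():
            denom = sum(self.token_counts[label].values()) + len(self.vocab)
            lp = math.log(n_docs / total_docs)
            for tok in tokens:
                lp += math.log((self.token_counts[label][tok] + 1) / denom)
            log_post[label] = lp
        peak = max(log_post.values())
        mass = sum(math.exp(v - peak) for v in log_post.values())
        return math.exp(log_post[positive] - peak) / mass


def build_model(training=TRAINING):
    model = OnlineNaiveBayes()
    for line, label in training:
        model.update(tokenize(parse(line)[1]), label)
    return model


def score_line(model, line):
    return model.score(tokenize(parse(line)[1]))


def detect_and_respond(model, events, block_threshold=0.5):
    """Score each event; emit one block action per offending source IP. Actions
    are returned, not applied, so a caller can hand them to a firewall API."""
    actions, blocked = [], set()
    for line in events:
        ip, p = parse(line)[0], score_line(model, line)
        if p >= block_threshold and ip not in blocked:
            blocked.add(ip)
            actions.append({"ip": ip, "score": round(p, 3),
                            "action": "block", "rule": f"deny from {ip}"})
    return actions


if __name__ == "__main__":
    model = build_model()
    print(detect_and_respond(model, NEW_EVENTS))
    # Analyst confirms the fourth event as malicious and feeds it back; the
    # fifth event, a variant the model missed, now scores as malicious.
    variant, before = NEW_EVENTS[4], score_line(model, NEW_EVENTS[4])
    model.update(tokenize(parse(NEW_EVENTS[3])[1]), "malicious")
    print(f"{variant}: {before:.3f} -> {score_line(model, variant):.3f}")
```

Before the feedback step the two benign events score below 0.1, the path-traversal event above 0.99 and the first injection event around 0.84, so the responder blocks 203.0.113.9 and 203.0.113.7; the `;id` variant scores below 0.1 (a false negative) until the analyst-confirmed event is fed back, after which it scores above 0.9.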

A recent research report by the Internal Audit Foundation and Crowe focused on the need for a change in the approach to cybersecurity – asserting that it is not possible to achieve 100 percent protection 100 percent of the time. Traditionally, organizations have focused on taking a defensive and reactive approach, but the report advocates for a more proactive approach that includes using automation and machine learning technologies to increase the maturity of an organization’s cybersecurity program.

This kind of proactive approach is reflected in the addition of automation and machine learning systems to the product offerings of several security companies. These companies often deploy automation and machine learning technologies through the cloud, which can give the systems access to data warehouses holding years of threat information from internal sources, customer submissions, and third-party intelligence feeds, as well as unstructured sources like blog posts and research papers. All of these sources aid the ability to recognize and evaluate potential threats. In addition to matching the static features of a file (for example hashes, strings, and header fields), the systems also look at file behavior and patterns to assess a potential threat or block an attack as quickly as possible.

In their current state, these technologies do not represent a cure-all for cybersecurity. Several factors are worth considering when it comes to an implementation that uses automation or machine learning.

  • Good output requires good input. Everything rests on the automation process and on the learning model that the system develops. If the process is misconfigured, or the data fed to the system is erroneous, mislabelled, or unrepresentative, the output will inherit those errors.

  • Humans are still necessary. While the amount of data to sift through is too much for security personnel to handle on their own, the analysis cannot be completely handed over to machines. Automated and machine learning systems can initially generate many false positives and false negatives that require human intervention. Even a fine-tuned system will not be 100 percent accurate when identifying threats.

  • Security continues to be an evolving target. Technology is constantly changing and new vulnerabilities, attacks, and attack methods show up every day. A machine learning system may be capable of detecting the attacks of today but the model needs to be able to adjust quickly to emerging threats.
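One way to act on the three points above, as an added example that is not part of the original article: a triage policy that auto-blocks only above a threshold chosen to keep false positives low, routes the uncertain middle band to analysts, and measures the false positives and false negatives each threshold produces. The scores are assumed to come from whatever detection model is in use; the validation events, their scores and their labels are constructed.

```python
"""Added example: threshold selection and three-way triage over a constructed,
hand-labelled validation set. Not code from the article; scores are assumed
to come from an existing detection model."""

# Constructed validation events: (request, model score, analyst label).
VALIDATION = [
    ("GET /index.html", 0.02, "benign"),
    ("GET /products?id=3", 0.05, "benign"),
    ("GET /search?q=laptop", 0.11, "benign"),
    ("GET /export?format=csv&cols=a,b,c", 0.34, "benign"),
    ("GET /docs/c++-faq.html", 0.58, "benign"),                 # odd but legitimate
    ("GET /search?q=select+statement+tutorial", 0.71, "benign"),
    ("GET /ping?host=127.0.0.1;id", 0.09, "malicious"),         # novel, scored low
    ("GET /files?name=....//....//etc/hosts", 0.45, "malicious"),
    ("POST /login user=admin'--", 0.66, "malicious"),
    ("GET /index.php?page=../../../../etc/passwd", 0.88, "malicious"),
    ("GET /search?q=<script>alert(1)</script>", 0.93, "malicious"),
    ("GET /cgi-bin/test.cgi?cmd=cat%20/etc/passwd", 0.99, "malicious"),
]


def confusion(scored, threshold):
    """Counts at one decision threshold, plus precision and recall. A false
    positive is a legitimate client blocked automatically; a false negative
    is an attack allowed through without anyone looking at it."""
    tp = fp = fn = tn = 0
    for _req, score, label in scored:
        flagged = score >= threshold
        if label == "malicious":
            tp, fn = tp + flagged, fn + (not flagged)
        else:
            fp, tn = fp + flagged, tn + (not flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": precision, "recall": recall}


def choose_block_threshold(scored, min_precision=0.95):
    """Lowest threshold whose precision meets the target. Auto-blocking a
    legitimate user is the self-inflicted error, so precision is fixed first
    and recall is whatever remains; the review band below the threshold is
    where analysts recover part of the lost recall."""
    for t in sorted({score for _req, score, _label in scored}):
        if confusion(scored, t)["precision"] >= min_precision:
            return t
    return float("inf")  # nothing is precise enough to block automatically


def triage(scored, block_at, review_at):
    """Route each event: block automatically, queue for an analyst, or allow."""
    routes = {"block": [], "review": [], "allow": []}
    for req, score, _label in scored:
        if score >= block_at:
            routes["block"].append(req)
        elif score >= review_at:
            routes["review"].append(req)
        else:
            routes["allow"].append(req)
    return routes


if __name__ == "__main__":
    print("threshold 0.5:", confusion(VALIDATION, 0.5))
    block_at = choose_block_threshold(VALIDATION, min_precision=0.95)
    print("block at", block_at, confusion(VALIDATION, block_at))
    for route, reqs in triage(VALIDATION, block_at, review_at=0.3).items():
        print(f"{route:6} {reqs}")
```

At a naive threshold of 0.5 this set yields 4 true positives, 2 false positives, 2 false negatives and 4 true negatives, so two legitimate clients would be cut off. Requiring precision of at least 0.95 moves the auto-block threshold up to 0.88: no legitimate client is blocked, recall drops to 0.5, and the review band (0.3 and above) hands five events to analysts, two of which are attacks. The attack scored 0.09 is still allowed through; that residual false negative is the error budget the article says never reaches zero.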

Organizations should consider automation and machine learning as one part of a layered approach to security. Handing over some of the work to computers can add a level of efficiency to security operations but, as always, it only takes one error to give an attacker access to an organization’s network. However, given the growing amount of data available for analysis and the increasing number of cyberattacks, the future of cybersecurity may lie in systems that can perform analyses quickly and take action on their own.