Machine learning (ML) is becoming increasingly prevalent as a tool to solve complex information security problems. It is an approach that allows computers to acquire intelligence in the way that humans do using algorithms based on artificial intelligence. With this, machines can learn from repeated interactions with situations and events to develop correlations and predictions about current and future behavior. Machine learning algorithms are able to discern information from a data series without dependence on a previously determined relationship or characteristics. Learning occurs as it does with humans and animals, and relationships are further strengthened by repetition and reinforcement. This approach has grown in practical terms with the increase in computer processing power and the reduction in compute cost, allowing the aggregation, ingestion, and analysis of very large datasets and events. In this way, machine learning enables a level of learning and intelligence that mimics the ability of a human, since the ability to analyze data at this volume and speed is impractical for the human brain.
Machine learning is considered a derivative of artificial intelligence (AI) and should not be confused with AI as a technology or theory. Machine learning is best characterized as fixed algorithms within AI that can learn and postulate, while true AI is a step above that actually develops new algorithms to analyze data. This is more akin to a human learning a new task with no previous frame of reference. Therefore, artificial intelligence is more associated with the interpretation of information that is learned to drive conclusions or make decisions, while, to work effectively, machine learning must already have awareness of the scope of data being processed. Because of this relationship, many machine learning implementations are part of, or lead to, an artificial intelligence application when the scope of the project is fully understood.
Machine Learning and Information Security
Due to the considerable volume of data created by modern information networks, machine learning can be a useful way to supplement human analysis of security events to identify indicators of compromise. This value is self-evident due to the inability of humans to interpret raw security event data, which can easily overwhelm even advanced security tools when there is a high quantity of data. Machine learning can help security analysts by detecting when an attack has taken place, evaluating network traffic and flow, assessing vulnerabilities and exposure, and correlating the information with privileged access. This is particularly useful in situations where resources are very dynamic and ephemeral and where nuanced rules like privilege management security policy are being used to determine if an event was malicious or not. Machine learning can be used to assess threats and the output can be utilized to create and maintain a threat database. This database can be supplemented by other external sources, but will serve as a contextually relevant tool to assess what threat actors have potentially impacted in an organization and to what degree. Machine learning is useful because it can create initial relationships and then strengthen or weaken those relationships based on continual learning and analysis. In addition, it can also apply context and attribution to threats to provide a richer picture of them, while also helping to reduce both false positives and false negatives.
The Human Element
Human security analysts also have varying levels of effectiveness in their roles. An analyst starting a shift will generally be more effective than one that is near the end of their shift. This problem is even more pervasive in emergency break glass or crisis situations, where the heat of the moment can limit visibility, dull senses, impair the ability to interpret information, and lead to false conclusions. Repetitive work is frequently the enemy of security analyst effectiveness. Machine learning can greatly reduce analyst burnout due to the need to make decisions based on the repetitive review of events, logs, and alerts. Machine learning can be implemented initially with analysts serving as validators for machine learning decisions and then expanding the ability of ML to operate unsupervised in controlled circumstances. This releases the security analyst to handle more complex tasks and to act as the final arbiter of processed decisions. In time, the machine learning capability can be relied on to handle entire classes of security events, but once this is implemented, it needs to be continually validated at future intervals to ensure that the approach is still effective and not prone to errors. The human element is critical for oversight of any machine learning implementation when measuring privileged risk.
Attack Vectors
Machine learning can also be utilized by security organizations to quickly identify and address malicious attacks. Events can be processed quickly that lead to the identification and interpretation of “low and slow” attacks that the average SIEM solution may miss due to basic correlation based on time. Frequently, anomalous events, which could actually be an indication of initial compromise, are readily lost in the white noise of very chatty security and network devices. Similarly, lateral movement actions can enable threat actors to hide within substantial network traffic, so a machine learning approach will baseline the network traffic so that anomalies will stand out as opposed to being obscured. Baselining makes machine learning approaches inherently customized to each individual company’s network, growing more specialized and accurate over time. For privileged access management, machine learning is especially useful in helping to determine if a user’s behavior should be considered malicious or benign based on all of these characteristics.
In addition, machine learning can be a useful tool for analyzing endpoint assets and their associated behavior. As more companies adopt a bring your own device (BYOD) approach (covered in Chapter 16), utilizing machine learning allows the traffic and events from noncorporate-owned devices to be uniformly analyzed and an overall threat management system developed despite the diversity of the endpoint devices. Since endpoint security and managing administrative privilege is an inherent part of privileged access management, machine learning is useful because it can determine if a user behaves correctly based on prior work history, and it can assess whether current behavior is consistent with allowable limits and boundaries based on policy. If either is violated, automation can quarantine access or raise an escalation to begin additional forensics to determine if the behavior is definitively inappropriate.
To that end, many organizations rely too much on vulnerability and signature-based tools that identify established and documented threats in their environments, but struggle with the detection of zero-day and new threats within acceptable timeframes. These capabilities are useful because they provide an ability to detect and respond to new and unique threats well in advance of them appearing in commercial security offerings. This is also useful detecting threats facing remote workers and in operational technology environments that are largely unsecured or not considered worthy of investment in standardized security tools. These unsecured networks are increasingly becoming the favorite targets of modern threat actors and considering the changing location for workers a modern solution to mitigate the risks.
Machine Learning Benefits
Machine learning can be a useful supplement to an identity and privilege management approach, but should be considered just one tool in the toolbox and not a panacea. Nothing will completely replace the need for security analysts and audits, and forensic information should be readily available for the need to dig deep or to hunt for adversaries. Machine learning tools should also be well understood when implemented, and not managed as a black box. Like any tool in a system, ML tools need to be tuned and optimized to work with the other solutions in your ecosystem. The human element should always look at how many events are yielding true and false positives and how this is improving over time. Overall actionable events should also decline with continued use of this technology as it has time to discover and mitigate threats. One thing that is certain is that machine learning and artificial intelligence approaches will continue to evolve due the ever changing landscape and the need to protect resources outside of corporate governance.