The Age of Machine Learning in Cybersecurity

Ely Kahn, VP - Marketing & Business Development, Sqrrl
Tuesday, August 23, 2016
Headquartered in Cambridge, Sqrrl is an innovative security analytics company that enables businesses to identify, hunt, and disrupt advanced cyber threats by leveraging Linked Data, Machine Learning, User & Entity Behavior Analytics (UEBA), Risk Scoring, and Big Data technologies.

On average, it takes an organization a shocking 265 days to identify a data breach caused by a malicious attack, and then an additional 69 days to contain it. Yet the length of cyber incident detection and response is not the only issue organizations face. The other troubling factor is that these breaches are on the rise, both in number and in scope of impact. Furthermore, it's not just sectors like finance and government that are under attack; nearly every sector is facing threats, including healthcare, entertainment, and retail. It's clear that traditional security measures aren't enough in today's increasingly sophisticated cyber threat environment.

However, there's a new approach that's giving security executives renewed hope: User and Entity Behavior Analytics (UEBA). Its development is closely tied to that of machine learning, which has been gaining momentum throughout the technology industry and is quickly becoming one of the most important trends in cybersecurity in particular. Before, security analysts were expected to comb through all the logs generated in a given day; with the amount of data available today, that is simply no longer feasible. This is where machine learning tools such as UEBA play a crucial role. They automate the process of sifting through large amounts of data, complementing the analyst's skill at finding patterns or noticing when something seems unusual. Thus, when used effectively, machine learning provides powerful and accurate insights, making it likely to be one of the largest influencing factors on organizations' Security Operations Center workflows in the coming years.

Conventional algorithms return the same result for a particular set of data each time they are run. Machine learning algorithms, on the other hand, are adaptive: they change their behavior based on the data they are fed. In the case of UEBA, the data is all the various activity on a network, whether from users, devices, or servers, which the program uses to build a historical baseline. It can then score the risk of security anomalies against those baselines. These anomalies can be aligned to adversary behaviors such as lateral movement and malware command and control. UEBA is designed to complement rule- or signature-based approaches (such as SIEMs) and to identify security anomalies that they miss. It is most effective when it leverages Big Data storage and processing to bring together a wide variety of datasets and to look for anomalies across them and at their intersection.

Beaconing is an example of a technique that UEBA can be used to discover. Beacons are network traffic typically sent at regular intervals, used to signal availability to, or to receive new instructions from, an external command and control (C2) point. Machine learning algorithms, which can be used to power UEBA, allow a security solution to ignore benign beacons from mail clients, software update agents, or websites that automatically refresh their content (e.g., weather sites). This reduces the number of false positives when it does detect behavior indicative of malicious beacons.
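A simplified illustration of the beacon-regularity check described above, added here as an example and not Sqrrl's code: it groups flow records by source and destination, measures how clock-like the gaps between connections are, and skips a hypothetical allow-list of known-benign periodic destinations so they do not surface as false positives. The flow records, host names, and thresholds are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (timestamp seconds, source host, destination), not
# real traffic: one near-periodic destination, one benign periodic service, one irregular.
FLOWS = [
    (0, "ws-12", "203.0.113.7"), (300, "ws-12", "203.0.113.7"), (601, "ws-12", "203.0.113.7"),
    (899, "ws-12", "203.0.113.7"), (1200, "ws-12", "203.0.113.7"), (1502, "ws-12", "203.0.113.7"),
    (0, "ws-12", "updates.vendor.test"), (3600, "ws-12", "updates.vendor.test"),
    (7200, "ws-12", "updates.vendor.test"), (10800, "ws-12", "updates.vendor.test"),
    (14400, "ws-12", "updates.vendor.test"),
    (10, "ws-12", "wiki.internal.test"), (47, "ws-12", "wiki.internal.test"),
    (950, "ws-12", "wiki.internal.test"), (3100, "ws-12", "wiki.internal.test"),
    (3111, "ws-12", "wiki.internal.test"),
]

# Hypothetical allow-list of destinations whose periodic traffic is known benign
# (update agents, mail servers, auto-refreshing sites), as the article describes.
BENIGN_PERIODIC = {"updates.vendor.test"}

MIN_CONNECTIONS = 5     # fewer samples make interval statistics meaningless
MAX_JITTER_RATIO = 0.1  # stdev/mean of the gaps; lower means more clock-like

def interval_regularity(timestamps):
    """Return (mean gap, jitter ratio) for a set of connection times; the ratio is
    the coefficient of variation of the gaps, near 0 for a clock-like beacon."""
    times = sorted(timestamps)
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))

def find_beacon_candidates(flows, allowlist=BENIGN_PERIODIC):
    """Group flows by (source, destination) and flag clock-like patterns,
    skipping allow-listed destinations so benign beacons are not false positives."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    candidates = []
    for (src, dst), times in by_pair.items():
        if dst in allowlist or len(times) < MIN_CONNECTIONS:
            continue
        avg, jitter = interval_regularity(times)
        if jitter <= MAX_JITTER_RATIO:
            candidates.append({"source": src, "destination": dst,
                               "period_s": round(avg), "jitter_ratio": round(jitter, 3)})
    return candidates

if __name__ == "__main__":
    for hit in find_beacon_candidates(FLOWS):
        print(hit)  # one hit: ws-12 -> 203.0.113.7 every ~300 s
```

In a real deployment the per-pair baseline would be learned over days of traffic and the allow-list would come from the organization's own observed benign periodic services, not a fixed set.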
