April 2023

Machine Learning for Network Security, Detection and Response

Cybersecurity is the practice of defending computers, networks, and other electronic devices against malicious attacks. As technology advances, detecting malicious activity and flaws in computer networks requires ever more sophisticated skills. This is where machine learning can help.

Machine learning is a subset of artificial intelligence that uses algorithms and statistical analysis to draw inferences about a system's behavior from data. It can help organizations address new security challenges, such as scaling up security solutions, detecting unknown and advanced attacks, and identifying trends and anomalies. Machine learning can also help defenders more accurately detect and triage potential attacks, but it may bring new attack surfaces of its own.

Machine learning can be used to detect malware in encrypted traffic, find insider threats, predict “bad neighborhoods” online, and protect data in the cloud by uncovering suspicious user behavior. However, machine learning is not a silver bullet for cybersecurity. It depends on the quality and quantity of the data used to train the models, as well as the robustness and adaptability of the algorithms.

A common challenge faced by machine learning in cybersecurity is dealing with false positives, which are benign events that are mistakenly flagged as malicious. False positives can overwhelm analysts and reduce their trust in the system. To overcome this challenge, machine learning models need to be constantly updated and validated with new data and feedback.
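The scale of the false-positive problem follows directly from Bayes' rule: when real attacks are rare, even an accurate detector produces mostly false alarms. A minimal sketch, with illustrative numbers (the prevalence and detection rates below are assumptions, not measurements):

```python
# Base-rate effect: when attacks are rare, most alerts are false positives,
# even for an accurate detector. All numbers here are illustrative.
def alert_precision(prevalence, tpr, fpr):
    """Fraction of alerts that are true attacks (Bayes' rule)."""
    true_alerts = prevalence * tpr
    false_alerts = (1 - prevalence) * fpr
    return true_alerts / (true_alerts + false_alerts)

# Suppose 1 in 1,000 events is malicious; the detector catches 99% of
# attacks with a 1% false-positive rate. Only about 9% of alerts are real.
p = alert_precision(prevalence=0.001, tpr=0.99, fpr=0.01)
print(f"{p:.1%} of alerts are real attacks")
```

This is why feedback loops that re-validate models against analyst verdicts matter: reducing the false-positive rate has an outsized effect on alert quality.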

Another challenge is detecting unknown or zero-day attacks, which are exploits that take advantage of vulnerabilities that have not been discovered or patched yet. Traditional security solutions based on signatures or rules may not be able to detect these attacks, as they rely on prior knowledge of the threat. Machine learning can help to discover new attack patterns or adversary behaviors by using techniques such as anomaly detection, clustering, or reinforcement learning.

Anomaly detection is the process of identifying events or observations that deviate from the normal or expected behavior of the system. For example, machine learning can detect unusual network traffic, login attempts, or file modifications that may indicate a breach.
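As a concrete illustration of the idea, here is a minimal statistical anomaly detector: it flags events whose value deviates from the historical baseline by more than a few standard deviations. The feature (bytes per minute) and the threshold are assumptions chosen for the sketch, not prescriptions:

```python
import statistics

# Toy anomaly detector: flag events that deviate more than k standard
# deviations from the historical mean (a simple z-score rule).
def zscore_anomalies(history, new_events, k=3.0):
    mean = statistics.fmean(history)
    stdev = statistics.stdev(history)
    return [x for x in new_events if abs(x - mean) > k * stdev]

# Baseline: bytes per minute sent by a host. The sudden spike stands out.
baseline = [980, 1020, 1005, 990, 1010, 995, 1003, 1001]
print(zscore_anomalies(baseline, [1002, 50_000, 998]))  # [50000]
```

Real systems would use richer features and models, but the principle is the same: learn "normal," then score deviation from it.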

Clustering is the process of grouping data points based on their similarity or proximity. For example, machine learning can cluster malicious domains or IP addresses based on their features or activities, and flag them as “bad neighborhoods” online.
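A minimal sketch of the clustering idea, using a tiny k-means implementation over two invented per-host features (say, DNS queries per minute and distinct domains contacted); the data points and feature choice are illustrative assumptions:

```python
import math
import random

# Minimal k-means: group hosts by similarity of two numeric features.
# Feature meanings and data points are invented for the illustration.
def kmeans(points, k, iters=20, seed=0):
    rng = random.Random(seed)
    centers = rng.sample(points, k)          # random initial centroids
    groups = [[] for _ in range(k)]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:                     # assign each point to nearest center
            nearest = min(range(k), key=lambda i: math.dist(p, centers[i]))
            groups[nearest].append(p)
        new_centers = []
        for i, g in enumerate(groups):       # move centers to group means
            if g:
                new_centers.append(tuple(sum(c) / len(g) for c in zip(*g)))
            else:
                new_centers.append(centers[i])
        centers = new_centers
    return groups

benign = [(5, 3), (6, 4), (4, 3), (5, 2)]
noisy  = [(90, 60), (95, 65), (88, 58)]      # beaconing-like hosts
clusters = kmeans(benign + noisy, k=2)
```

Here the high-activity hosts end up in their own cluster, which an analyst could then review as a candidate "bad neighborhood."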

Reinforcement learning is the process of learning by trial and error, aiming to maximize a cumulative reward. For example, machine learning can learn to optimize the defense strategy of a system by observing the outcomes of different actions and adjusting accordingly.
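The trial-and-error idea can be sketched with a simple epsilon-greedy agent that learns which defensive action yields the best average reward. The actions and their success probabilities below are invented for the illustration:

```python
import random

# Toy reinforcement-learning sketch: an epsilon-greedy agent tries defensive
# actions, observes stochastic rewards, and converges on the best one.
# Action names and reward probabilities are assumptions for the example.
def learn_defense(reward_probs, episodes=5000, eps=0.1, seed=42):
    rng = random.Random(seed)
    actions = list(reward_probs)
    value = {a: 0.0 for a in actions}        # running estimate per action
    count = {a: 0 for a in actions}
    for _ in range(episodes):
        if rng.random() < eps:               # explore a random action
            a = rng.choice(actions)
        else:                                # exploit the best estimate so far
            a = max(actions, key=value.get)
        reward = 1.0 if rng.random() < reward_probs[a] else 0.0
        count[a] += 1
        value[a] += (reward - value[a]) / count[a]   # incremental mean update
    return max(value, key=value.get)

# "patch" stops more simulated attacks than "ignore" or "rate_limit".
best = learn_defense({"ignore": 0.1, "rate_limit": 0.5, "patch": 0.8})
print(best)  # patch
```

Full reinforcement learning adds states and delayed rewards, but the core loop (act, observe, adjust) is the same.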

Machine learning can also leverage statistics, time, and correlation-based detections to enhance its performance. These indicators can help to reduce false positives, identify causal relationships, and provide context for the events. For example, machine learning can use statistical methods to calculate the probability of an event being malicious based on its frequency or distribution. It can also use temporal methods to analyze the sequence or duration of events and detect anomalies or patterns. Furthermore, it can use correlation methods to link events across different sources or domains and reveal hidden connections or dependencies.
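A small example of a temporal, correlation-based detection: correlating failed and successful logins for the same account within a time window, a classic brute-force pattern. The event format, window, and threshold are assumptions for the sketch:

```python
from collections import defaultdict

# Temporal correlation sketch: flag accounts with many failed logins
# followed by a success within a short window (a brute-force pattern).
# Event format (timestamp, user, outcome) and thresholds are assumptions.
def brute_force_suspects(events, window=60, min_failures=5):
    failures = defaultdict(list)             # user -> timestamps of failures
    suspects = set()
    for ts, user, outcome in sorted(events):
        if outcome == "fail":
            failures[user].append(ts)
        else:  # success: count failures in the window just before it
            recent = [t for t in failures[user] if ts - t <= window]
            if len(recent) >= min_failures:
                suspects.add(user)
    return suspects

events = ([(t, "alice", "fail") for t in range(0, 50, 10)]
          + [(55, "alice", "ok"), (10, "bob", "fail"), (500, "bob", "ok")])
print(brute_force_suspects(events))  # {'alice'}
```

The same windowing idea generalizes to correlating events across sources, such as a suspicious login followed by an unusual data transfer.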

Machine learning is a powerful tool for cybersecurity, but it also requires careful design, implementation, and evaluation. It is not a one-size-fits-all solution, but rather a complementary approach that can augment human intelligence and expertise. Machine learning can help defenders navigate the digital ocean of incoming security events, especially when as many as 90% of them turn out to be false positives. The need for real-time security stream processing is greater than ever.

Gartner: “it is the user, not the cloud provider” who causes data breaches

Gartner’s recommendations on cloud computing strategy open a rightful discussion about the roles and responsibilities of the different actors involved in cloud security. How many security and data breaches happen due to flaws at Cloud Service Providers (CSPs), and how many are caused by CSP customers and the human beings dealing with the cloud on a daily basis? Gartner predicts that through 2025, 99% of cloud security failures will be the customer’s fault. Such a prediction can only be grounded in current figures, which evidently show that the vast majority of breaches stem from issues on the customers’ side.

Among the various causes, first place belongs to data breaches arising from misconfiguration of the cloud environment and from security flaws in software that were missed by the DevOps and IT teams working in the cloud.

While the workloads and data keep moving to the cloud, DevOps and IT teams often lack the required skill sets to properly configure and maintain cloud-based software. The likelihood of an unintentional misconfiguration is increased because the majority of seasoned IT workers have significantly more expertise and training with on-premises security than they do with the cloud. While younger, less experienced workers may be more acclimated to publishing data to the cloud, they may not be as familiar with dealing with security, which might result in configuration errors.

Some team members have never heard of the Role-Based Access Control (RBAC) principle and will have real trouble working in a cloud like AWS, where they are required to properly set up IAM users and IAM roles for each software component and service. These DevOps and IT engineers need intensive training to close the cloud security gap. Until that happens, the enterprise will keep suffering from improper configuration, production failures, and periodic security breaches.
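To make the RBAC/IAM point concrete, a least-privilege setup means granting each component only the permissions it actually uses. A minimal sketch of an AWS IAM policy in that spirit (the bucket name and statement ID are hypothetical, chosen for illustration):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccessToOneBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-app-logs",
        "arn:aws:s3:::example-app-logs/*"
      ]
    }
  ]
}
```

A policy like this, attached to the IAM role of a single service, limits the blast radius of a compromise: the service can read its own logs bucket and nothing else.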

Simple solutions like a firewall can add an extra layer of security for data and workloads, whether in on-prem, hybrid, or pure cloud deployments. And yet, even simple measures like these add another dimension of IT complexity and risk, since they can be misconfigured through human error or rely on an outdated, vulnerable software package.