Ten years ago, security leaders couldn’t wait to tell you about their cutting-edge use of Linux; nowadays, that’s considered table stakes. Today, the big buzzwords are artificial intelligence (AI) and machine learning, and for good reason. With the computational power we have today, we can apply straightforward mathematical techniques to data and surface insights that are not only interesting and valuable but also may not have been obtainable five or ten years ago. This is particularly effective for security, because it helps us become faster, more effective and more innovative in defending systems against the evolving threat landscape we face today.
While this excitement around machine learning is deserved, much like Linux, it will eventually be something everyone in security is doing. It will become an everyday tool within our broader cyber security toolbox to augment the work security analysts are doing.
At Adobe, we’re continually looking for new opportunities where we can apply machine learning to amplify and reinforce the work of our security analysts. Below are three key ways we’ve leveraged machine learning to surface data-based insights and automate mundane, time-consuming tasks, empowering our security analysts to focus on higher order activities.
Anomaly Detection
At Adobe, we’ve trained our machine learning algorithms to sift through the millions of events that occur over a 24-hour period and surface the key events that a security analyst should look at. That way, we know from the outset that each surfaced instance is an anomaly worth our attention and investigation.
Given what happens day-to-day in our environment, an anomaly doesn’t necessarily mean an observation is malicious, but it may still require a human eye. For instance, when it comes to our user endpoint data, the first employee to use a fancy new running watch may trigger an investigation, but after that, these devices will be recognized by the algorithms and will no longer trigger an alert.
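The running-watch behaviour described above can be illustrated with a count-based novelty scorer. This is an added example written for this page, not Adobe’s own code; the device-class names, the baseline counts, the smoothing formula and the 4-bit threshold are all assumptions, and the event data is constructed.

```python
import math
from collections import Counter

# Constructed sample data (not real endpoint telemetry): one record per
# device-attach event. BASELINE_DAY is the previous 24-hour window the model
# learns from; NEW_DAY is the window being triaged, in arrival order.
BASELINE_DAY = (["keyboard"] * 6 + ["mouse"] * 6
                + ["usb_storage"] * 3 + ["webcam"] * 2)
NEW_DAY = [
    ("alice", "keyboard"),
    ("bob", "mouse"),
    ("carol", "running_watch"),  # first sighting fleet-wide -> flagged
    ("dave", "running_watch"),   # second employee, same class -> quieter
    ("erin", "running_watch"),
    ("alice", "usb_storage"),
    ("frank", "unknown_hid"),    # another never-seen class -> flagged
]


class NoveltyDetector:
    """Rarity scorer with additive smoothing (assumed design).

    surprise(value) = -log2 P(value), with
    P(value) = (count + 1) / (total + distinct + 1).
    The extra +1 in the denominator reserves probability mass for "something
    new", so a never-seen value scores highest. Each scored event is then
    folded into the counts, so a repeated device class scores lower each time.
    """

    def __init__(self, threshold_bits=4.0):
        self.counts = Counter()   # Counter returns 0 for unseen keys
        self.total = 0
        self.threshold_bits = threshold_bits

    def fit(self, values):
        """Learn the baseline from a prior window of events."""
        for v in values:
            self.observe(v)

    def observe(self, value):
        self.counts[value] += 1
        self.total += 1

    def surprise(self, value):
        p = (self.counts[value] + 1) / (self.total + len(self.counts) + 1)
        return -math.log2(p)

    def triage(self, events):
        """Score events in order, updating the model as it goes.
        Returns (flagged, scores); flagged holds (index, user, value)."""
        flagged, scores = [], []
        for i, (user, value) in enumerate(events):
            s = self.surprise(value)
            scores.append(s)
            if s >= self.threshold_bits:
                flagged.append((i, user, value))
            self.observe(value)  # once seen, it becomes part of "normal"
        return flagged, scores
```

Running `NoveltyDetector().fit(BASELINE_DAY)` followed by `triage(NEW_DAY)` flags only Carol’s first watch and Frank’s unknown device; Dave’s and Erin’s watches fall below the threshold because the class is already known.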
Threat Hunting
No two data sources are the same. Each has its own characteristics, patterns and interpretation. This can make it difficult for security analysts to identify malicious activity if they’re simply searching through the raw data itself.
Machine learning allows us to apply various visualization techniques to the data to identify interesting events that fall outside the usual patterns, while dimensionality reduction algorithms can collapse the data into a simple plot that still accounts for all of its features.
Zero Trust
Adobe uses technologies and workflows that aim to make our zero-trust network one that not only has a stringent security framework but also offers an efficient and pleasant user experience. Balancing the two can be challenging.
This is where machine learning comes in. It has become a critical component of this initiative, computing trust scores for users and their associated devices and automating access rules to make real-time decisions on who is allowed to safely access a particular resource.
What’s Needed to Be Successful
Machine learning can have a significant impact in helping a security analyst make the right decisions. With that said, the work of a security analyst is more than a binary, zero-or-one job: we rely on human investigation to understand many of the things that machine learning flags for us.
As such, there are several key components to successfully implementing machine learning within your security framework:
- Training… and more training: We have to give our workforce hands-on experience with vast amounts of data and with machine learning. But let’s be clear, this isn’t a two-day training after which they’re off to the races. It takes a lot of time and training; at Adobe, we put our engineers through a 24-week training course.
- The right people: You cannot throw a generic code writer at the problem, particularly if they have no machine learning skills or cyber security background. The best approach is to train your security analysts on machine learning, and if you can secure support from a data scientist, you could have a patented technology in the making.
- Skepticism: There is no magic bullet that will solve your security issues. Machine learning is another tool in the tool belt, but like any other tool it can be used wrong and have unintended consequences. That is why the security analyst’s role remains crucial in the process.
- Good data: It feels silly to say this, but it’s too important not to mention. If you put junk data in, there is a good chance you’ll get junk data out.
As I’ve said, there isn’t a magic bullet for this. It requires a lot of time, investment and the right talent to implement and tailor machine learning so that it can successfully identify anomalies for your company’s own specific issues and environments.
However, once you achieve this, it’s a game changer for security analysts and strategy.