Credit: ID 141664384 © Chanin Hatthakaroon | Dreamstime.com
Cyberthreats have never been more widespread, persistent, and potentially impactful as they are now, and each attack has the potential to bring an organisation to its knees. Most business decision-makers know this and are putting measures in place to protect their organisation.
Security is at the heart of every organisation, and perhaps never more so than companies implementing their digital transformation initiatives with an even more advanced analytics ecosystem needed to assist in their journey. Adding advanced machine learning and user and entity behavioural analytics (UEBA) to an already-seep security, risk, and governance portfolio gives security professionals the most advanced technique for executing rapid and accurate threat-detection analysis.
Chief among these measures is often a security information and event management (SIEM) solution, which can be a powerful way to gain visibility into security breaches and proactively defend against them.
However, SIEM solutions can create more work and complexity for teams that don’t have the skills or resources to cope. When security teams are inundated with security event traffic, it can be difficult to identify and keep pace with advanced threat actors.
It’s therefore essential for organisations to implement security monitoring tools that provide a faster, more automated response capability. These solutions need to be able to distinguish the real, immediate threats from the noise of regular activity in an increasingly-digitalised landscape. Organisations are doing more business online than ever and many actions that may have raised red flags in the past may actually be legitimate business activities now.
Therefore, SIEM tools that throw out massive numbers of alerts merely create too many false positives for the organisation to be able to benefit. However, if SIEM tools are configured to trigger fewer warnings, there is a risk that real threats may go undetected.
This creates a challenge, which has traditionally been difficult to overcome. The rise of artificial intelligence and, specifically, machine learning, could turn this issue into a relic of the past.
Machine learning algorithms learn to tell the difference between the vast amounts of regular traffic that a network carries and potential advanced attacks. Machine learning is perfect for this task because it excels at detecting pattern anomalies.
With machine learning sifting through these vast amounts of information and triggering alerts only when they’re really justified, scarce and valuable skilled security team members can focus their time on stopping threats in their tracks and/or investigating their origins.
This lets organisations structure their teams more appropriately and gain greater efficiencies in security and operations, as well as gain greater returns on their investment in security resources.
Furthermore, using machine learning provides a familiar and reliable way to detect threats. First humans, then SIEM tools, and now machine learning have all used roughly the same process to detect anomalous behaviour on the network. The difference with machine learning is that these algorithms become capable of detecting even very subtle indicators of malicious activity, and can process vast amounts of data in a fraction of the time.
Machine learning in security has already proven its value by identifying even complex and stealthy threats that bypass traditional security controls. These threats can be hard to identify because they’re so sophisticated. The attacker’s methods include compromising authorised users’ credentials and access privileges so their activity can potentially go unnoticed. Unlike a brute force attack, there are no immediate red flags to identify that the account has been hacked.
However, user behaviour analytics powered by machine learning can detect behaviour that would be unusual for that user, indicating that their account may be compromised. This can then be flagged for investigation.
In an ideal world, security would be tight enough to ensure that no malicious activity ever gets through. However, teams must find a balance between a secure environment and one that lets the business operate effectively, without unnecessary restraints.
Machine learning can help overcome many of the challenges associated with this. However, it’s important to remember that machine learning is only effective if its algorithms are correct and it is used to measure a limited number of variables. Once the variables increase past a certain point, the mathematical capacity for the machine to learn and identify anomalies effectively diminishes.
In the long term, machine learning will likely contribute to a vastly-increased speed of identifying and responding to potential threats. In the short term, the advantages are likely to be incremental although still significant. Meanwhile, human experts can claw back more time to spend on the highest-priority threats and organisations can find a better balance between security and ability to operate. This can help overcome issues around the scarcity of appropriately-skilled staff members, as well as help organisations direct their resources to where they can add the most value.