Cybersecurity is an industry rife with buzzwords: hackers, zero trust, and of course, artificial intelligence (AI). Buzzwords can often be overused and underdelivered in terms of solutions on the market. But, one subset of AI, machine learning (ML), is going beyond the buzzword, promising the ability to streamline and improve security practices.
It’s a well-needed advancement. Today’s malicious actors are dedicated to finding novel ways to ensure their attacks are successful. As such, the use of ML in cybersecurity solutions offers a way to stay in stride with attackers. We’ll break down what ML is, how it’s used in cybersecurity today, and the ways its uses can expand into the future.
Machine learning is the practice of training computer algorithms with data to identify and recognize patterns. In this way, ML mimics how humans learn, allowing computers to find ways to improve upon their functions in the future.
With ML, specific models are trained on large amounts of data to serve certain use cases and solve problems. From there, the models can constantly evolve on data input and validation, furthering their “understanding” of the use case in finding more efficient ways to solve the problem. When it comes to its use in cybersecurity, this ability to adapt proves useful.
With a constantly changing threat landscape, human threat hunters can only do so much at any given time. There’s always a limited amount of time and resources and it’s impossible to know exactly what the next new attack vector will be. But the addition of ML introduces predictive analytics to the picture.
ML analyzes data to recognize patterns, and because of this, can see when patterns are unfolding in real time. For example, a data scientist feeds an ML model large data sets of both malicious and benign scripts or malware samples. The model learns to identify how to differentiate the “good” samples from the “bad.” Then, in practice, it scans incoming data logs to see if there are any similarities. If the data matches the good samples, nothing happens, and everything operates as normal. But, when the data appears anomalous, the ML model assigns a risk score that can be utilized to alert the appropriate people or solutions.
Although this approach is generally similar to what human threat hunters do on a daily basis, ML models are considerably faster at combing through data to find anomalies. But this is only one use of ML in today’s cybersecurity landscape.
Another such use case is the improvement of cybersecurity solutions, such as endpoint security platforms. ML can assist and improve upon existing detections by identifying anomalies that are difficult to detect with traditional static or even behavioral-based detections. Typically, these approaches rely on making inferences in near real time. Using the same methodology as before, ML can recognize common patterns using data collected on endpoints or other entities, flagging anomalous behaviors and activity more quickly and at a larger scale. Products like next-generation anti-virus go a step further, intelligently reacting to the detected threat by taking actions on the system to remedy any potential compromise.
For example, when an endpoint solution powered by ML detects anomalous and potentially malicious behavior in the data, it acts accordingly, alerting security teams. Going a step further, the best ML solutions incorporate the learnings from the experience to target the application or file in question and take response actions. They also build off past data to better understand and identify false positives, reducing the amount of unnecessary alerts the security team receives.
It all boils down to speed. Although humans are best at understanding what adversaries are doing, thinking, and feeling, ML models act faster, more succinctly, and at greater scale than a human possibly could. And, as ML models add new capabilities based on their learnings, they offload work from their human counterparts, freeing them up for deeper and more wide-reaching endeavors.
Just like it’s impossible to truly know the next attack vector, there’s no way of knowing what the future of ML in cybersecurity holds. But, also like ML, we can identify the patterns of ML use today to make some predictions.
As ML models continue to ingest data from today’s threat actors, they will continue to “understand” anomalous behaviors and how to spot them in the wild. In this way, ML will likely be the first line of defense against the onslaught of cyberattacks. And, once the technology advances far enough, there is little doubt that it will be used ubiquitously in organizations both large and small.
Going further, sophisticated attack groups aren’t the only threat to businesses. In many cases, an attack can come from within the organization from a malicious or disgruntled employee. ML will better be able to monitor employee behavior and identify these cases as well, allowing businesses to root out any bad eggs before they have a chance to hurt the organization. This applies to other types of threats as well, including business email compromise, providing more proactive defense strategies against a wider range of threats.
Culminating the two points above, having a wider, more robust understanding of the global threat landscape enables ML models to make more informed decisions when it comes to heading off threats before they happen. More historical data points provide ML models with more purview into the ways that attacks unfold, so when the first indication of compromise hits, the response can be swift and effective.
As ML models become more advanced, it’s likely that other models will be leveraged atop the existing ones to further understand data. With many different data sources around the IT environment, ML models can correlate data from across those different sources. Doing so paints a bigger picture of what’s going on, tying together events to better understand when a breach is occurring in real time.
In addition, the use of other models like ChatGPT for understanding language and image/speech recognition models paves the way for even more uses. For instance, security teams can use ChatGPT to streamline the creation and documentation of security processes, laying out a solid framework before tailoring it to the specifics of the business. Some examples include building out investigation guides or detection rule descriptions, taking the initial work off the humans in the business who instead have to just review and implement the results.
Used in combination with existing ML models, these processes could also help dictate future incident response plans. In this scenario, the ML solution follows established procedures while building off its understanding of the overall IT environment to efficiently automate response processes. This promises both quicker and more repeatable responses to incidents while also removing some of the stresses and burdens of incident response from the security team.
Another use would be the improvement of biometrics as a second/multiple factor in authentication. Currently, biometric authentication methods can be spoofed. With more advanced, deep learning ML modeling, authentication methods can better weed out these phony attempts and fully recognize a user’s identity.
These are, of course, predictions and may or may not come true, but looking at the capabilities of ML today as they relate to cybersecurity, the possibilities are endless. Todyl is at the cutting edge of ML in cybersecurity, using ML to power our EDR solution’s detection and response capabilities in concert with the rules created by our expert Detection Engineers. We also leverage ML to innovate with our SIEM module as well.
Learn more about how we use ML here at Todyl by reading our EDR eBook.
Subscribe to receive the latest insights, news, and updates from Todyl.
