Machine-learning communities will help businesses fight hacker fraternisation, predict insider threats

With data volumes out of control, open-source machine learning will foster communal support around behavioural models

Cybercriminals are collaborating to refine their attacks and businesses must do the same by leveraging a growing body of open-source security tools, a security expert has advised as open-source machine learning puts the technology into the mainstream.

Mainstream adoption of machine-learning techniques has become crucial for businesses that are being inundated with security-related data and are well past the hope of having humans – or security information and management (SIEM) platforms – keep up with the flood, Cloudera chief security architect Eddie Garcia recently told CSO Australia.

“The machine learning part makes a huge difference,” he said. “Whereas before SIEM technology searched for known patterns like DDoS or brute-force attacks, machine learning recognises a baseline of what normal activity is, and uses this to recognise anomalies.”

Machine-learning techniques exploded into the mainstream during 2016, with the launch of the Intel-Cloudera based Apache Spot platform a turning point in the adoption of machine-learning techniques to security analytics.

The platform allows businesses to monitor and model their own normal behaviour – and in so doing, to more easily identify anomalies suggestive of potential security attacks. This capability had become critical not only because of the volume of security-related data being generated by today’s tools, but because those tools needed to be able to apply machine-learning techniques to images, video, voice, social-media feeds, and all manner of other unstructured data.

Conventional SIEM tools “are no longer as effective with new, sophisticated types of attacks,” Garcia explained. “It’s a totally different age and the type of data that we can fit into the models is changing. All of these data types, combined together, give a much better representation of what may be happening in your organisation.”

Fostering an open-source community around machine-learning security analytics would allow businesses to tap into growing communities of common interest, where behavioural models can be swapped and traded in support of a common defence strategy.

This would be particularly useful in modelling user behaviour that may indicate an insider compromise – if, for example, an employee’s account suddenly begins accessing file servers that it has never tried to access before.

Ultimately, the application and refinement of such models would help machine-learning technologies become watchdogs of network behaviour – picking up the slack where humans no longer have the capacity to keep up with volumes of security alerts.

“As you get down the road with models of user behaviour, that’s where we’re going to be really effective,” Garcia said, likening the process to the fraud-detection models that have been successfully developed within financial-services companies and telecommunications companies.

“There are a lot of models where they’ve been able to build models and flag behaviour as a potential fraud or risk,” he continued. “Now we can do the same thing at the infrastructure and network level.”

Broader adoption of the techniques, he said, would elevate machine-learning analytics from being a commercially-driven competitive advantage, to a baseline capability that every organisation should be using to protect customer data and business integrity.

They would also support the rapid modernisation of security defences within companies that are still very much focused on supporting transactional databases designed and administered for operational purposes. This would allow companies to build a unified defence capable of addressing both a broad range of outside and insider threats, while also addressing issues around internet of things (IoT) devices and the myriad threats they will introduce in the future.

“Security, data protection, and privacy protection are things that all enterprise organisations should do by default,” he explained. “It shouldn’t be a differentiator. By commoditising it and doing it through open source, all organisations will be able to take advantage of it so they can invest their resources into other things that are competitive in nature.”

Tags information securitySIEMinfosecinsider threatsclouderaprivacy protectionmachine-learningsecurity defencesIoT devicescybercrimnialsopen-soure machiine learningsecurity-related dataopen-source security tools

Show Comments