Machine Learning Optimizes the Work of Security Teams

PATHFINDER REPORT | MACHINE LEARNING RAISES SECURITY TEAMS TO THE NEXT LEVEL

While machine learning can detect patterns hidden in data at high speed, its less obvious value is providing enough automation to give humans the time and focus to craft creative responses when the right response is not obvious.

INTRODUCTION

Machine learning is all around us, enriching our online lives every day. We see it with our own eyes when search engines accurately predict what we are looking for after we type only a few letters. We feel it protecting our bank accounts by evaluating credit card transactions for signs of fraud. We notice it in the selection of articles and ads in online newspapers. We no longer think twice about these conveniences; in fact, it is hard to imagine online life without machine learning.

In cybersecurity, machine learning has been changing the game as a means of managing the massive amounts of data within corporate environments. However, machine learning lacks the innately human ability to creatively solve problems and intellectually analyze events. It has been said time and again that people are a company's greatest asset. Machine learning makes security teams better, and vice versa. Human-machine teams deliver the best of both worlds:

• Machine learning means security teams are better informed and can therefore make better decisions. Security executives realize that the intelligence and creativity of their security operations experts are critical business resources. Machine learning is a technology that allows chief security officers (CSOs) to get the most out of both their human and their security product assets.

• Adversaries are human and continuously introduce new techniques. Creative new tactics and strategies from adversaries force security teams to employ machine learning to automate the discovery of new attack methods; the creative problem solving and unique intellect of the security team then strengthen the response.

• Machine learning becomes more accurate as more data is available to feed its algorithms. Advances in handling big data with high-performance, high-capacity storage architectures have enabled the growth of artificial intelligence.

• IT teams need help analyzing faults. In those rare instances when endpoint security cannot prevent damage from an attack, machine learning gathers the relevant data elements into one place, putting them at the fingertips of security analysts when needed.

• Human-machine teaming makes for sustainable endpoint security. As new threats appear, security teams alone cannot sustain the volume, and machines alone cannot issue creative responses. Human-machine teams make endpoint security more effective without draining performance or inhibiting the user experience.

This Pathfinder Report summarizes the key technical and use-case attributes of machine learning before making recommendations on how to evaluate the capability. This report is sponsored by McAfee.

COMMISSIONED BY MCAFEE

Machine learning allows endpoint security to continually evolve to stop new attack tactics

We see attackers focusing on vulnerable endpoints as the preferred point of entry for malware. Popular tactics include phishing, downloaded code that executes in the browser, infected email attachments, user-installed rogue executables, and the use of stolen account credentials. One of the challenges for IT operations is that endpoints are not confined to the datacenter, where they can be surrounded by layers of security defenses under the vigilance of security teams.
Rather, they are constantly on the move, in and out of the network.

Market data confirms that the most important job of enterprise security teams is to prevent cyberattacks from penetrating the infrastructure. That makes sense, because all of the other security products exist to support that one central mission of protecting the business. According to respondents in the recent 451 Research Voice of the Enterprise: Information Security survey, hackers remain at the top of information security concerns, outpacing compliance, internal audit deficiencies, espionage and cyber warfare.

Figure 1: Top information security concerns
Question: What were your top general information security concerns during the last 90 days?
  Hackers/crackers with malicious intent           58.9%
  Compliance                                       50.1%
  Internal audit deficiencies based on findings    32.4%
  Preventing/detecting insider espionage           24.0%
  Cyber-warfare                                    17.3%
  Other                                             5.7%
Source: 451 Research, Voice of the Enterprise: Information Security, Budgets and Outlook, April 2017

Endpoint security is in a constant state of stepwise refinement, embracing new prevention techniques to thwart new attacker tactics. Machine learning is a natural extension of the other malware-prevention methods. Endpoint security has been protecting our devices for decades in a constant back-and-forth conflict with hackers and attackers: malware developers create a new threat, endpoint security deploys an antidote, malware developers refine their attacks, and around we go. Typical protection methods include:

• Searching for exploit code using signatures and patterns. This is the classic blacklist approach, explicitly identifying attacks so that they can be blocked, and it is what started the antivirus market. Today's endpoint security products also tend to download active code snippets that identify classes of attacks and remove them from the device.

• Whitelists specify the programs that may execute on the endpoint. Anything not on the approved list is treated as a threat and is not allowed to run. This is effective in environments where the endpoint configuration is relatively stable, and it leads to a quick decision.

• IP reputation filters are consulted before allowing connections to or from sites in the cloud. This blacklist approach forbids communication with sites that have questionable histories or geographies.

• Host intrusion prevention systems add a time dimension and a thin layer of machine learning to endpoint security. For instance, while it is reasonable for a user to open an email attachment, click on a link and save an encrypted file, it is not reasonable for all three to occur within 300 ms.

• Personal firewalls enforce security policies for network zones. This method controls access to servers and protocols.
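The "time dimension" rule in the host intrusion prevention bullet above can be expressed as a small behavioural detector. The following is an added example, not code from the report or from McAfee: it replays a constructed endpoint event log and raises an alert whenever one user completes the attachment-open, link-click, encrypted-file-write sequence within 300 ms, a pace no human reaches. The event names, the log format and the sample lines are assumptions made for this example.

```python
# Added example (not from the 451 Research report or any McAfee product):
# a minimal host-based behavioural rule that flags an ordered sequence of
# endpoint events completed faster than a human could perform it.
# Event names, the log format and SAMPLE_LOG are constructed for this example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SEQUENCE = ("attachment_open", "link_click", "encrypted_file_write")
WINDOW = timedelta(milliseconds=300)   # the 300 ms threshold from the text

# Constructed sample log, one event per line: "<ISO-8601 UTC timestamp> <user> <event>".
# alice: full sequence in 210 ms (alert); bob: human pace; alice again: no attachment
# open; carol: full sequence but spread over 350 ms, just outside the window.
SAMPLE_LOG = """\
2017-04-03T10:15:02.100Z alice attachment_open
2017-04-03T10:15:02.180Z alice link_click
2017-04-03T10:15:02.310Z alice encrypted_file_write
2017-04-03T10:20:00.000Z bob attachment_open
2017-04-03T10:20:05.000Z bob link_click
2017-04-03T10:20:09.000Z bob encrypted_file_write
2017-04-03T10:30:00.000Z alice link_click
2017-04-03T10:30:00.100Z alice encrypted_file_write
2017-04-03T11:00:00.000Z carol attachment_open
2017-04-03T11:00:00.200Z carol link_click
2017-04-03T11:00:00.350Z carol encrypted_file_write
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"), user, event))
    events.sort(key=lambda e: e[0])   # the detector assumes time-ordered input
    return events


def contains_in_order(buffer, sequence):
    """True if `sequence` occurs as an ordered subsequence of the buffered events
    (other events may be interleaved between the steps)."""
    it = iter(event for _, event in buffer)
    return all(step in it for step in sequence)


def detect_fast_sequences(events, sequence=SEQUENCE, window=WINDOW):
    """Return one alert per user each time the full sequence completes within `window`."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, event) inside the window
    alerts = []
    for ts, user, event in events:
        buf = recent[user]
        while buf and ts - buf[0][0] > window:   # drop events older than the window
            buf.popleft()
        buf.append((ts, event))
        # Only evaluate when the final step arrives; earlier steps cannot complete it.
        if event == sequence[-1] and contains_in_order(buf, sequence):
            elapsed_ms = int((ts - buf[0][0]) / timedelta(milliseconds=1))
            alerts.append({"user": user, "start": buf[0][0].isoformat(),
                           "elapsed_ms": elapsed_ms})
            buf.clear()   # one alert per completed sequence, not one per later event
    return alerts


if __name__ == "__main__":
    for alert in detect_fast_sequences(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['user']}: sequence completed in "
              f"{alert['elapsed_ms']} ms starting {alert['start']}")
```

Run on the sample log, only alice's first three events trigger an alert; bob is too slow, alice's second burst lacks the attachment open, and carol's sequence takes 350 ms, so its first event has already aged out of the window when the last one arrives. A production rule would key the buffer on process or session rather than user name alone, and would treat the 300 ms figure as tunable per event class rather than a universal constant.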