The Terminator once proclaimed that his “CPU is a neural-net processor, a learning computer.” For an audience in 1985, those words meant little. But today, machine learning plays a major part in cyber-security – and it has moved from the box office to a day-to-day reality.
There remains a concern. In any true Hollywood thriller, the villain is never the intimidating figure that dominates our screen, but the unassuming character that always befriends and betrays the hero. A similar twist also exists in cyber-security. Everyone concentrates on the external menace – but the forgotten internal threat is often the one that plunges the knife.
It can be easy to discover the unintentional insider and address this with training and technology. The intentional insider threat, however, can be much harder to detect through conventional network security monitoring methods. While most security operations are doing all they can to keep up and mitigate the insider as best they can, they’re still largely at a disadvantage. Fortunately, there is a savior in sight and machine learning is gaining momentum and catching up with the sophisticated, malicious insider at a rapid pace.
The challenge
Traditionally, monitoring for insider threats has been difficult because of one major obstacle: data, or the sheer quantity of it. When monitoring for insider threat activity using conventional network security monitoring, companies have to track and analyze data with just the eyes and brains of their employees.
Of course, the human brain is an uber-powerful processor, but processing huge swathes of data can be nigh on impossible. There are tools that can help, including event aggregation and data correlation with a security information and event management (SIEM) platform, but even these have their limitations and can only monitor for events that are known to be malicious.
This however is ineffective because malicious actors are often patient, using “low and slow” attack methods to access, steal and exfiltrate data as stealthily as possible. These attacks come out of the blue and their methods don’t raise the alarm in traditional security monitoring.
This is where the machines come into play. By running data from multiple event sources through various user behavior analysis (UBA) algorithms, new platforms backed by machine learning can help identify whether someone is trying to access data that they shouldn’t be. Machine learning is so effective because it can improve by simply watching and processing data from multiple event sources. Fundamentally, it can learn without human interaction – meaning it can find insider threats that humans may not have thought possible and with less margin for error.
The perfect partnership
Machine learning is a powerful tool that can utilize big data in a way that simply isn’t possible by a human, or even ten. However, to make the most of machine learning it has to be effectively managed and work in tangent with the human brain.
The reason it is so effective alongside human analysts is because machine learning has the ability to crunch data in such a way that it can create the holy grail on cybersecurity – context.
For example, an average security analyst will often take each event in the network in isolation. The analyst monitors the network, picks up an event (e.g. a manager tried to open a website that hosts malware) remedies it and returns to monitoring.
This is fine for certain threats, but against an advanced malware infection or a “low and slow” data exfiltration attempt by a user – it’s almost useless. Unless events are tied together to provide context, detecting a sophisticated insider threat is near impossible.
By utilizing Big Data however, a UBA solution can form context by monitoring from all angles. This creates a picture of normality and then raises the alarm as soon as that normality is broken, be it via an email, network file transfer or anything else the user wouldn’t usually do.
Coupled with spotting abnormalities in context is having the ability to respond in lightning speed. Traditional network security monitoring, in most cases, falls short at providing timely response to insider threat events and incidents. Machine learning provides fast detection and reporting to permit your cybersecurity analysts to respond more quickly to insider threats.
Some UBA systems can also use various scripts and APIs with configuration management tools to implement mitigating controls, such as firewall rules or account restrictions, to prevent the attacker from sending data or command and control traffic out of your network. From zero to containment in mere seconds. Although insider threat actors work at a low and slow pace, machine learning UBA tools can use automation and interoperability to put a stop to insider threat activity instantly.
The machine learning revolution
Technology is moving to the front line in the battle against insider threats. The machine learning revolution is still only in its infancy and we are yet to reach widespread adoption, but inroads are being made every day. Ultimately, equipping humans with the power of machine learning is a great leap forward, and with its accuracy and speed, malicious users will struggle to hide. Hasta la vista insider threats.