The Machines Are Coming. And That’s a Good Thing.

There have been a lot of press articles recently with titles like “Robots are Coming for Your Job” and “Will Artificial Intelligence Be the Fall of Humankind?”, etc. Most predictions of the future inevitably turn out to be wrong (or, as Yogi Berra said, “The future isn’t what it used to be.”).

Science fiction aside, there is one area where automated help is wanted and needed: cybersecurity. Cyber threats are coming fast and furious. So much so that these unwanted visitors could seriously impact the progress of the Digital Age. Do we need more people to combat this problem? Yes. Many more people are needed. So much so that a recent issue of a business publication named “Cybersecurity Expert” as one of nine “future proof” jobs.

But it’s not just a question of throwing more and more people at the problem. Or of software developers working overtime to perfect yet another standalone cybersecurity widget. The onslaught of malware and new permutations like ransomware simply evolve too fast. The industry needs help, and it will come from automation. McAfee recently commissioned research on the current state of machine intelligence as it relates to endpoint security: “Machine Learning Raises Security Teams to the Next Level”. I urge anyone who is seriously interested in cybersecurity to check it out. It makes clear that machine learning is needed, but is not a replacement for people – it’s an adjunct to the job people are already doing.

The Limits of Machine Learning

As much as we need machines, it’s important to remember what they can and cannot do:

Machine learning can: detect patterns hidden in the data at rapid speeds; increase this accuracy as more data feeds its algorithms; analyze results when a breach has occurred; and keep up with a large volume of routine attacks.

Machine learning cannot: initiate creative responses; understand the Big Picture; communicate threats across disparate organizations and systems; anticipate the threat arc of new human adversaries.

Machine learning is only as good as the algorithm it was “trained on.” Machine learning can’t exist without humans.

Machine learning makes security teams better. It means they are better informed and can make better decisions. As new threats are introduced, human security teams alone cannot sustain the volume, and machines alone cannot issue creative responses. Human-machine teams make cybersecurity more effective without draining performance or inhibiting the user experience.

ML + Endpoint

Machine learning allows endpoint security to continually evolve to stop new attack tactics. One of the challenges for IT operations is that endpoints are not sheltered in the datacenter, where they can be surrounded by layers of security defenses under the vigilance of security teams. Endpoints are constantly on the move, in and out of the network.

Thus, endpoint security is in a constant state of stepwise refinement, embracing new prevention techniques to stop new tactics. Machine learning is a natural extension to other malware-prevention methods and the constant back-and-forth conflict with hackers and attackers.

However, locating machine learning in the client alone is not the whole answer. There are those who believe that client-based solutions are the best way to stop malware before it starts running. Others claim ML should be based in the cloud, where the experiments of the bad guys can be analyzed.

McAfee does not subscribe exclusively to either — we think ML should cover both. In short, an integrated solution is the only way to be fully protected.

It’s also important to remember that machine learning is just one element of a successful endpoint strategy.

Beyond Endpoint

Finally, though there is currently a lot of press and attention on ML at the endpoint, machine learning is not just for endpoint; it is a valuable tool that can be used across many aspects of cybersecurity. McAfee uses machine learning, including unsupervised learning algorithms, across our portfolio, from Advanced Threat Defense (ATD) and Security Information and Event Management (SIEM) to URL Classification Systems and in the Gateway.

Conclusion

If a security analyst requires 15 minutes to investigate and clear a security alert, then that person can only process about 30 alerts per day. This arithmetic dooms security teams to unsustainable, reactive patterns, and it leaves security personnel no time to develop problem-solving skills. Attackers use automated practices to discover what works and then relaunch tactics for maximum effect. The best way for security teams to get ahead in this game is to allocate time for people to use their intelligence and creativity to enhance security practices, and to leverage efficiencies gained from machine-learning technology to make that time.

Machine learning in cybersecurity is here, and that’s a good thing. It is a critical component of any enterprise endpoint security strategy. Given the volume and evolution of attacks hammering away at endpoints, security must be able to adapt without human intervention, and must provide the visibility and focus to enable humans to make more informed decisions. So, look at that “robot” as performing the routine stuff – and allowing the human to soar.
