Endpoint Protection


Machine Learning is not the Only Answer

Sep 02, 2016 11:34 PM

There’s been a lot of “buzz” around machine learning, but despite what’s being said it’s not a panacea, the answer to all your protection problems. I’m not saying machine learning is not an important weapon for identifying threats, but let’s be honest: its usefulness is targeted at specific points in the attack chain (below), and nothing is ever 100% effective by itself.

[Figure: the attack chain]

I've seen a variety of terms used to describe the different stages in the attack chain, and the chain itself. I think of the attack chain as the threat lifecycle, and the most interesting way I've seen it described uses medical terminology: you are exposed to the virus or threat (incursion); if it goes unchecked you become infected; once infected it tries to spread (infestation), which sometimes includes trying to communicate with its command and control center or exfiltrate information. The ideal outcome of an attack is that the virus or threat is neutralized (inoculation). The later in the attack chain you catch something, the more damage it can do, so it’s advantageous to catch it as soon as possible, but the most important thing is that you catch it. It’s not unheard of for threats to linger in an environment for months, collecting information or disrupting business.

As opposed to other protection techniques, one of the unique things about machine learning is that you have to teach it. It must be trained to understand what to look for to accurately identify a threat, and then constantly updated because new threats are always emerging. So a quality education is very important; otherwise it will flag threats that don’t really exist, in other words you get A LOT of false positives.

Quality education, in this case, means using vast amounts of rich data that is constantly refreshed with new global threat data. By rich data I don’t mean training your machine learning on known malware alone; it’s too easy for hackers to evade that technique. Training must be done using both good and bad files, with constant updates of the newest threats and Indicators of Compromise (IOCs). Really good machine learning uses very sophisticated algorithms and highly trained classifiers to learn to spot the newest threats, but long term it really comes down to the quality of the dataset. To most accurately spot new or previously unknown threats, which is where machine learning has the greatest value, you need a constant supply of the best global threat data possible.
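As an added illustration (not part of the original post), here is a toy attribute-based classifier that shows why a narrow training set produces false positives: with a constructed set in which every malware sample is packed and no benign sample is, the model learns "packed" as its strongest signal and flags a benign packed installer; adding packed benign files and unpacked malware shifts the weight to the persistence attribute, the same lesson the tank-photo anecdote in the comments makes. The attributes, the sample vectors and the naive Bayes model are all assumptions made for this example.

```python
import math

# Boolean per-file attributes (constructed): packed, autorun entry, network use.
FEATURES = ("packed", "autorun", "net")

# Constructed training sets; label 1 = malware, 0 = benign.
# Skewed set: every malware sample is packed and no benign sample is.
SKEWED = [
    ((1, 1, 1), 1), ((1, 1, 0), 1), ((1, 0, 1), 1), ((1, 1, 1), 1),
    ((0, 0, 0), 0), ((0, 0, 1), 0), ((0, 0, 0), 0), ((0, 0, 1), 0),
]
# Diversified set: adds packed benign installers and unpacked malware.
DIVERSE = SKEWED + [((1, 0, 0), 0), ((1, 0, 0), 0), ((1, 0, 1), 0),
                    ((0, 1, 1), 1)]
# Benign packed installer: phones home for updates, no persistence entry.
INSTALLER = (1, 0, 1)

def train(samples):
    """Bernoulli naive Bayes with Laplace smoothing.
    Returns {label: (prior, [P(feature_i = 1 | label), ...])}."""
    model = {}
    for label in (0, 1):
        vecs = [v for v, lab in samples if lab == label]
        probs = [(sum(v[i] for v in vecs) + 1) / (len(vecs) + 2)
                 for i in range(len(FEATURES))]
        model[label] = (len(vecs) / len(samples), probs)
    return model

def classify(model, vec):
    """Return (label, log-odds of malware vs benign) for one file."""
    loglik = {}
    for label, (prior, probs) in model.items():
        loglik[label] = math.log(prior) + sum(
            math.log(p if x else 1 - p) for x, p in zip(vec, probs))
    log_odds = loglik[1] - loglik[0]
    return (1 if log_odds > 0 else 0), log_odds

def strongest_signal(model):
    """Feature whose presence shifts the verdict most toward malware
    (largest log-likelihood ratio): what the model really learned."""
    _, mal = model[1]
    _, ben = model[0]
    ratios = {f: math.log(m / b) for f, m, b in zip(FEATURES, mal, ben)}
    return max(ratios, key=ratios.get)

if __name__ == "__main__":
    for name, data in (("skewed", SKEWED), ("diversified", DIVERSE)):
        m = train(data)
        print(name, classify(m, INSTALLER), strongest_signal(m))
```

Checking which attribute carries the most weight, as strongest_signal does, is the practical test for whether a model learned the threat or a quirk of the training data.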

We should also be clear that there are different types of machine or deep learning: reputation-based, behavioral, and attribute-based. All of them have a place in identifying threats, and all should be part of your endpoint protection solution.

But as I said above, nothing is ever 100% effective by itself. You want other weapons as a backup and for use later in the attack chain; the bottom line is you want that threat eliminated by whatever means possible. That’s why you can’t rely on machine learning alone as the answer to all your protection needs. You must make sure your endpoint protection solution can also effectively identify and eliminate threats during incursion, or when the threat attempts some form of outbound communication.

To sum it up, make sure you have the best protection against threats:

  1. Ensure your solution is initially trained on the best and most varied dataset possible, from a global source.

  2. Ensure your solution is constantly updated, again from a global source, to catch the most recent unknown threats with the fewest false positives.

  3. Acknowledge that machine learning alone is not enough; make sure you have weapons to protect you throughout the attack chain, as seen below: Intrusion Prevention Services, proven signature-based technology, browser protection, device and application control, memory exploit mitigation, and capabilities to address custom packed malware.

[Figure: Attack Chain]

Machine learning is an important weapon, but it’s not the ONLY answer.

Learn more about endpoint protection at go.symantec.com/sep and Symantec Machine Learning


Comments

Nov 29, 2016 06:09 PM

It is well known that today endpoint protection must be layered; the concept of a single antivirus solution belongs to the past. I have always spoken of SEP as an endpoint security solution because it offers us those layers of protection. Machine learning comes to strengthen those layers and provide one more obstacle in the attack vectors of malicious programs with an innovative technology!

Nov 18, 2016 03:07 PM

More and more computers are exposed to cyber attacks. It is important to have tools that provide that security in advance, and it is necessary to educate users in the proper use of the network. Excellent!

Nov 18, 2016 02:37 PM

Machine Learning is only going to be as good as it's programmed to learn. While a lot of companies will attempt it, only a few will probably master it in the beginning.

Ultimately it will be part of most big data systems, both ones that are used for good ethical purposes as well as ones used to interrupt your privacy.

In the security arena it will eventually be more useful than other factors, but all vectors of remediation will need to be in place, not just machine learning alone.

Only time will tell on how well the coding is designed for great uses.


Nov 14, 2016 06:30 AM

Machine learning is a type of artificial intelligence (AI) that provides computers with the ability to learn without being explicitly programmed. Machine learning focuses on the development of computer programs that can teach themselves to grow and change when exposed to new data. I had some experience working with Matlab (some years ago) and that allows me to follow the quizzes, but with some programming experience in any language you won't find any problem. When this is joined with security and solutions..... something more exciting is about to come. Great job n vision @ Symc

Nov 07, 2016 12:40 PM

Machine Learning is a great addition to an environment. I feel like its best use is around applications that should be more predictable than end users, who are never predictable. Being able to feed a machine learning security solution with A LOT of user data to analyze, with updated IOCs and threat feeds, would probably return a lot of points of interest.

Nov 05, 2016 03:03 PM

I think that the rise of this sort of thinking is doing a lot to help people realize the severity of some of the things that we face today. Things like machine learning and next-gen stateful firewalls are awesome and help thwart a lot of problems, but something that a lot of us need to do from time to time is to go back and revisit the basics. Is your company doing syslogging? If you have a SIEM, is it properly tuned to provide accurate data? Do you have a handle on administrative accounts? I'm not knocking machine learning by any means, but none of the things I've mentioned here are meant to be a cure for everything that ails. I believe defense in depth is the only way to roll and this is a welcome addition.

Nov 03, 2016 04:25 PM

Those are some great points. While machine learning systems help you find valuable data, that data must be put into the proper context. Also, if one can use their machine learning to out-maneuver my machine learning, then what's the point?

Nov 01, 2016 04:20 AM

I also totally agree with the above point that Machine Learning is not the Only Answer. There should be some holistic approach with a hybrid solution.

Oct 31, 2016 10:03 AM

Yes Skynet is coming soon.  However you will be eliminated shortly for calling attention to it :)


In all seriousness I agree everything has its uses and Machine Learning or AI is not the answer to everything

Oct 31, 2016 08:29 AM

Machine Learning is interesting and efficient. But machines will learn what you provide to them, and THIS is the most difficult thing to do.

If you are able to generate billions of events simulating the behavior you want to analyze, it will be perfect.... if not, by default you will introduce a bias in the ML result.

In DLP, machine learning technology has been available for a few years now, but it is very difficult to get a fully efficient result, as there is not a lot of difference between source code to protect and source code you don't want to protect.... and did you select the correct one to learn positive/false matches? You will never know... but testing the detection result is mandatory to at least identify potential mistakes and tune your input samples.

Oct 29, 2016 09:50 AM

Now with the release of SEP 14 I'm interested to see what will happen in a production environment, as well as how others will apply this.

Oct 28, 2016 03:34 PM

Machine Learning, and the tweaking of it, is a dark art. And it's not as easy as many think.

For example, you can show a machine lots of pictures of tanks to teach it what a tank looks like, but that can yield interesting results. The machine learning algorithm might revert to a lowest common denominator that you weren't initially aware of in the data set (humans tend to focus on what they are looking for rather than what is *there*).

A prime example of this is an anti-tank AI which, when powered up, went mental and identified tanks EVERYWHERE. The system was rapidly shut down whilst the "error" was tracked.

It turned out that the pictures that the AI had been trained on were tanks on exercise on muddy, generally cloudy days. To diversify the dataset, the "other" pictures selected to balance the training were the programmers' holiday snaps. The algorithm had evidently decided the best differentiator between these pictures wasn't the presence of a tank, but the presence of the sun.....

The richness, or diversity, of the dataset is therefore rather important.

Oct 28, 2016 02:01 AM

Hello,

Machine learning systems help you find valuable insights and patterns in data, which you’d never recognize with traditional methods. In the real world, ML techniques give you a way to identify trends, forecast behavior, and make fact-based recommendations. It’s a hot and growing field, and up-to-speed ML developers are in demand.

Oct 26, 2016 05:47 PM

Agreed. There are many, many tools (like a Swiss army knife) that are needed when securing your resources. This is just one more that will help combat.

Oct 26, 2016 04:28 PM

Interesting article.

Machine learning certainly has its uses for improving efficiency when harvesting data etc. However, how long before the robots take over! Scary thought really. Next thing Skynet will have taken over!

Oct 26, 2016 12:38 PM

We are aware that machine learning is not fully dependable and it brings false positives very often, but still it's the best way to prevent the bad and increase productivity by offloading our workload to a machine. We can handle some false positives in exchange for resource optimization; this blog says the same: machine learning is an important weapon. Nice article.

Oct 26, 2016 10:49 AM

Great article @Symantec!

It's very interesting that you mention the educational piece... I've been in the IT industry for around 10 years now and this is something I've been all about since day 1. I think it is very important to share this information with colleagues, management, and (most importantly) your standard/typical end users. Although you can't teach stupid, you can do your very best to share important security information and protect your environment to the best of your abilities. :)

Oct 26, 2016 09:06 AM

Machine learning means the machine has already been hit, and if the machine isn't intelligent enough (dataset outdated) it will be infected. Stopping these before they even hit the machine should be a goal. In our environment, when a user gets an email with an attachment I fear in some cases that is too late. Fortunately I have trained my end users to always ask before opening.

Oct 26, 2016 06:48 AM

Machine learning seems great, and harvesting data to feed it on a global scale will certainly help improve the reliability. I still feel that the biggest issue will always be the end users. Great article though, always good to learn more about these things.

Oct 26, 2016 04:31 AM

Machine Learning is very good & useful for some purposes, but it's still "controlled" by a human because the code is written by them. They set the design. They set the protocol. They set the rules. They also set the boundaries. And the machines just follow it.

The main question is... who is responsible when something goes wrong? The 'machine' itself, or the person who wrote the code? How do you verify whatever it is doing is correct or not?

That's the big question and we need to decide if it's worth having an application (or even hardware) to do it for us just because we think it can offload our workload to a machine.

Oct 26, 2016 03:30 AM

As with everything it has its uses, it's just another item to use in your toolbelt.

Is skynet just around the corner? :p

Oct 26, 2016 01:24 AM

Machine learning is a trend; everybody does it, and some management even thought it could help them automate what they used to hire a lot of people to do. Well, we have to learn how to walk before we start to run; we need a carefully designed product to secure the environment and help the business grow. Most of the false positives we are facing today are from internally developed applications; is there a way that we can train the machine to learn them? I like the way the article describes the flow of the stages, but I do not want a machine to learn and correct its own mistakes every day.

Oct 25, 2016 02:41 PM

Machine learning is good - if your employees are like robots.

There are so many other tools available, like DLP, that are much more valuable from a security standpoint.

If you like to throw money around at products for fun, not to mention the resources you'll need to maintain them,

then go ahead.... just be prepared for chasing your tail on the false positives that will be popping up on a daily basis.
