Machine Learning – where did the love go?
11 Apr
The lack of emotion in machine learning User Entity Behaviour Analytics (UEBA) platforms is somewhat double-edged. Objectivity is great when it comes to detecting and responding to insider threats. While the math behind machine learning can be pretty complicated, it’s at the very least non-partisan.
UEBA platforms do not pick favourites. They have no friends, and they never decide that some folks can be let off for violating cybersecurity policy. Machine learning does not slow down due to distraction, anxiety, or a bad breakup. Given the same data set, a UEBA platform will give you the same results every time, and that’s great. The downside to such objectivity is that the platform does not understand whether a given user is having a bad day, simply mis-clicked, or was just curious and bears no ill will.
So, before you fire your security analysts and use their salaries to procure a UEBA solution with machine learning, keep in mind that you will need their humanity to help the UEBA platform discern whether the alerts actually signify a malicious insider, an unwitting insider, or a configuration error. While these may all amount to the same type of alert within a UEBA solution, the fact is that each of those incidents would need to be treated differently.
Machine learning still requires human interaction, just less of it than today’s mainstream monitoring solutions demand. Although one of the greatest benefits of machine learning solutions is their independence from human interaction, they cannot reach their full potential without some form of help.
Give a helping – human – hand
A UEBA solution that uses machine learning doesn’t require you to create policies, filters, or rules in order to detect potentially malicious behaviour; it uses its own statistical models to deduce whether or not a user is doing something out of the ordinary. Human interaction is required, however, to tell the UEBA solution whether or not it’s correct. Adding a thumbs-up/thumbs-down verdict (to put it simply) to the equation tells the UEBA whether it’s on the right track, or whether it’s throwing up false positives and needs to recognise the action under scrutiny as legitimate.
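To make that feedback loop concrete, here is a small added illustration (not ZoneFox code, and not how any particular product is built): each user/action pair keeps a baseline of past counts, an observation more than three standard deviations above the baseline raises an alert, and the analyst's thumbs-down folds a false positive into the baseline while a thumbs-up leaves the baseline untouched so the model never learns an attacker's behaviour as normal. The user names, counts and the 1.0 deviation floor are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev


class FeedbackUEBA:
    """Per-user, per-action baseline with an analyst thumbs-up/down loop (constructed toy)."""

    def __init__(self, min_samples=5, z_threshold=3.0):
        self.min_samples = min_samples
        self.z_threshold = z_threshold
        self.history = defaultdict(list)  # (user, action) -> values accepted into the baseline
        self.pending = {}  # alert id -> (user, action, value) awaiting an analyst verdict
        self.next_id = 0

    def observe(self, user, action, value):
        """Score one observation; return an alert dict or None. Same data, same verdict."""
        past = self.history[(user, action)]
        if len(past) >= self.min_samples:
            sigma = max(pstdev(past), 1.0)  # constructed floor so a flat baseline cannot divide by zero
            z = (value - mean(past)) / sigma
            if z > self.z_threshold:
                alert_id, self.next_id = self.next_id, self.next_id + 1
                self.pending[alert_id] = (user, action, value)
                return {"id": alert_id, "user": user, "action": action, "value": value, "z": z}
        past.append(value)  # unremarkable activity quietly extends the baseline
        return None

    def feedback(self, alert_id, malicious):
        """Analyst verdict: a false positive teaches the baseline; a true positive is never learned."""
        user, action, value = self.pending.pop(alert_id)
        if not malicious:
            self.history[(user, action)].append(value)


def demo():
    ueba = FeedbackUEBA()
    for v in [10, 12, 11, 9, 10]:  # constructed: alice's usual files opened per hour
        ueba.observe("alice", "file_open", v)
    first = ueba.observe("alice", "file_open", 40)  # month-end report run, flagged
    repeat = ueba.observe("alice", "file_open", 40)  # no verdict yet: identical alert again
    for a in (first, repeat):
        ueba.feedback(a["id"], malicious=False)  # thumbs-down: legitimate, fold it in
    after = ueba.observe("alice", "file_open", 40)  # now inside the widened baseline
    for v in [3, 4, 3, 5, 4]:  # constructed: bob's usual hourly count
        ueba.observe("bob", "file_open", v)
    bob = ueba.observe("bob", "file_open", 50)
    ueba.feedback(bob["id"], malicious=True)  # thumbs-up: confirmed, baseline must not learn it
    bob_again = ueba.observe("bob", "file_open", 50)  # still alerts with the same score
    return {"first": first, "repeat": repeat, "after_feedback": after,
            "bob": bob, "bob_again": bob_again}
```

The point to notice is the asymmetry: only analyst-confirmed benign activity changes what the model considers normal, which is the "human hand" the post is describing.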
A UEBA solution with machine learning delivers more accurate events to your cybersecurity operations center. The net result of this added accuracy is far less time spent by your security analysts analyzing events (and potential events) in order to turn them into SIEM rules. The difference here is prediction versus reaction; in that situation, which would you prefer?
- UEBA with machine learning provides more accurate alerts than conventional security solutions
- Human input into UEBA solutions with machine learning can help the solution provide even more accurate results the next time around
- Machine learning leverages statistical models and probability to provide alerts, instead of analysts manually creating scenarios which will trigger alerts
- Solutions that use machine learning can still provide false positives – analysis is still required!
- Machine learning solutions can save hours of analyst time creating rules and filters
Proactivity is key when it comes to cybersecurity, but we still must maintain the ability to react. Machine learning is great because it’s proactive, but while proactive detection provides a great advantage, it’s nothing without the ability to react appropriately to any security events or incidents that may arise.
In addition to machine learning, we also need common sense. While common sense is not all that common, we can help build it into our cybersecurity practice through the introduction of processes and standards. An incident response plan, especially one that takes into account the insider threat specifically, is one of the keys to success in cybersecurity. If your machine learning solution picks up a potential insider threat, how will your response team react? Will they light their torches and grab their pitchforks, or will they have a calculated, uniform response which includes HR, management, and IT? Proactivity gives us the jump on any potential attackers, whether inside or out. The inability to properly respond, however, will still leave something to be desired. In short, ensure that alongside the next-generation machine learning solution you implement within your environment resides a tried, tested, and true incident response plan.