Cyber Security and Machine Learning
In the past, cyber security systems relied on manually defined rules and human inspection to identify and classify security incidents. This was effective but limited, because it required a high
level of expertise to manage security tools, and overloaded security staff. Many modern security tools use machine techniques to automate security decision making, without requiring rules to be
defined in advance. This can save a lot of time for security teams and result in a faster and more accurate response to threats.
A few examples of the use of machine learning in cyber security are :
- Next-generation antivirus (NGAV) tools use automated malware classification, identifying malware even if it does not match any known binary pattern
- Data loss prevention (DLP) systems use machine learning to read documents or other materials and automatically classify their sensitivity
- Email protection systems are trained using a large dataset of phishing vs. legitimate emails, and can identify emails that “look like” they might be phishing attempts
Application Programming Interfaces (APIs) allow computing systems to communicate with each other and share data. An entire API economy has emerged that allows organizations to share data and
software capabilities with each other.
While APIs provide a lot of value to organizations, they also represent a security risk. There is limited awareness for the importance of API security, and many API endpoints lack basic security
measures. They can be manipulated by attackers to abuse the service behind the API and can also be an entry point to an organization’s critical systems.
In the past few years, dedicated API security solutions are emerging that help organizations lock down API endpoints, protect them from malicious traffic, and defend against DDoS attacks. The Open
API initiative helps organizations define their APIs in a standardized way, making it possible to enforce a security policy built around API capabilities.
Advanced Bot Protection
Bots are systems that access websites and perform automated actions. Some bots are legitimate, for example, the Googlebot crawls websites in order to add them to Google’s search index. But other
bots are malicious, used by threat actors to launch attacks against millions of vulnerable websites.
Bots account for 58% of web traffic today, and a full 22% of web traffic is attributed to bad bots. Bad bots can be installed on end-user devices compromised by attackers, forming massive botnets.
These devices might be home computers, servers, and IoT devices such as game consoles or smart TVs. Attackers leverage networks of compromised devices to launch DDoS and many other types of
Bot management systems help organizations identify unwanted bot traffic and filter it out, while allowing legitimate bot traffic and user traffic to continue uninterrupted. To do this, they need
to identify bad bots, using a variety of methods like :
- Reputation management — managing a database of known good and bad bots
- Device fingerprinting — identifying attributes of the operating system or browser that may indicate a bad bot
- Challenges — subjecting a bot to a “challenge” such as a dynamic page element or a CAPTCHA, which human users can process while bots cannot.
File security is critical to ensure sensitive data has not been accessed or tampered with by unauthorized parties, whether internal or external. Many compliance standards require that
organizations put in place strict control over sensitive data files, demonstrate that those controls are in place, and show an audit trail of file activity in case of a breach.
File security technology can automatically identify suspicious file activity, which may represent an attempt at data exfiltration, a ransomware attack, or even a careless user deleting files by
mistake or copying them to an insecure location.
Runtime Application Self-Protection
Historically, many organizations adopted Application Security Testing (AST) tools that automatically scanned application code for code quality issues and software vulnerabilities. Today, many
organizations are shifting to Runtime Application Self-Protection (RASP), which scans and monitors application code in real time, when it is running in production.
RASP is deployed together with a web application. It monitors traffic and user behavior, and if it detects an issue, it can block specific user requests and alert security staff. RASP does not
rely on specific attack signatures and is able to block entire categories of attacks.
The unique element of RASP is that it leverages inside knowledge of an application’s source code. It knows how an application behaves and can detect attacks that leverage weaknesses in the code,
like code injection and exploits of known vulnerabilities.
As organizations undergo digital transformation and move mission-critical workloads to the cloud, cloud security becomes an essential part of a cyber security strategy. Securing the cloud is a
challenge, because cloud-based systems do not have a traditional security perimeter and can provide attackers access to almost every aspect of the IT environment.
Organizations must understand the division of responsibility between themselves and their cloud provider, and correctly configure security features offered by the cloud provider, in particular
network isolation features like Virtual Private Cloud (VPC). They must also have a robust Identity and Access Management (IAM) solution – a way to define user accounts, roles and access control
When deploying hybrid cloud or multi-cloud infrastructure, which connects between private and public clouds or multiple public clouds, organizations must ensure security is consistent across all
their cloud environments and pay special attention to integration points.
Organizations collect a huge volume of logs and events from IT systems and security tools. It is now common, even in small to medium organizations, to use Security Information and Event Management
(SIEM) to aggregate security data and create alerts for security teams.
The sheer number of alerts, together with the chronic shortage of security staff at many organizations, results in alert fatigue. Security teams receive thousands of alerts at all hours of the
day, making it difficult to sift through the alerts and identify real security incidents.
The problem is not new and there are several approaches to mitigating alert fatigue. For example, organizations implement threat intelligence to identify when an alert correlates with a signature
or attack pattern of a known attacker. Machine learning approaches like User and Event Behavioral Analytics (UEBA) help identify unusual behavior, and automatically score it to identify events
that are more likely to be malicious.