Modern Insider Threat Management: Machine Learning as a Non-Negotiable
The term ‘machine learning’ has long garnered the reputation of buzzword, evidenced by the more than 800 million search results generated when it’s typed into Google. We've certainly seen more intense focus and scrutiny on this particular topic in recent months - and with good reason, as it disrupts industries far and wide and demonstrates the potential to revolutionize entire businesses.
While all of the hype around machine learning has driven increased interest, it has also heightened confusion in some cases – largely due to a somewhat ambiguous definition and loose parameters around what constitutes 'machine learning.' For many organizations, it has proven difficult to tell fact from fiction and understand what can truly be accomplished with the help of machine learning capabilities.
When it comes to cybersecurity, however, we can say without hesitation that machine learning is actively being integrated into advanced systems and platforms. And it has certainly come at a critical time, when securing an enterprise’s most valuable and sensitive assets - data, people, and intellectual property - has become an enormous and overwhelming challenge. Only one third (36%) of organizations believe they have adequate resources to manage endpoint security effectively, according to the Ponemon Institute, as new threats and attack vectors are emerging at a record pace.
While there’s no single reason or factor to attribute this challenge to, the reliance on outdated approaches is a significant one. More specifically, the use of rule and signature-based detection – the cornerstone of many legacy security solutions – is increasingly being recognized as a source of frustration and vulnerability.
We certainly don't believe that rule-based capabilities should be completely banished from today's enterprise security stacks.. but there's no denying that relying primarily or solely on this approach has left us with significant hurdles that need to be overcome to achieve truly modern and effective insider threat management.
And this is now entirely possible, thanks to advancements in machine learning.
THE CHALLENGE: A sophisticated threat landscape.
Rule and signature-based approaches rely on a catalog of events, behaviors, or activities to understand what is ‘good’ or ‘bad’ – requiring that they be updated often enough to account for every possible threat that might exist at any given time. But new threats, attack vectors and methods are emerging and evolving at a record pace - and only growing more sophisticated by the day. And so, the static nature of legacy rule-based tools has rendered them insufficient when it comes to protecting the modern enterprise.
Furthermore, today’s advanced, multi-stage attacks no longer use immediately identifiable methods to compromise perimeter defenses. It's estimated that one in every 131 emails contain a malware and 230,000 new malware samples are produced every day. And recent industry data shows that an attacker resides within a network for an average of 146 days before detection, allowing them ample time to harvest credentials, escalate privileges, and ultimately, gain access to critical systems and data.
HOW MACHINE LEARNING HELPS:
Organizations need flexibility and adaptability - with the ability to pivot at a moment’s notice - if there is any hope of keeping pace with today’s bad actors and outside infiltrators. From malicious to negligent insiders to outsiders preying on and posing as insiders, the diverse nature of external and internal threats has deemed it essential to invest in solutions that are capable of understanding and self-tuning. This is made possible only with the help of machine learning.
By generating an understanding of individual user behavior and events, machine learning makes it possible to detect all types of threats – notably insider threats. The ability to train systems by feeding them known good and bad behaviors speeds time-to-value without requiring time-intensive manual tuning. And when it comes to especially complex threats, such as compromised credentials, machine learning can be used to enable systems to proactively hunt for these types of threats - and if necessary, correlate multiple, seemingly unrelated behaviors together to detect them.
THE CHALLENGE: The human element.
The simple truth is that every insider, user and employee is human... and that fact alone makes both them vulnerable and susceptible to error. Whether it’s falling prey to the social engineering tactics of bad actors or inadvertently leaving a backdoor open, it only takes one user – any user – to compromise a network. Nearly two thirds (64%) of insider threat-related security incidents are the result of negligent or careless behaviors, and 63 percent of all network intrusions and data breaches are due to compromised user credentials.
But, the unique nature of human behavior combined with diverse and widely-varied employee roles, responsibilities, and needs presents an overwhelming number of variables to contend with. What presents as risky or suspicious activity for one person does not necessarily represent suspicious activity for another. And it is has become all but impossible for the average organization to account for every one of these variables and write a rule for all potentially risky scenarios.
HOW MACHINE LEARNING HELPS:
With a focus on the user and understanding their individual, unique behaviors, machine learning makes it possible to establish a baseline of normal behavior and use that baseline understanding to detect abnormalities and anomalies. It also enables the ability to measure whether a particular behavior is normal or abnormal against a variety of conditions – including the user themselves, a peer group, or an entire organization - with very little manual tuning.
THE CHALLENGE: Excessive alerting and information overload.
The diverse nature of user behaviors, environments, and needs has historically required security analysts and teams to manually fine-tune and teach legacy, rule-based systems to know what to look for. Often times, with limited time and resources, this has resulted in generalized, high-level rules that cast a wide net and generate potentially hundreds, if not thousands, of alerts.
This excessive alerting, and the manual review required to verify if a threat actually exists, has found security teams and analysts in a near-constant state of information overload. One estimate says false positive rates for existing endpoint security solutions are hovering around 50 percent, at a time when a majority of organizations feel they have don’t sufficient resources to adequately secure their networks and endpoints.
HOW MACHINE LEARNING HELPS:
Machine learning enables better anomaly detection – and with better anomaly detection comes higher-quality alerts, meaning they are reliable, actionable and enriched with behavioral context and intelligence. With machine learning in play, alerts are only triggered after suspicious activities are contextually aggregated and verified. And when combined with alert signals and additional behavioral models, there can be vast improvements in signal-to-noise ratio and a notable reduction in false positives and alert fatigue.
It’s also worth noting that in the case that a false positive does inevitably get triggered, it’s possible to feed alerts back into the system – and machine learning can be used to train them on what look for in future instances and optimize existing models.
THE CHALLENGE: The ‘unknown unknowns.’
Traditional rule-based solutions are only as intelligent as the information being fed into them, which means they rely completely on the humans who manage them to tell them what to look for. But if a human doesn’t know that something presents a risk, they won’t tell the system to look for it. In other words, if rules and indicators are designed based only on known and available information, there will inevitably be things that fall through the cracks.
HOW MACHINE LEARNING HELPS:
Because systems powered by machine learning work from a baseline of what is normal behavior or activity, anything that might be considered anomalous or abnormal can be detected and alerted on – even if it hasn’t been seen before. This makes it possible to detect highly unique or specific threats that are likely to fall under the radar.
The bottom line: the modern enterprise must be powered by technologies that are capable of understanding behavioral context and generating intelligence.
As perimeters have disintegrated and the need for flexible, remote access to systems and data has reached an all-time high, the user has come to play a critical and central role in enterprise security. Machine learning makes it possible to truly understand that user, and better protect them - both from malicious outside infiltrators and from themselves. This is a non-negotiable when it comes to detecting insider threats and, ultimately, ensuring the security of an entire organization.