Page 47 - Cyber Warnings
If input data comes from every layer of the network, then the Machine Intelligence solution can
identify anomalies at each layer, and at each device within each layer. This means the Machine
Intelligence solution identifies behavior, such as advanced persistent threats or insider attacks, that
may be limited in scope or very well hidden among massive volumes of network traffic, and that would
be missed by a security team pre-programming logic in SIEM systems, even well thought-out
logic (a limitation of SIEM systems), or working with an IDS ruleset alone.
Drawbacks are Claimed
Advanced analytics have been around for 20 years or more, so there must be something wrong
with them, or we’d all be using them. Right? Naturally, as with anything created by humans,
Machine Intelligence solutions can be defeated by other humans. However, there are several
existing approaches, including classification algorithms, proven to successfully mimic security
analyst behavior, which can be built into the design to detect new threat samples and avoid being defeated by them.
A second criticism of Machine Intelligence solutions is that they are not “plug and play,” i.e. that
they need analyst time to filter out false positives, that is, to teach the system what is a threat and
what isn’t. Failure to do so leads to excessive false positives and alert fatigue. Alert fatigue is a
real problem: a recent article suggests that over half of security professionals are missing alerts they
should address.
However, MIT research indicates that human/Machine Intelligence collaboration is actually
beneficial and can reduce false positives by close to 85%. Furthermore, while Machine
Intelligence solutions may not be “plug and play,” their implementation time is much lower as
compared to SIEM systems (hours vs. months) and training the machine on false positives
requires a very small actual time commitment (minutes a day).
Bringing Solutions Together
Is it possible to have the benefits of Machine Intelligence technology, but minimize the hassles?
Is it possible to use Machine Intelligence in such a way that this technology is used for truly
advanced analysis, reducing false positives and saving the security team’s time?
Integrating several features and technology types into one solution mitigates several issues with
Machine Intelligence technology and creates a more efficient system. Specifically, integrating
with IDS rules and network performance monitoring is an efficient means of improving network
security by joining complementary features and data sets.
Integration Brings Advantages
In such an integration, detection is more effective and false positives are reduced. Less time
training the system is required, and information that is “trained” starts from a more accurate
position.
Integration with an IDS ruleset specifically brings two benefits: The first is that the IDS, a list of
existing rules and known signatures, helps the Machine Intelligence tools function more
47 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide