Balancing the Sharing of Information

CyberSecurity Journal

Subscribe to CyberSecurity Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get CyberSecurity Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Security Authors: Ambuj Kumar, Shelly Palmer, Slavik Markovich, Elizabeth White, Greg Ness

Related Topics: Cloud Computing, CyberSecurity Journal

Blog Post

The Cyber Security Maturity Model | @CloudExpo [#IoT #Cloud]

Unsupervised Learning In Cyber Security

Cyber Attacks
We continue to see an increasing trend in cyber-attacks in line with the growth of new technologies, and enterprises have to protect themselves. It is critical for enterprises to devise their own measures to protect against cyber-attacks because any tolerance on this front is more than an IT issue but may affect the very existence and the business model of the enterprise. We have seen in a recent incident where a cyber-attack prevented a large enterprise from performing their basic business process.

Limitations of Policy Based Approach
In the past decade to mitigate the risk of cyber-attacks, enterprises usually appointed security officers and they ensured typical Zero Tolerance Policies on their network, applications, processes and people. Some of them include:

  • No access from home
  • No external devices at work
  • No access to the Internet at work
  • No access to production environments from the development environment
  • No exposure of application APIs outside the firewall

Most of these policies resulted from the first principles of security and quality audits and they continue to be relevant, but some of the basic business models of enterprises have changed:

  • Mobility is a part of enterprise business model such that much of the enterprise business is served through mobile devices anywhere, any time
  • Gen Y workforce demanded to work from anywhere, which means access to the systems should also be open from anywhere
  • Internet of Things opened a new set of business opportunities and at the same time opened up the very micro-level component of an assembly pipeline in a manufacturing plant to the external world
  • Social media and crowdsourcing almost becomes part of most business processes like CRM, Warranty Management, and HRMS
  • Cloud is the enabler that enterprises cannot ignore
  • The DevOps model is sweeping the industry so that the barriers between the production environment and development environment no longer exist

With these points in mind, while the traditional approach of policy enforcement mainly through human means still holds good as a base protection, but will not protect an enterprise from all possibilities of cyber-attack, because the options and combinations are so much such that mere policy enforcement will not identify and prevent them.

Machine Learning Approach
As the enterprise becomes digital, which means every touc hpoint and navigation across the enterprise is handled with some sort of a connected device, be it a VPN gateway, directory servers, access card systems, fingerprint recognition systems, network devices and more, we are in the midst of massive flow of machine data when it comes to tracking the cyber-attacks.

Fortunately the advent of cloud and its byproducts, such as Big Data storage and massively parallel processing frameworks, have provided an opportunity for enterprises to tackle the issue of monitoring the security breaches and also to prevent them. This means enterprises adopted the techniques of understanding massive flows of machine data from various sources and found ways and means to find insights out of that data toward possible security breaches and cyber-attacks.

Machine Learning Approach Maturity Models
To fill in the vacuum in the cyber security prevention space as well as to help the enterprises, several Big Data and machine learning solutions have appeared in the market that claim to help enterprises detect and prevent security attacks. So naturally enterprises will find them interesting but at the same time these initiatives involve cost and effort as well as the risk of choosing a solution that may not foresee all the possibilities and yet make the enterprises vulnerable.

The following maturity models will help enterprises understand the capabilities of the solutions that they will employ to tackle the cyber-security threats.

Level I (Preventive/ Rule Based)
This analyzes the machine data based on certain known rules, which may vary from industry to industry. For example, a finance industry may not allow a credit card authentication of the same card within a span of five minutes from two different geographic areas. Or a healthcare application may not allow log on to a critical life monitoring system from an IP address not listed as part of known addresses. The role of a rule-based approach continues to hold good but they are limited to the domain knowledge of the solution providers and require constant updates to the rule engine.

Level II (Predictive/ Supervised Machine Learning)
A rule-based approach prevents attacks from known conditions and most of the time they cannot predict the intent of the user before an event has occurred. For example, if a rule detects user intention after four failed login attempts, what if a user is able to breach the network on the first attempt. Supervised machine learning methods come to rescue to predict the user intent based on past training data. This technique is highly useful for enterprises in areas like predicting the behavior of a customer or the likelihood of acquiring or losing a customer. Because this approach is highly dependent on past data, we are already seeing the online ad engines offering the products we look for while we are browsing online. In the machine learning world, most algorithms support this technique:

  • Linear regression
  • K - nearest neighbors
  • Naïve bayes
  • Logistic regression
  • Decision tress

This technique will continue to be useful for detecting certain known conditions that occurred in the past for which enterprise security analysts could clearly label them.

But consider the fact that today's hackers are getting sophisticated day by day and security attacks come from unknown places and in unknown means. This means that it is almost impossible to label the security breaches based on some indicators. We have seen that some enterprises are attacked first time in their history and yet that one attack will be so devastating such that there will not be even another chance for the enterprise to survive. This kind of supervised machine learning can be good in other scenarios whereby an enterprise that has lost customers in the past can figure out the likelihood of losing another customer and take preventive actions. Software solutions for cyber-attacks can continue to employ this technique to bring an additional level of protection to their solution.

Level III (Cognitive/ Unsupervised Machine Learning)
There is a recent interview with MIT Artificial Intelligence Expert Professor Joel Moses - Next Phase Of Artificial Intelligence is all about Unsupervised Machine Learning. Such is the power of this level of maturity. In the unsupervised model the goal is to identify or label a threat without any past labeling; rather it will try to cluster the data in a fashion close to the level of human brains but at the speed of machine, such that the abnormal patterns are detected and security is enforced. Some of the famous algorithms for unsupervised learning are:

  • Hidden Markov Models
  • K-Means Clustering

As you see these algorithms they try to uncover something that hasn't already happened with the level of intelligence closest to human thinking or what we call as artificial intelligence.

Summary
All the methods explained above are not mutually exclusive, in order for your enterprise to be effectively immune from cyber threats, you need a,

  • Strong Security Policies & Governance
  • You needed rule based algorithms that prevent known threats
  • You needed supervised machine learning that will predict the past labelled security threats

Finally you can complement all of the above with Unsupervised Machine Learning that will even understand the unknown events of the past and predict the security breaches. So you can always assess your security defense at what level of maturity and take further actions to protect your enterprise.

More Stories By Srinivasan Sundara Rajan

Highly passionate about utilizing Digital Technologies to enable next generation enterprise. Believes in enterprise transformation through the Natives (Cloud Native & Mobile Native).