CISO’s Guide: Introduction to Machine Learning for Cybersecurity

By Larry Lunetta, VP WLAN & Security Solutions Marketing

Cybersecurity has long been a boardroom discussion, and the potential use of artificial intelligence to detect attacks that have evaded traditional security defenses should be added to the agenda. This blog is the first in a series to introduce chief information security officers (CISOs) and other security leaders to the possibilities of using machine learning and user entity behavioral analytics (UEBA) to detect cyber attacks faster—and before lasting damage is done. In this first blog, we explain the overall situation and why machine learning can help.

In days past, threats to the business most often came from the outside through a perimeter that could easily be defended. But things have changed. Organizations face challenging new threats coming from attacks that have reached inside: compromised users, negligent employees and malicious insiders. This, in turn, makes it much more challenging for CISOs and security leaders to successfully protect the organization.

Nuance Matters

One of the central problems is that most of the security products used by the vast majority of companies look at the world in binary terms: traffic is bad or good, files are infected or not, users are authorized or blocked. While these approaches have historically proved effective in many circumstances, today these "black and white" checkpoints are becoming more and more permeable.

Once inside an organization, free from fears of being readily caught, targeted attacks can leisurely surveil, probe and exploit an organization by bypassing the traditional defenses. To identify these "low and slow" threats, security approaches have to deal with the world of "gray"—small signals that must be detected, put in context over time and added up to indicate pending harm. These targeted attacks may pace themselves, taking tiny steps. Most attackers are all too aware of the arsenal of tools designed to find telltale attack signatures.

Adding to this nuanced puzzle is that CISOs must keep in mind that detecting these attacks requires the ability to not only understand what is different but also to make a decision about whether "different" means "deadly." Anomalous doesn't always mean malicious. Employees change jobs, locations and work habits all the time. Analysts already see too many false positives, and to alert on every small change is overwhelming and impractical.

Choosing the Best Tool

So, what to do? How can CISOs stand a fighting chance? Enter machine learning. Machine learning is one of the most powerful tools a company can use to detect these types of inside attacks before they do damage.

Machine learning is a form of artificial intelligence (AI) that learns and makes judgments without needing to be explicitly programmed for every scenario. Unlike signature-based products, machine-learning models learn from data. They are capable of providing a probabilistic conclusion, which can then be converted into a binary signal of "good or bad." The likelihood of a decision being accurate can be interpreted as a measure of confidence in that conclusion.

Machine learning is a core capability in the product category that Gartner calls user and entity behavioral analytics (UEBA), a category for which Gartner forecasts a healthy 48% compound annual growth rate from 2015 to 2020.

UEBA solutions can be used on their own or add value across the security ecosystem. UEBA leverages the same logs that a security information and event management (SIEM) system like ArcSight, Splunk or QRadar collects, which means that the investment a company made for IT operations and compliance can be easily extended to produce additional value in terms of precision attack detection and accelerated incident response.
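To make the argument above concrete, here is a small added Python example (not code from this post or from any UEBA product) that follows the three steps described: it learns per-user baselines from constructed SIEM-style events, turns each new event into a probabilistic conclusion, and adds up small signals over time before converting them into a binary alert. The users, feature names, Gaussian model and thresholds are assumptions chosen for the illustration.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ("bytes_out_mb", "distinct_hosts")

# Constructed sample events, not real log data: (user, day, bytes_out_mb, distinct_hosts).
# Two weeks of routine behaviour per user form the baseline.
BASELINE = [("alice", d, 50 + (d % 2) * 10, 3 + (d % 2) * 2) for d in range(1, 15)]
BASELINE += [("bob", d, 200 + (d % 2) * 20, 8 + (d % 2) * 2) for d in range(1, 15)]
# Observation window: alice drifts upward a little each day ("low and slow");
# bob has one noisy day and then returns to normal.
OBSERVED = [("alice", 15, 62, 4), ("alice", 16, 64, 5), ("alice", 17, 65, 5),
            ("alice", 18, 67, 6), ("bob", 15, 245, 9), ("bob", 16, 212, 9)]


def fit_baselines(events):
    """Per-user, per-feature (mean, std) learned from the data rather than hand-written."""
    per_user = defaultdict(lambda: defaultdict(list))
    for user, _day, *values in events:
        for name, value in zip(FEATURES, values):
            per_user[user][name].append(value)
    return {u: {f: (float(mean(v)), pstdev(v) or 1.0) for f, v in feats.items()}
            for u, feats in per_user.items()}


def anomaly_probability(baseline, values):
    """Probabilistic conclusion: 1 - P(a routine day looks at least this unusual),
    using the most unusual feature (two-sided Gaussian tail via erfc)."""
    worst = 0.0
    for name, value in zip(FEATURES, values):
        mu, sigma = baseline[name]
        z = abs(value - mu) / sigma
        worst = max(worst, 1.0 - math.erfc(z / math.sqrt(2)))
    return worst


def score_stream(baselines, observed, threshold=2.0, decay=0.8, floor=0.5):
    """Convert probabilities into a binary alert by adding up small signals over time:
    signals below `floor` count as routine variation and older signals decay."""
    risk = defaultdict(float)
    rows = []
    for user, day, *values in sorted(observed, key=lambda e: e[1]):
        p = anomaly_probability(baselines[user], values)
        risk[user] = risk[user] * decay + (p if p >= floor else 0.0)
        rows.append({"user": user, "day": day, "confidence": round(p, 3),
                     "risk": round(risk[user], 3), "alert": risk[user] >= threshold})
    return rows


if __name__ == "__main__":
    for row in score_stream(fit_baselines(BASELINE), OBSERVED):
        print(row)  # alice alerts from day 17 onward; bob never does
```

The per-event `confidence` is the probability the text describes; `alert` is the binary signal, and bob's single noisy day shows why anomalous does not automatically mean malicious.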

Learn More

In our next blog, we'll dive into the principles of machine learning.

Ready to learn more? Download the CISO's Guide to Machine Learning and User Entity Behavioral Analytics e-book now.