Machine learning (ML) lets computers learn without being explicitly programmed. Put another way, machine learning teaches computers to do what people do: learn by experience. Machine learning is a domain within the broader field of artificial intelligence.
In security, machine learning continuously learns by analyzing data to find patterns so we can better detect malware in encrypted traffic, find insider threats, predict where “bad neighborhoods” are online to keep people safe when browsing, or protect data in the cloud by uncovering suspicious user behavior.
The cyber threat landscape forces organizations to constantly track and correlate millions of external and internal data points across their infrastructure and users. It simply is not feasible to manage this volume of information with only a team of people.
This is where machine learning shines, because it can recognize patterns and predict threats in massive data sets, all at machine speed. By automating the analysis, cyber teams can rapidly detect threats and isolate situations that need deeper human analysis.
The details of machine learning can seem intimidating to non-data scientists, so let's look at some key terms.
Supervised learning trains a model on labelled examples: observations paired with the correct answer, the labels being the "ground truth". The model it produces is usually a classifier, the workhorse of machine learning analysis, which assigns each new observation to a category; the learning algorithm chooses the classifier's parameters so that it generalizes from the training set to data it has not seen. An everyday example is recognizing faces in online photos: the classifier learns statistical patterns in the pixel data it was trained on, not concepts such as "nose" or "eye", and uses them to tag one face among many millions of photos. The same property is the main caveat in security use: a supervised model is only as good as its labels, so a skewed, stale, or attacker-influenced training set produces confident but wrong classifications.
Machine learning detects threats by building a model of normal behavior on the network and continuously scoring new activity against it, so deviations (anomalies) surface in near real time even when no signature exists. Engines that do this process massive amounts of telemetry to discover critical incidents, including insider threats, unknown malware, and policy violations. An anomaly is a statistical deviation, not proof of malice; the value of the approach is that it narrows the stream to a small set of events an analyst can triage, with the false-positive rate tuned through the baseline and the alert threshold.
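The following is an added example, not code from the original page or from any vendor product: it learns a per-host baseline of outbound bytes per hour from constructed flow records, then scores a later window with a robust z-score (median and median absolute deviation) and reports hosts that have no baseline yet instead of silently treating them as normal. Host names, addresses, volumes and the threshold are all constructed.

```python
"""Behavioural anomaly detection over flow records (added example).

A per-host baseline of outbound bytes per hour is learned from a training
window; each hour in a later observation window is then scored with a robust
z-score (median and MAD) and flagged when it deviates strongly. Records, host
names and thresholds are constructed for illustration; in a real deployment
the input would come from a flow collector (NetFlow/IPFIX) and the baseline
would be recomputed continuously.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records: (hour index, source host, destination, bytes out).
# Two hosts with stable hourly volumes over a 24 hour training window.
BASELINE_FLOWS = [(h, "ws-17", "10.0.0.5", 120_000 + (h % 5) * 8_000) for h in range(24)]
BASELINE_FLOWS += [(h, "db-02", "10.0.0.9", 5_000_000 + (h % 3) * 100_000) for h in range(24)]

# Observation window: ws-17 pushes ~9 MB to an external address in hour 26
# (constructed exfiltration); db-02 stays normal; lt-99 has never been seen.
OBSERVED_FLOWS = [
    (24, "ws-17", "10.0.0.5", 128_000),
    (25, "ws-17", "10.0.0.5", 136_000),
    (26, "ws-17", "203.0.113.77", 9_400_000),
    (27, "ws-17", "10.0.0.5", 144_000),
    (24, "db-02", "10.0.0.9", 5_100_000),
    (25, "db-02", "10.0.0.9", 5_200_000),
    (26, "lt-99", "10.0.0.5", 50_000),
]


def hourly_bytes(flows):
    """Aggregate bytes out per (host, hour)."""
    totals = defaultdict(int)
    for hour, host, _dst, nbytes in flows:
        totals[(host, hour)] += nbytes
    return totals


def fit_baseline(flows):
    """Per-host median and MAD of hourly outbound bytes."""
    per_host = defaultdict(list)
    for (host, _hour), nbytes in hourly_bytes(flows).items():
        per_host[host].append(nbytes)
    baseline = {}
    for host, values in per_host.items():
        med = median(values)
        mad = median([abs(v - med) for v in values])
        baseline[host] = (med, mad)
    return baseline


def robust_z(value, med, mad):
    """Robust z-score; 1.4826 scales MAD to the std dev of a normal distribution.
    A zero MAD (perfectly constant baseline) would divide by zero, so a floor of
    1 byte is used, which makes any change from a constant baseline visible."""
    return (value - med) / (1.4826 * max(mad, 1.0))


def score_window(baseline, flows, threshold=5.0):
    """Return (alerts, unscored_hosts). Hosts without a baseline cannot be
    scored (cold start) and are reported separately rather than treated as normal."""
    alerts, unscored = [], set()
    for (host, hour), nbytes in sorted(hourly_bytes(flows).items()):
        if host not in baseline:
            unscored.add(host)
            continue
        z = robust_z(nbytes, *baseline[host])
        if abs(z) > threshold:
            alerts.append({"host": host, "hour": hour, "bytes": nbytes, "z": round(z, 1)})
    return alerts, sorted(unscored)


if __name__ == "__main__":
    alerts, unscored = score_window(fit_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)
    for a in alerts:
        print(f"ALERT {a['host']} hour {a['hour']}: {a['bytes']} bytes out (robust z={a['z']})")
    print("no baseline yet (unscored):", unscored)
```

The median/MAD pair is used instead of mean/standard deviation so that a single large outlier in the training window does not inflate the baseline and hide later outliers; the cold-start list is the practical reminder that a host the model has never seen is not "normal", only unknown.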
Machine learning can predict "bad neighborhoods" online to help prevent people from connecting to malicious websites. By analyzing patterns in Internet activity, such as the relationships between domains, IP addresses, and the hosting behind them and infrastructure already known to be malicious, it can identify attack infrastructure staged for current and emerging threats, often before that infrastructure is used.
Models can detect never-before-seen malware that is trying to run on endpoints. Rather than matching a signature, they score new files and activity against the attributes and behaviors of known malware, so a sample that has never been catalogued is still flagged if it resembles known malicious samples in the features the model was trained on.
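Both the supervised-learning explanation above and this endpoint use case come down to the same mechanism: a classifier trained on labelled examples scores a sample it has never seen. The block below is an added example (not code from the original page or from any product) that implements this in pure Python with a Bernoulli naive Bayes classifier over binary file attributes. The attribute names, the hand-labelled training set (the "ground truth") and the unseen samples are constructed for illustration.

```python
"""Supervised classification of executables from their attributes (added example).

A Bernoulli naive Bayes classifier in pure Python is trained on a small
hand-labelled set (the 'ground truth') of binary attributes and then scores a
file that was not in the training set. Attribute names, sample vectors and
labels are constructed for illustration; no real malware data is involved.
"""
import math
from collections import Counter

FEATURES = ("high_entropy", "imports_network", "imports_crypto",
            "writes_autorun", "spawns_shell", "is_signed")

# Constructed ground truth: (attribute vector in FEATURES order, label).
TRAINING_SET = [
    ((1, 1, 1, 1, 1, 0), "malware"),
    ((1, 1, 0, 1, 0, 0), "malware"),
    ((1, 0, 1, 1, 1, 0), "malware"),
    ((0, 1, 0, 1, 1, 0), "malware"),
    ((1, 1, 1, 0, 1, 0), "malware"),
    ((0, 1, 0, 0, 0, 1), "benign"),
    ((0, 0, 1, 0, 0, 1), "benign"),
    ((0, 1, 1, 0, 0, 1), "benign"),
    ((0, 0, 0, 0, 1, 1), "benign"),
    ((1, 0, 0, 0, 0, 1), "benign"),
]


class BernoulliNB:
    """Naive Bayes over binary features with Laplace smoothing (alpha), so an
    attribute never observed with a class does not get zero probability."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.log_prior = {}
        self.log_cond = {}  # label -> [(log P(x_j=1|label), log P(x_j=0|label)), ...]

    def fit(self, samples):
        counts = Counter(label for _, label in samples)
        for label, n in counts.items():
            self.log_prior[label] = math.log(n / len(samples))
            cond = []
            for j in range(len(FEATURES)):
                ones = sum(x[j] for x, lab in samples if lab == label)
                p1 = (ones + self.alpha) / (n + 2 * self.alpha)
                cond.append((math.log(p1), math.log(1 - p1)))
            self.log_cond[label] = cond
        return self

    def predict_proba(self, x):
        scores = {}
        for label, prior in self.log_prior.items():
            s = prior
            for j, v in enumerate(x):
                lp1, lp0 = self.log_cond[label][j]
                s += lp1 if v else lp0
            scores[label] = s
        m = max(scores.values())  # log-sum-exp normalisation to probabilities
        z = sum(math.exp(s - m) for s in scores.values())
        return {label: math.exp(s - m) / z for label, s in scores.items()}

    def predict(self, x):
        probs = self.predict_proba(x)
        return max(probs, key=probs.get)


MODEL = BernoulliNB().fit(TRAINING_SET)


def classify(attributes):
    """Map a {feature: 0/1} dict to the model's input order and return
    (label, probability of that label). Missing attributes count as 0."""
    x = tuple(int(attributes.get(name, 0)) for name in FEATURES)
    probs = MODEL.predict_proba(x)
    label = max(probs, key=probs.get)
    return label, probs[label]


if __name__ == "__main__":
    # Not in the training set: packed, talks to the network, persists via autorun.
    unseen = {"high_entropy": 1, "imports_network": 1, "writes_autorun": 1, "spawns_shell": 1}
    print(classify(unseen))
```

Note what the model is actually doing: it has no notion of "malware", only of which attribute values co-occur with each label in the ground truth. Change the labels or leave out the signed-benign samples and the same unseen file would be scored differently, which is the supervised-learning caveat in concrete form.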
Machine learning helps protect cloud accounts and data by analyzing suspicious cloud app login activity, detecting location-based anomalies such as logins from two places a user could not have travelled between in the elapsed time, and checking source addresses against IP reputation data, to identify threats and risks in cloud apps and platforms.
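As an added example (not code from the original page or from any cloud security product), the block below runs the two checks just described over constructed login events: an "impossible travel" test that compares the great-circle distance between consecutive logins for one user with the time between them, and a lookup of the source address in a reputation deny-list. The IP-to-location table, the deny-list, the users and the timestamps are all constructed; a real deployment would resolve locations with a GeoIP database and take reputation from a threat-intelligence feed.

```python
"""Location-based anomaly detection for cloud logins (added example).

Constructed login events are joined to a constructed IP-to-location table
(a real deployment would use a GeoIP database) and to a constructed IP
reputation deny-list. Two checks run: 'impossible travel' (consecutive logins
for one user whose implied speed exceeds what a flight allows) and a
reputation hit on the source address.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (latitude, longitude) lookup, using documentation ranges.
GEO = {
    "198.51.100.10": (51.5074, -0.1278),    # London
    "198.51.100.20": (-33.8688, 151.2093),  # Sydney
    "192.0.2.30": (40.7128, -74.0060),      # New York
    "192.0.2.40": (42.3601, -71.0589),      # Boston
    "203.0.113.5": (48.8566, 2.3522),       # Paris
}
# Constructed reputation deny-list (for example known anonymising proxy exits).
BAD_REPUTATION = {"203.0.113.5": "anonymising proxy"}

MAX_SPEED_KMH = 900.0  # roughly airliner cruising speed; faster travel is implausible

# Constructed login events: (user, UTC timestamp, source IP)
LOGINS = [
    ("alice", "2024-05-01T09:00:00", "198.51.100.10"),
    ("alice", "2024-05-01T10:30:00", "198.51.100.20"),
    ("bob", "2024-05-01T09:00:00", "192.0.2.30"),
    ("bob", "2024-05-01T13:00:00", "192.0.2.40"),
    ("carol", "2024-05-01T11:15:00", "203.0.113.5"),
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def analyse_logins(events, geo=GEO, denylist=BAD_REPUTATION, max_speed=MAX_SPEED_KMH):
    """Return a list of findings, each a dict whose 'type' is
    'impossible_travel' or 'bad_reputation'."""
    findings = []
    last_seen = {}  # user -> (timestamp, ip) of the previous login
    for user, ts, ip in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if ip in denylist:
            findings.append({"type": "bad_reputation", "user": user, "ip": ip,
                             "reason": denylist[ip]})
        if user in last_seen and ip in geo and last_seen[user][1] in geo:
            prev_when, prev_ip = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(geo[prev_ip], geo[ip])
            # Distinct locations with no elapsed time count as infinite speed.
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_speed:
                findings.append({"type": "impossible_travel", "user": user,
                                 "from": prev_ip, "to": ip, "km": round(km),
                                 "hours": round(hours, 2), "kmh": round(speed)})
        last_seen[user] = (when, ip)
    return findings


if __name__ == "__main__":
    for f in analyse_logins(LOGINS):
        print(f)
```

Addresses missing from the location table are skipped by the travel check rather than guessed, and the speed threshold is deliberately generous: the aim is to catch a session replayed from another continent within the hour, not to flag a commute.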
Machine learning can detect malware in encrypted traffic by analyzing the data elements that remain visible in common network telemetry: the unencrypted TLS handshake (offered cipher suites, extensions, and server name), packet sizes and timing within the flow, and flow records. Rather than decrypting, the algorithms pinpoint malicious patterns in that metadata to find threats hidden by encryption. The caveat is that this classifies traffic rather than inspecting payloads, so the output is a probability to act on, not the content of the session.
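The feature-extraction step behind this, as an added example that is not code from the original page or from any product: the TLS ClientHello is sent in the clear at the start of every TLS session, so a sensor can parse it from the first client packet and derive the offered cipher suites, extensions, supported groups and server name, and from those a JA3 fingerprint (the JA3 method is MD5 over "version,ciphers,extensions,groups,point formats" with GREASE values dropped). The ClientHello here is produced by a small constructed builder so the example runs offline; real input would be the first client packet of a flow from a capture.

```python
"""Feature extraction from encrypted traffic without decrypting it (added example).

The TLS ClientHello travels in the clear, so a sensor can parse it and derive
features (offered cipher suites, extensions, supported groups, the server name)
and a JA3 fingerprint (MD5 over those fields, GREASE values excluded). The
message below is built by a constructed builder so the example runs offline.
"""
import hashlib
import struct

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}  # RFC 8701 reserved values


def _u16(v):
    return struct.pack("!H", v)


def _u16_at(buf, i):
    return struct.unpack("!H", buf[i:i + 2])[0]


def build_client_hello(sni, ciphers, groups, point_formats, version=0x0303):
    """Constructed TLS record carrying a ClientHello with server_name,
    supported_groups and ec_point_formats extensions."""
    name = sni.encode("ascii")
    sni_list = b"\x00" + _u16(len(name)) + name  # one host_name entry
    ext = _u16(0x0000) + _u16(len(sni_list) + 2) + _u16(len(sni_list)) + sni_list
    grp = b"".join(_u16(g) for g in groups)
    ext += _u16(0x000a) + _u16(len(grp) + 2) + _u16(len(grp)) + grp
    pf = bytes(point_formats)
    ext += _u16(0x000b) + _u16(len(pf) + 1) + bytes([len(pf)]) + pf
    cs = b"".join(_u16(c) for c in ciphers)
    body = (_u16(version) + bytes(32) + b"\x00"  # version, random, empty session id
            + _u16(len(cs)) + cs + b"\x01\x00"    # cipher suites, null compression
            + _u16(len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # handshake record


def parse_client_hello(data):
    """Extract features from a TLS record containing a ClientHello.
    Raises ValueError on anything that is not a complete ClientHello."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    end = 9 + int.from_bytes(data[6:9], "big")
    if end > len(data):
        raise ValueError("truncated ClientHello")
    p = 9
    version = _u16_at(data, p)
    p += 2
    p += 32                 # client random
    p += 1 + data[p]        # session id
    cs_len = _u16_at(data, p)
    p += 2
    ciphers = [_u16_at(data, i) for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + data[p]        # compression methods
    feats = {"version": version, "ciphers": ciphers, "extensions": [],
             "groups": [], "point_formats": [], "sni": None}
    if p + 2 <= end:        # the extensions block is optional
        ext_end = p + 2 + _u16_at(data, p)
        p += 2
        while p + 4 <= min(ext_end, end):
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            p += 4
            edata = data[p:p + elen]
            p += elen
            feats["extensions"].append(etype)
            if etype == 0x0000 and len(edata) >= 5:       # server_name
                n = _u16_at(edata, 3)
                feats["sni"] = edata[5:5 + n].decode("ascii", "replace")
            elif etype == 0x000a and len(edata) >= 2:     # supported_groups
                n = _u16_at(edata, 0)
                feats["groups"] = [_u16_at(edata, i) for i in range(2, 2 + n, 2)]
            elif etype == 0x000b and len(edata) >= 1:     # ec_point_formats
                feats["point_formats"] = list(edata[1:1 + edata[0]])
    return feats


def ja3(feats):
    """JA3 string and MD5 digest: version,ciphers,extensions,groups,point formats."""
    def dash(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(feats["version"]), dash(feats["ciphers"]), dash(feats["extensions"]),
                  dash(feats["groups"]), dash(feats["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed sample: a GREASE value, two TLS 1.3 suites and one ECDHE suite,
# X25519 and P-256, uncompressed points, SNI example.com.
SAMPLE = build_client_hello("example.com", [0x0a0a, 0x1301, 0x1302, 0xc02b],
                            [0x001d, 0x0017], [0])

if __name__ == "__main__":
    f = parse_client_hello(SAMPLE)
    s, digest = ja3(f)
    print("SNI:", f["sni"], "| ciphers:", f["ciphers"])
    print("JA3:", s, "->", digest)
```

Everything the parser returns was read from unencrypted bytes; the payload of the session is never touched. The feature dict (or the fingerprint digest) is what a classifier would consume alongside packet-length and timing features, and the GREASE filter matters because browsers randomise those values, so leaving them in would split one client into many fingerprints.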