In-brief: experts at an event in San Francisco predicted that humans will be in the loop on information security for the foreseeable future, even as advances in machine learning eliminate whole categories of lower-level information security work.
For those who predict that machine learning technology and automation will have information security analysts going the way of the wheelwright, the message from a group of security experts is: “don’t count on it.”
Humans will be in the loop on information security for the foreseeable future, even as advances in machine learning, “big data” analysis and automation eliminate whole categories of lower-level information security work, said experts speaking at the Structure Security event in San Francisco on Tuesday.
“You can’t replace human reasoning,” said Carson Sweet, the Chief Technology Officer of the firm CloudPassage. “The amount of work a human does between the raw data and taking action – refining it, correlating it with other data, turning it into intelligence – is enormous,” Sweet said.
Machine learning is a discipline within computer science in which computers are trained to both spot patterns in large amounts of data and make useful and accurate decisions (or predictions) based on that data. The “learning” part refers to the ability of machine learning tools to draw conclusions absent explicit instructions (or programming). It is one of the building blocks of artificial intelligence (or AI).
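The distinction between “learned” and “programmed” behavior can be illustrated with a toy sketch: instead of hardcoding a rule, the decision threshold below is derived from labeled example data. The feature (failed logins per minute), the sample values and the labels are all invented for illustration.

```python
# Toy illustration of "learning" a rule from data instead of hardcoding it.
# Samples: (failed_logins_per_minute, label), where 1 = suspicious (invented data).
samples = [(1, 0), (2, 0), (3, 0), (20, 1), (25, 1), (30, 1)]

# "Training": place the threshold midway between the mean of each class.
benign = [x for x, y in samples if y == 0]
suspect = [x for x, y in samples if y == 1]
threshold = (sum(benign) / len(benign) + sum(suspect) / len(suspect)) / 2

def predict(failed_logins: int) -> int:
    """Classify an observation using the learned threshold, not a hand-written rule."""
    return 1 if failed_logins > threshold else 0

print(predict(4), predict(22))  # 0 1
```

Real systems learn far richer boundaries over many features, but the principle is the same: the rule comes from the data, not from a programmer’s explicit instruction.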
In the field of information security, machine learning is increasingly used to sift through massive volumes of data generated by network monitoring and security tools and identify suspicious “incidents.” “There’s a whole set of things that say ‘that’s an incident and that’s not.’ That’s where machine learning comes in,” Sweet said. He was speaking as part of a panel discussion, “Fighting code with code,” which focused on applications of machine learning and artificial intelligence.
While machine learning tools are good at narrowing tasks for human operators and simplifying decision-making, computers aren’t ready to replace people – at least not yet.
For one thing, experts agreed, machine learning is only as good as the data it has to work with.
“You can have machine learning with 99% accuracy. But if that’s working on millions and millions of events, you still have a giant number of false positives,” said Kevin Mahaffey (@dropalltables) of the firm Lookout Security. “Ninety-nine percent accuracy can have you blocking Google in an organization.”
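The base-rate arithmetic behind Mahaffey’s warning is easy to work through. The event volume below is an assumed figure chosen only to make the math concrete:

```python
# Base-rate arithmetic behind the "99% accuracy" warning (illustrative numbers).
daily_events = 10_000_000       # benign events per day - an assumed volume
false_positive_rate = 0.01      # a "99% accurate" classifier mislabels 1% of them

false_positives = int(daily_events * false_positive_rate)
print(false_positives)  # 100000 benign events flagged per day
```

At ten million mostly benign events a day, a 1% error rate still buries analysts under roughly 100,000 spurious alerts – which is how an aggressive classifier ends up “blocking Google.”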
Mahaffey said that organizations that make the best use of machine learning tools use them in a very limited fashion, after exhausting proven, deterministic techniques like blocking traffic from known-malicious IP addresses.
“They start by pulling all the data into one place, doing visualization and simple automation, and then they consider machine learning,” he said. “You can’t just throw machine learning at a dirty data set and expect magic.”
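The ordering Mahaffey describes – deterministic rules first, machine learning last – can be sketched as a simple triage function. The blocklist entries (drawn from the reserved TEST-NET ranges), the event format and the function names are all hypothetical:

```python
# Hypothetical triage pipeline: proven, deterministic checks run first;
# only ambiguous events are escalated to a machine learning model.
KNOWN_BAD_IPS = {"203.0.113.7", "198.51.100.23"}  # example blocklist (TEST-NET addresses)

def triage(event: dict) -> str:
    """Return a disposition for a network event of the form {'src_ip': ...}."""
    if event["src_ip"] in KNOWN_BAD_IPS:
        return "block"             # deterministic rule: no model needed
    # ...aggregation, visualization and simple automation would sit here...
    return "send_to_ml_model"      # only what the rules can't decide reaches the model

print(triage({"src_ip": "203.0.113.7"}))  # block
print(triage({"src_ip": "192.0.2.1"}))    # send_to_ml_model
```

The design point is the one in the quote: cheap, certain checks shrink the stream so that the model – the expensive, probabilistic component – sees only the events that genuinely need it.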
Still: the changeable nature of information security is well suited to machine learning, the experts agreed. Adversaries change their tactics to avoid detection, or adopt new tools and techniques that might trip up rules-based detection.
Increasingly, machine learning and computer automation are replacing low-level tasks that have been performed by humans. Jay Leek, the Chief Technology Officer at the firm Blackstone, told the audience at Structure Security that computer automation, powered by machine learning, could soon replace much of the low-level, or “Tier 1,” computer security work, like helping users who have been locked out of their accounts or escalating certain kinds of alerts generated by network monitoring and security tools like antivirus and intrusion detection sensors. Leek said Blackstone was “laser focused” on finding ways to automate low-level, “routine tasks” done on a regular basis.
The experts took pains to separate machine learning, which has many applications in information security, from artificial intelligence – technology that seeks to mimic the workings of the brain – where applications are currently more limited. The two terms are frequently used interchangeably, but refer to entirely different things.
[See also: “Will AI Kill the Infosec Star?”]
For one thing, artificial intelligence is not deterministic and, thus, is highly dependent on – and shaped by – the information that is fed to it. Microsoft found this out the hard way in March, when its AI-powered Twitter bot, Tay, was trained by users to spout racist, anti-Semitic and homophobic slurs within hours of going public. In the context of information security, that means security-focused AI could be forced to ignore important information or draw incorrect inferences from data, based on how it was trained.
The best applications of machine learning, at least in the short-term, may be in limiting the data that humans have to consider before making higher level decisions that take into account complex and abstract notions like “risk” and an organization’s security posture and business priorities.
In the meantime, companies that want to bend machine learning to solving security problems need to avoid the “shiny object problem” said Sweet of CloudPassage. “You’re taking in all this data but you have no idea what question you want to answer,” he said.
A wide range of technology firms – both established and start-ups – are looking at applications of machine learning, artificial intelligence and expert systems to computer security, partially driven by a severe talent shortage in the industry.
IBM, for one, plans to train a new, cloud-based version of its Watson cognitive technology to detect cyberattacks and computer crimes. As part of its training, IBM fed Watson a dictionary of information security-specific terms such as “exploit” and “dropper” and taught it how to identify and respond to cybersecurity incidents.