Professional Documents
Culture Documents
How AI and Machine Learning Improve Enterprise Cybersecurity
How AI and Machine Learning Improve Enterprise Cybersecurity
www.stellarcyber.ai sales@stellarcyber.ai
scanner again). Anomaly Detection is good Combining Supervised
at detecting things that are different, but not and Unsupervised Learning
necessarily always malicious. This is a problem
Supervised learning has shown more success
that security analysts still struggle with today.
in security applications, but it requires easy
access to large sets of labelled data, which are
The Rise of Big Data very difficult to generate for cyberattacks such
After 2000, developers and researchers began as APT (advanced persistent threats) and zero-
creating anti-spam, anti-phishing, and URL day attacks targeted at enterprises. Therefore,
filtering systems based on supervised learning. we cannot easily apply supervised ML to solve
In supervised learning, decisions are learned all cyberattacks.
from a set of labelled data. The labels specify the This is where unsupervised learning comes back
normal case and perceived threats. One such into the situation. We need to develop more
example is a URL classifier. First, large datasets advanced AI/ML that can be unsupervised or
of benign URLs and malicious URLs are used to semi-supervised (e.g., through adaptive learning)
train a URL classifier. Then, the URL classifier is to solve the additional cybersecurity challenges.
deployed and matches the URLs extracted from Adaptive learning (human-guided analysis)
incoming e-mails, and for each input URL, the coupled with unsupervised learning improves
URL classifier will produce a label to tell whether your ability to detect those APTs and zero-day
it is benign or malicious. A supervised learning exploits. Unlike in supervised learning, where
algorithm analyzes the data and produces we need to label a large number of attack cases,
an inferred function (i.e., this traffic behavior adaptive learning leverages limited guidance
matches this input data, therefore it is bad), from humans to drive the direction or preference
which can be used for mapping new examples. of the anomaly detection to produce more
Early filtering systems using supervised learning accurate results.
were based on relatively small datasets, but
datasets have grown in size and sophistication A New Direction: Connecting the Dots
with the advent of Big Data. For example, Gmail One of the big problems with simple anomaly
employs an Internet-scale dataset to train nits detection is the volume of false positives, and
classifier to improve accuracy. Such a large even if the results are indeed accurate, the
scale, using Big Data and huge computation results are lacking context for a security analyst
resources, enables Google to train more to quickly evaluate the impact to the security
sophisticated models. posture and gear resources towards them.
Big models (in terms of the number of One way to address this issue is by correlating
parameters) based on Big Data, such as deep multiple events (dots) and then evaluating
learning models, have gradually become more whether or not the correlation indicates a strong
popular. For example, supervised ML has signal for a cyberattack. For example, one ‘dot’
been successfully used in anti-virus signature might be an executive logging into the network
generation for years, and in 2012, Cylance began at 2AM, and while this alone might be seen as a
offering next-generation anti-virus systems false positive, it wouldn’t be enough to trigger an
based on datasets other than signatures, such alert. However, if the executive is seen logging
as anomalous traffic behavior. The advantage in at 2AM from an IP address in Russia or China,
of ML-based methods compared with simple and it is running a PowerShell command the
signature matching is that the ML-based method executive should not know, it would trigger
might find similar but not exactly identical cases, an alert, because enough dots linked together
while signature matching looks for exact the providing the context indicate that it is more
same pattern. like an account takeover, and some hacker is
www.stellarcyber.ai sales@stellarcyber.ai
pretending to be the executive, but logging in constitute a threat. This approach significantly
at an usual time and from an unusual place reduces false positives and helps analysts
to do unusual things. identify APTs or zero-day attacks more quickly.
One fundamental new trend in ML/AI With Graph ML, we can correlate and group
community is to let the ML algorithm deal alerts into incidents, which will significantly
with graphs. Graphs with nodes and edges are reduce the number of cases which need to be
perfect for tracking relationships and expressing investigated individually. Furthermore, with the
contexts. However, traditionally, graphs are correlation and grouping, incidents have more
considered as discrete data structures. On the details and graph ML also can help provide a
other hand, in order to apply gradient descent ranking or score to let the SoC team better
optimization for ML, usually the data needs to focus on significant incidents more quickly. The
be continuous and differentiable. In recent years, resulting incident graphs are also a natural way
there are quite a few new breakthroughs on ML to present the attack context with a timeline.
to deal with graphs. Such techniques can be With these approaches, SoC efficiency can
called graph representative learning or Graph be fundamentally improved to cure alert
ML in short. Applying such techniques into fatigue problems.
products, Stellar Cyber’s Open-XDR platform
correlates multiple events and evaluates
whether, when looked at together, they
Stellar Cyber’s Open XDR platform delivers Everything Detection and Response by ingesting data from all tools,
correlating incidents across the entire attack surface, delivering high-fidelity detections, and responding to threats
automatically through AI and machine learning. Our intelligent, next-gen security operations platform greatly reduces
enterprise risk through early and precise identification and remediation of all attack activities while slashing costs,
retaining investments in existing tools and accelerating analyst productivity. Typically, our platform delivers a 20X
improvement in MTTD and an 8X improvement in MTTR.
www.stellarcyber.ai | sales@stellarcyber.ai
www.stellarcyber.ai sales@stellarcyber.ai