Using the power of machine learning in effective network security
- Published: Friday, 14 July 2017 09:27
Derek Lin believes that the key to effective security is to take a people-centric approach, understanding each and every user’s normal or baseline behaviour. No easy task, but machine learning makes it possible.
The continued rise in both the volume and variety of cyber attacks has left many businesses scrambling for more robust IT security solutions. Properly securing the network is a fundamental part of overall business security, helping to protect against both external and insider threats. Many look to achieve this through the use of network traffic flow monitoring tools and security threat analysis based on the flow data produced. Despite this, security breaches continue to happen at an alarming frequency. Why? Because very few of the network monitoring solutions available today take into account one of the biggest risk factors on any network; the user.
By adopting a more user-centric approach to network security, businesses can answer some of the key questions that aren’t resolved by network monitoring tools alone. These include:
Who specifically is accessing the network?
The notion of being able to track who is accessing the network may seem simple in theory, but as business practices evolve, it’s becoming harder and harder to accurately achieve in practice. Most employees today have composite identities consisting of information from multiple accounts, applications, and repositories under their name. Even in a medium sized business, an employee’s identity can include a standard windows ID, as well as numerous other accounts for apps such as SAP, Salesforce.com and Oracle, just to name a few. Adding to the confusion is the rise of BYOD policies, meaning many employees also use personal devices on the business network as well.
As a result, effectively tracking every ID for each employee in one central location is extremely difficult. Further muddying the waters is the issue of shared accounts used by multiple individuals. How can any business tie these to a specific user if there’s no way of knowing who that user is? Without a way to answer to these questions, it’s impossible to know who is accessing the network.
Exactly what is being accessed?
Tracking exactly what assets and servers are being accessed on the network may seem like a fairly straightforward part of day-to-day network security but, unfortunately, it’s rarely the case. In many instances, a limited understanding of exactly what assets are on the network plays a major role, usually caused by a lack of centralised asset monitoring system being in place.
This is often down to IT security systems having been built up in a piecemeal fashion over time, resulting in a mass of different solutions ostensibly doing the same job, but all with limited functionality of their own. What this means is that IT may know what server is being accessed and which employee is accessing it. However, it’s unlikely the IT team would know what other information is on that same server, or how sensitive it is.
Is the individual displaying normal user behaviour?
Even if the IT team is able to effectively track who is accessing the network and exactly what they are accessing, the question of whether it is ‘normal behaviour’ for the individual in question can be extremely difficult to answer. This is because the context required to effectively assess user behaviour isn’t captured by network flow data alone. As such, it is often little more than educated guess work as to whether an individual is behaving within the confines of what is deemed ‘normal’, or if their actions are abnormal and therefore, suspicious.
Machine learning changes the game
While the term data science or ‘machine learning’ started as something of a buzzword within the IT industry, security experts are now waking up to its significant potential in helping to accurately answer key questions like those above. Using machine learning techniques, important connections between seemingly unrelated parts of identities can be discovered, allowing IT teams to create a detailed map of a user’s activity, even if various identity components are not explicitly linked.
For example, if an employee logs into the network from the office using his/her personal credentials, then later that day, logs in again remotely via a personal device from home using an admin account, these two actions would typically not be flagged as connected to the same individual. However, machine learning engines would not only be able to connect them using behavioural data, but also provide tracking for the employee’s actions over time, helping build up a broad view of his/her true network activity.
Machine learning algorithms can also be used to analyse trends and create behaviour baselines on a per-user basis. Doing so helps provide the much-needed context required to spot and flag any activity that deviates too far from what is considered acceptable or normal. Furthermore, different machine learning techniques can be used to build accurate network asset models that give IT teams a true picture of everything on the network. As a result, it is far easier to keep a close eye on exactly what is being accessed at any given time. As part of this, assets belonging to executives and board members can be tagged as ‘high-risk’ items, meaning they are subjected to greater scrutiny and/or more stringent security measures.
Finally, the amount of computing power necessary to make all this work is just a tenth of what it was just a few years ago, putting powerful machine learning platforms well within reach of businesses both big and small.
Effective network security isn’t optional; it’s essential
In a business environment where the threat of cyber attack is growing on a near daily basis, effective network security is essential. Adopting the right tools will help every business understand exactly who is accessing the network, what they are doing and whether they should be doing it. Machine learning will play a significant role in this, not only tying key information together in ways not previously possible through network traffic monitoring alone, but by providing IT teams with the context they need to make informed security decisions.