Machine learning-powered cybersecurity depends on good data and experience

According to IDG’s 2020 Cloud Computing Study, 92% of organizations have at least some sort of cloud footprint in regard to their IT environment. Therefore, traditional cloud security approaches must evolve to keep up with the dynamic infrastructure and challenges that cloud environments present – most notably, the inundation of data insights generated within the cloud.

Machine learning-powered cybersecurity

More than one-third of IT security managers and security analysts ignore threat alerts when the queue is full. This is a common issue that is driving the high demand for machine learning-based analytics, as it helps security teams sift through massive amounts of data to prioritize risks and vulnerabilities and make more informed decisions.

However, a word of caution when using machine learning-based technology: the age-old garbage-in, garbage-out applies to security-focused machine learning engines. If your data is bad, then your machine learning tools will be insufficient, making your security infrastructure vulnerable to attack and putting your organization at risk for a wide-spread security breach.

Strive for a security strategy that is rooted in data science

Machine learning-powered cybersecurity must also go beyond good data and incorporate extensive industry experience and defined rule sets to harness the power behind these security insights. By having a security strategy firmly rooted in data science driven by human expertise, organizations will have complete visibility into the security and compliance risk of their cloud environments.

The most effective machine learning-based security solutions collect and effectively make use of high-quality telemetry to deliver risk visibility across the entire cloud infrastructure stack to include the application layer, containers-as-a-service (CaaS), Kubernetes orchestration, container runtimes, host machines, and so on.

The continuous collection of this data will set your machine learning-based cloud security strategy apart. Working with a trusted partner to effectively gather the raw telemetry needed to gain a full forensic view into potentially risky behaviors taking place in your environment serves as the foundation for advanced analytics and timelier insights, and the benefits of this approach are twofold.

First, it massively expands available context, driving more meaningful insights and speeding security investigations. Second, it offloads the operational burden of managing large security data sets, reducing the human and technology costs of engineering these systems in-house.

Applying rules and machine learning to drive detection methodology

Surfacing meaningful security and compliance insights from massive amounts of data requires multiple detection methods. These can be behavior-based alerting rules, IP reputation scoring, and machine learning-driven anomaly detections. The most effective solutions use a combination of these methods, enabling security teams to:

• Monitor the known – the power of a rules engine: Alerting rules and machine learning must exist together to detect both known and unknown threats and anomalies. Rules capture risk within well-known behavior patterns within your environment. You define what you care about in advance, and rules monitor and alert on these patterns, reliably, every time suspicious behavior is detected. This consistency is essential when watching for insider threats or providing a complete history of system access for a compliance audit.
• Monitor the unknown – machine learning for anomaly detection: machine learning techniques excel at surfacing unknown risk within your environment. They excel at learning and baselining behavior to uncover anomalous activities, most notably suspicious activity that would be virtually impossible to predict when setting alerting rules. To that end, machine learning-powered anomaly detection can add valuable context to complement rules. For example, with machine learning-powered anomaly detection, security analysts can be made aware of suspicious trends, resulting from a wide range of activities that, in and of themselves, may not trigger an alert. But when these activities are grouped and looked at holistically, they can uncover significant security and compliance vulnerabilities and threats.

To summarize, rules alongside machine learning will allow users to detect both known and unknown threats from anywhere in their infrastructure, but human expertise also plays a critical role. In fact, it’s how users interact with alert dismissals, escalations, or rule modifications that influence the security strategy.

(Rules + machine learning) + human expertise = A hardened security posture

With telemetry collection and risk detection, you have two key components of your cloud security strategy. The third component is the human element, i.e., seasoned security and IT operations professionals’ expertise.

Even with modern security technologies and techniques, you cannot expect to remove humans from the loop. Computers are good at doing math, but humans must contextualize that math and make a decision properly. Security professionals remain essential in alert validation, gathering context, and determining risk remediation actions.

An machine learning-based layered approach for intelligent cloud security

For modern cloud environments and on-premises infrastructure making the transition to the cloud, security and compliance require behavior-based alerting rules, machine learning-generated insights, and human expertise. These elements must work together to deliver high-precision detection that maximizes security coverage for known and unknown threats, providing the context needed to quickly detect, investigate, and respond to risk.