Machine learning security offers many advantages over signature-based detection, but the technology can be as difficult to explain as it is for malware to beat.
During an interview with SearchSecurity, Brett Hansen, executive director of data security solutions at Dell, offered insight into his company's investment in machine learning security and its partnership with advanced threat protection startup Cylance Inc. In part one of the interview, Hansen discussed the problems with traditional antivirus and antimalware programs relying on signature-based detection methods.
In part two of the interview, Hansen talks about the advantages of machine learning for smaller businesses, why it's a struggle to discuss the technology behind it, and how machine learning security serves as a better defense against ransomware attacks and other emerging threats. Here are excerpts from the conversation with Hansen.
Is the move to machine learning security more about the shortcomings with signature-based detection and the frustrations people have had with it, or the benefits and value of machine learning?
Brett Hansen: With smaller businesses, we don't have an answer for that yet, because we just launched Dell Data Protection | Threat Defense for small businesses. I'm optimistic, based on the conversations I've had with customers, that they are very aware of the shortcomings with their current solutions.
Two of the challenges with machine-based learning are that, A, it sounds too good to be true, and, B, it can be really difficult to explain. I can use metaphors, and I can talk strategically at a high level. But I can't really discuss the math behind it. There are a handful of people that it would make sense to. So, that's one of the challenges we have -- it's a 'trust us' type of discussion.
The good news is it's easy for us to show the efficacy. So, we'll download live malware code and run against our system and whatever competitor you want to choose. And I've done it dozens and dozens of times. And we're 99%-plus. I've seen one or two things [that] may slide by. Those things are typically agents to download future executables, which we will catch. If I see a signature-based AV/AM [antivirus/antimalware product] beat 60%, I'm usually surprised. And this isn't super-sophisticated polymorphic malware or fileless attacks; this is the stuff you can get off the web.
There have been reports that threat actors are now adapting their approaches to go after machine learning security technology and trick products into false positives. Are you seeing hackers trying to game machine learning systems or throw them off track somehow?
Hansen: We're starting to see it happen, but it's in relatively modest proportions. We almost see it as a compliment -- the fact that we're forcing the attackers to change their strategy. And let's face it, that hasn't happened a lot over the last few years. So, it's a sign that they're concerned about it, which I see as a positive. And what they're trying to do is use false positives to subvert the machine learning.
To date, it really isn't effective, because I'm looking at the executables. So, you can cause me to look at what looks like a piece of bad code, and it turns out to be innocuous, but it's still a piece of code dropped by someone who was trying to do something malicious.
And you would need a lot of those innocuous samples to try to throw off the machine learning system, correct?
Hansen: Yes. So, we have to acknowledge that the hackers will continue to adapt and evolve. It's too big of a business not to. There are hundreds of billions of dollars at stake. And it's the biggest crime activity around.
Again, the good news is they're going to have to change the fundamentals of how they do things to have any chance of defeating machine learning. Because what we're seeing today is people taking the same attacks they've used for years and making some modifications to camouflage them.
So, in order to circumvent our techniques, you're going to have to take that underlying code and make some significant modifications. So, for example, with ransomware, it's really hard to disguise what you're doing there. You're going to have to go and contact an outside network. You're going to have to drop additional agents on the system and go to the memory. That's really hard to disguise when you're talking about the underlying code.
It's more than modifying a few pieces of code; it's about changing the entire approach. And we know the vast majority of attacks come from one person writing ransomware code, and then thousands of 'entrepreneurs' pick it up, modify it, and go and use it. There are very few really sophisticated, new developments going on here.
Why are machine learning-based products so important for small businesses?
Hansen: I think they are the ones that need it most.
If you think about it, today, there is endpoint detection, response, prediction and prevention. And what you really want to be in is prediction and prevention, because that's identifying the threat before it executes and stopping it. But, today, the bulk of the activities are in detection and response.
The other axis is we have automated solutions and we have manual solutions. The bulk of activity is on the manual solutions. Yes, you may have a local solution that looks for behavioral issues, but then you have to have a team that then analyzes that data to make sure you're not missing anything or reacting to false positives. So, we're in a state of detecting and responding with expensive manual approaches. And that doesn't work for a small business. So, what our suite does is move us downstream with a fully automated prediction and prevention solution. Small businesses are the ones that are least-equipped to deal with a breach, and respond and mitigate it.
We've also seen a few instances -- though, there are probably many more -- where more capable attackers are using small businesses to compromise larger businesses. It's the Target story with the HVAC vendor. But it's become more sophisticated now, where attackers are finding out who your suppliers and contractors are, and through compromising them, they can compromise you.
From what you've seen, are smaller businesses taking a more proactive approach with cybersecurity?
Hansen: The good news is the companies that are in the more risk-prone areas -- defense, technology [and] those kinds of industries -- tend to be a little bit more proactive about having security.
The bigger challenge -- and, again, this is a new product, and we're just starting to roll it out to customers -- is this. Companies say, 'Well, I've been using (insert company name) for seven years, and I haven't been hit yet, so why do I need you?' There's a lot of, 'It hasn't happened to me yet;' or, 'This seems to be working;' or, 'I'm too small to get hit.'
Now, thankfully -- and I use that word cautiously here -- ransomware is increasing people's awareness. It's positive to see mainstream media picking this up and telling the story -- and hopefully increasing people's awareness of threats. But, yes, there are a lot of ostrich heads in the sand with small businesses. We still have an awareness gap. We have this perception that the companies that get breached are Target, JPMorgan, Anthem and OPM [Office of Personnel Management], and it's not me. But ransomware is such an indiscriminate attack that it's probably more likely to hit a small business.
The fact is, the naïveté that exists with small businesses is unfounded. Small businesses are the most commonly breached businesses in the marketplace. The difference between a small business getting breached and a Target is: Target has turnover with some [of] its employees, and, yes, it cost the company a few hundred million dollars, but they're still doing very well.
With small businesses, a breach could be a business-ending event. And what they're left with for protection is the existing AV/AM solutions. They're left with McAfee, Symantec, Trend Micro, Sophos and others, which by their very nature are not very effective against the proliferation of new malware.
What other trends have you seen around ransomware attacks?
Hansen: One of the concerns is, because it's so easy to go and do this stuff, they might have a change of heart, or they may be incarcerated for some other crime. And so the ransomware is pushed out, it affects a lot of people, and when they go get their bitcoins to pay, they find the operation is out of business. So, we are seeing an increase in the number of organizations who try to pay the ransom, but can't find anyone to take the payment. That's a whole new pain, because now we're dealing with a situation where the company has encrypted documents and is willing to pay the ransom, but doesn't know how to get them back.
And, again, the good news with ransomware is that it has captured more of the public's attention. It has raised awareness about security. If I say ransomware, people perk their ears up. From an educational perspective, it's easily understood. If I start talking about Trojans and polymorphic attacks, people say, 'Who are you, and why are you harassing me?' But if I say ransomware, people get it and they know it's bad.