Graeme Dawes - Fotolia
I remember receiving my first spam email ever, 20 years ago. The subject was "Are you Bob from the chatroom?" and...
the contents included a link with some words encouraging me to click. Now, keep in mind, this occurred during a time when the internet was kinder, gentler and more naïve. You've likely had a similar experience. Over time, we've learned how to quickly spot spam, potentially harmful links and just plain old maliciously intended emails, right?
Just like you and I have learned by coming in contact with spam and phishing emails, machine learning for cybersecurity -- as a part of an endpoint protection plan -- takes the same path. By being exposed to countless "good" and "bad" emails, machine learning develops and evolves its own idea of what is likely to be OK or malicious.
The question is whether machine learning for cybersecurity (which, in essence, is a subset of AI) is truly effective and necessary as part of your endpoint protection
While your brain is a pretty impressive computer, your endpoint mixed with some AI designed to spot evil is potentially a far better choice. Machine learning as part of an endpoint protection program is extremely accurate in its ability to identify malicious files and behavior. It can track literally tens of thousands of relevant data points to spot alignment between files and activity with far fewer false positives.
Is machine learning for cybersecurity necessary?
It seems like just about every security vendor touts some kind of AI or machine learning embedded within their products. But do you really need this technology to have an effective defense? The answer lies in looking at modern methods of attack and seeing whether legacy methods of detection can be successful.
Three attack method trends have grown in popularity over the last few years:
- Evasive techniques: These malware techniques are designed specifically to avoid detection. Actions like checking the host environment to determine if the host is potentially hostile to the malware and performing fileless attacks using direct memory injection are just two ways malware keeps from being detected. Traditional heuristics-based and signature-based detection will fail to spot these.
- Botnet attacks: Rather than attempting to, say, hold a machine for ransom -- which involves a slew of specific actions to accomplish -- some attackers simply want to apply your computing power to cryptomining, participating in distributed denial-of-service attacks and the like. In these types of attacks, the specific behavior and artifacts left behind can be very different from those of malware seeking to, say, compromise an endpoint as part of a larger data-theft attack.
- Sophisticated attacks: It used to be a simple path to infection: Download the dropper, connect to the command-and-control server, download the payload, weaponize the payload, install and infect the machine. Now, it's much more complicated. One example: Open a PDF, click a link that downloads and opens a Word doc that uses a macro-less method to download the payload and launch it. Malware then uses memory hollowing to load itself into the memory space used by a known good process. These attackers are looking for more and more complex methods of attack to thwart being spotted via assumed malicious behaviors.
In all of these modern-day attacks, the legacy methods of detection -- especially those dependent on historical information, such as signature-based detection and heuristics -- simply won't get the job done. The beauty of machine learning for cybersecurity is right there in the name: It's always learning. This makes it a very necessary part of the defense.
Of course, the list of attack trends above will likely be obsolete in a few years, with attackers moving onto new methods of attack (one possibility: going after IoT sensor networks). But even so, machine learning for cybersecurity will be in place, analyzing each new attack, building its database of threat artifacts and behaviors -- improving its ability to defend and protect with exposure to each new attack.