Dark Reading is part of the Informa Tech Division of Informa PLC


Operations

12/12/2016 11:55 AM
Rutrell Yasin

5 Things Security Pros Need To Know About Machine Learning

Experts share best practices for data integrity, pattern recognition and computing power to help enterprises get the most out of machine learning-based technology for cybersecurity.

#5 Machine Learning Can Provide Pre-Execution Protection Against Malware

Companies employ a variety of techniques to protect their IT infrastructures from malware, such as traditional signature-based detection, sandboxing and now machine learning. Machine learning is one of the techniques used by CrowdStrike and other security vendors to provide pre-execution protection against malware, notes CrowdStrike's Sven Krasser.

For example, a CrowdStrike tool can determine the presence of malicious code without relying on signatures, detecting both known and unknown (zero-day) malware. "With machine learning you can create an engine or algorithm that understands what makes something zero-day or malicious. As opposed to signatures, machine learning allows analysts to look at all the data coming in on an incident and quickly make decisions immediately upon detection," Krasser says.

Another growing concern for companies is advanced persistent threats (APTs), in which an unauthorized person gains access to a network and stays there undetected for a long period. The intention is to steal data rather than to cause damage to the network or organization.

"In dealing with APTs, you need to realize you are up against humans. They only need to get on one machine on the company's network and then move laterally onto others," Krasser says. The risk is in the persistence of the threat, so just detecting the threat is not enough.

Companies must constantly monitor for these types of attacks, so techniques that go beyond machine learning need to be applied, although ML can still be part of the defense against APT attacks. CrowdStrike, for example, employs an indicators-of-attack (IOA) detection approach for endpoint systems, which focuses on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack.

For instance, an attacker might deploy a spear-phishing attack, persuading a victim to click on a link or open a document that will infect the machine. Once the machine is compromised, the attacker will silently execute another process, hide in memory or on disk and maintain persistence across reboots of the system. The next step is to contact a command-and-control site, where the attacker informs his handlers that he awaits further instructions.

IOAs are concerned with the execution of these steps, the intent of the adversary and the outcomes he is trying to achieve. They are not focused on the specific tools the attacker uses to accomplish his objectives. By monitoring these execution points, gathering the indicators and consuming them via a Stateful Execution Inspection engine, analysts can determine how an actor successfully gains access to the network and infer intent.
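As an added illustration (this is not CrowdStrike's code or the article's), here is a small stateful IOA engine in Python run over constructed endpoint events: it tracks process lineage per host and alerts only when one lineage walks through the three stages above (a document app spawns a child, that lineage sets an autostart key, then it connects out), regardless of which binaries are involved. The event field names, the stage definitions and the sample events are assumptions.

```python
from dataclasses import dataclass, field

# Constructed endpoint telemetry for two hosts (sample data, not from the article).
EVENTS = [
    {"host": "ws01", "type": "process_create", "pid": 400, "ppid": 1, "image": "winword.exe"},
    {"host": "ws01", "type": "process_create", "pid": 401, "ppid": 400, "image": "powershell.exe"},
    {"host": "ws01", "type": "registry_set", "pid": 401, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws01", "type": "process_create", "pid": 402, "ppid": 401, "image": "updater.exe"},
    {"host": "ws01", "type": "network_connect", "pid": 402, "dst": "203.0.113.10:443"},
    # ws02: a document app talking to the network on its own is not an attack chain.
    {"host": "ws02", "type": "process_create", "pid": 500, "ppid": 1, "image": "winword.exe"},
    {"host": "ws02", "type": "network_connect", "pid": 500, "dst": "198.51.100.7:443"},
]
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}   # typical phishing lure handlers
PERSISTENCE_KEYS = ("\\Run\\", "\\RunOnce\\")                  # autostart registry paths

@dataclass
class HostState:
    parent: dict = field(default_factory=dict)  # pid -> ppid
    image: dict = field(default_factory=dict)   # pid -> image name
    stage: dict = field(default_factory=dict)   # root pid of a lineage -> stage reached

def lineage_root(state, pid):
    # Walk up the process tree; return the nearest document-app ancestor (pid itself counts), else None.
    while pid in state.parent:
        if state.image[pid].lower() in DOCUMENT_APPS:
            return pid
        pid = state.parent[pid]
    return None

def run_ioa_engine(events):
    # Stateful inspection: alert only when one lineage passes through all three stages in order.
    hosts, alerts = {}, []
    for ev in events:
        st = hosts.setdefault(ev["host"], HostState())
        if ev["type"] == "process_create":
            st.parent[ev["pid"]], st.image[ev["pid"]] = ev["ppid"], ev["image"]
            root = lineage_root(st, ev["ppid"])
            if root is not None and st.stage.get(root, 0) == 0:
                st.stage[root] = 1                       # stage 1: document app spawned a child
        elif ev["type"] == "registry_set":
            root = lineage_root(st, ev["pid"])
            if root is not None and st.stage.get(root) == 1 \
                    and any(k in ev["key"] for k in PERSISTENCE_KEYS):
                st.stage[root] = 2                       # stage 2: that lineage set persistence
        elif ev["type"] == "network_connect":
            root = lineage_root(st, ev["pid"])
            if root is not None and st.stage.get(root) == 2:
                st.stage[root] = 3                       # stage 3: it phoned home -> IOA alert
                alerts.append((ev["host"], root, ev["dst"]))
    return alerts
```

The alert names the host and the root process of the lineage, not the tool used, which is the point of the IOA approach described above.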

Protecting an organization's IT infrastructure requires looking at the broader picture beyond just machine learning. "That is why enterprises need a cocktail of solutions," Krasser says.

Image Source: CrowdStrike

Comments
JonKim, User Rank: Author
12/15/2016 | 3:02:27 PM
Insightful
Insightful, thank you for sharing.
gopinathmohan861, User Rank: Apprentice
12/14/2016 | 10:11:16 AM
Machine Learning - Useful points
First of all, a big thanks for the article. The information (5 security pros) mentioned in this article is very useful. As AI and ML are going to rule the future world, we need to consider these security pros.