
Monday, May 27th, 2019


Is machine learning the key to solving cybersecurity problems?


Cyber threats have become more sophisticated and evolve faster than ever before, easily bypassing conventional cyber defences. Hence the need for security skills and security technologies to evolve as well. One promising development, according to CrowdStrike, is machine learning.

“What we are witnessing today is the increased effectiveness and application of machine learning for prevention and detection,” says Mike Sentonas, Vice President of Technology Strategy, CrowdStrike. “Utilising machine learning to solve cybersecurity problems is one of the truly promising developments in our field. It enables us to scale the knowledge of skilled human analysts to large data sizes and to increase the scope of analysis to levels of complexity beyond human cognition. It also addresses the big data challenge.”

In an interview with Networks Asia, Sentonas emphasized that CrowdStrike’s mission remains simple: to stop breaches. To that end, the company plans to continue to extend its malware prevention capabilities with machine learning and behaviour-based analysis that offer customers the most advanced threat protection available.

The following is an excerpt from the interview:

With the rise of the digital economy, more companies are rushing to get their apps to market with seemingly no regard for cybersecurity. What’s your take on this? Has the digital economy changed the way enterprises should look at security?

Today’s markets are more fast-paced than ever before, so it’s no surprise that companies want to expedite the app-to-market process. The same goes for other business functions or services, including on-boarding new employees, deploying more endpoints in the enterprise, etc. In general, companies are aware of the cybersecurity challenges of this digital age; however, the need to be agile and to be first-to-market in many cases takes precedence over security.

Another interesting change is that cyber threats are more sophisticated and evolve faster than ever before, easily bypassing conventional cyber defences. It can be virtually impossible to cover all angles and fortify against every potential vulnerability from an app creator’s point of view. At the same time, securing your intellectual property and the ‘secret sauce’ behind the technology is just as critical for the success of the application as time-to-market.

Have IoT and the data it generates made security analytics easier for the CISO? How automated can security become, and can we leave security to automated defences?

Automating key security functions is not new in the cybersecurity industry. What we are witnessing today is the increased effectiveness and application of machine learning for prevention and detection. Utilising machine learning to solve cybersecurity problems is one of the truly promising developments in our field. It enables us to scale the knowledge of skilled human analysts to large data sizes and to increase the scope of analysis to levels of complexity beyond human cognition. To your point, it also addresses the big data challenge.

Cloud-based architectures can significantly augment the efficacy and coverage of machine learning. Algorithms can be infused with the collective knowledge of a crowdsourced community where threat intelligence is aggregated and updated instantly. At CrowdStrike, we believe that prevention should be enhanced with detection and response and proactive hunting for threats.

Malware has always been the bane of organisations. Recent measures such as air-gapping are being implemented by the Singapore government to combat the threat. Just how effective are current defences at stopping malware?

Malware-based attacks continue to be a significant issue for all organisations, and legacy security technologies are continuing to struggle to be effective in dealing with new attack techniques. More importantly, organisations are starting to realise that threats are more than malware attacks. In fact, more than 60 percent of intrusions are malware-free. In the example of air-gapping a network, this will certainly make it harder for malware; however, you would also need to stop all USB port functions, printing and internal sharing, at the cost of convenience and effectiveness in the workplace.

Whilst this can be perceived to be a knee-jerk reaction, increasingly we are witnessing how dealing with daily signature updates and searching for indicators of compromise, which is by definition a rebranded signature-based approach, is no longer effective, and organisations are becoming frustrated that their legacy technologies continue to be bypassed.

Who is CrowdStrike and how do CrowdStrike’s offerings work?

CrowdStrike was founded in 2011 with a mission to fix a fundamental problem: stopping breaches that existing legacy-based security technologies could not. To this day, CrowdStrike’s mission remains simple: to stop breaches. We are the only company that has successfully unified next-generation antivirus and endpoint detection and response (EDR) and managed hunting through a fully cloud-based, API-driven platform. This allows customers unrivalled capabilities to stop existing and emerging threats.

Our focus as a company remains squarely on building out and continually investing in the Falcon platform to ensure it remains the most compelling, effective, and innovative next-generation endpoint protection solution on the market.

CrowdStrike’s machine learning capabilities continue to set the industry standard; CrowdStrike was the first company to integrate its signatureless machine learning engine into the industry standard VirusTotal. This follows on from earning a 100% efficacy rating on its first public test, according to results published on July 28th by SE Labs, which is a member of the Anti-Malware Testing Standards Organization (AMTSO). CrowdStrike scored a 100% rating for detecting both known and unknown samples of malware with a false positive rate of zero percent.

While no silver bullet solution exists that achieves perfect results like this in every test, we take great pride in this accomplishment and plan to continue to extend our malware prevention capabilities with machine learning and behaviour-based analysis that offer customers the most advanced threat protection available.

The underpinning layers of innovation that enable this type of comprehensive, behavioural-based detection are truly revolutionary. Falcon uses the patent-pending CrowdStrike Threat Graph to analyse and correlate more than 18 billion events a day in real time, providing complete protection and five-second visibility across all endpoints. The Threat Graph technology enables unprecedented investigation, response and proactive hunting capabilities for partners and customers.

Is it true that senior management sees the number of attacks stopped by cybersecurity software as some form of ROI and a measure of how effective the software is?

Estimating ROI on security investments is certainly not easy, and most organisations try to look at measuring costs avoided (or reduced) by not having a breach. This means you need to answer some tough questions, including: assessing the impact of a breach, how much this would cost, and measuring the cost of incident response and of getting the organisation back up and running.

Traditionally, such ROI measurements are met with a fair amount of questions. However, such scepticism is on the decline, as I’ve witnessed. It is important to use reporting metrics such as the number of exploits, vulnerabilities, zero days and spam. However, they should not be looked at in isolation, as that is not effective and, in many cases, is meaningless to executive management apart from just encouraging a climate of fear. The context must be considered, as every organisation is different, and it is important to measure the threats and risk that affect the specific organisation and understand whether the organisation’s security programme can meet these challenges. More recently, the focus is moving to measuring incident response volume, including the average time it takes to respond, the average time it takes you to detect an attacker in your network, and how long it takes to mitigate this threat.

Are humans still the weakest links in any cybersecurity defence system?

Even with the best defences in place, no organisation is completely foolproof. We often become the weakest links because social engineering is meant to exploit patterns in the way we operate.

Does that then mean that all employees should be cybersecurity experts?

No, it doesn’t make business sense and it shouldn’t be the case. Of course, we should continue to educate our users, but at the same time they should be empowered by tools that can detect and resolve cybersecurity threats or intrusions. These tools should be smart and, at the same time, simple to use.