Channel: Symantec Connect - Blog Entries

Machine Learning is not the Only Answer


There’s been a lot of “buzz” around machine learning, but despite what’s being said it’s not a panacea – the answer to all your protection problems. I’m not saying machine learning is not an important weapon to identify threats, but let’s be honest, its usefulness is targeted at specific points in the cyber kill chain (below) – and nothing is ever 100% effective by itself.

[Image: Kill chain layers 2]

I think of the kill chain as the threat lifecycle: the threat comes in, deploys the payload, executes the payload, then tries to communicate with its command-and-control center or exfiltrate information. The later in the kill chain you catch something, the more damage it can do, so it’s advantageous to catch it as soon as possible, but the most important thing is that you catch it. It’s not unheard of for threats to linger in an environment for months collecting information or disrupting business.

As opposed to other protection techniques, one of the unique things about machine learning is that you have to teach it. It must be trained to understand what to look for to accurately identify a threat, then constantly updated because new threats are always emerging. So a quality education is very important; otherwise it will flag threats that don’t really exist – in other words, you get A LOT of false positives.

Quality education, in this case, means using vast amounts of rich data that is constantly refreshed with new global threat data. By rich data I don’t mean training your machine learning with known malware alone – it’s too easy for hackers to evade this technique. Training must be done using both good and bad files, with constant updates of the newest threats and Indicators of Compromise (IOCs). Really good machine learning uses very sophisticated algorithms and highly trained classifiers to be able to learn to spot the newest threats – but long term it really comes down to the quality of the dataset. To most accurately spot new or previously unknown threats, which is where machine learning has the greatest value, you need a constant supply of the best global threat data possible.

We should also be clear that there are different types of machine learning: reputation-based, behavioral, and attribute-based. All of them have a place in identifying threats, and all should be a part of your endpoint protection solution.

But as I said above, nothing is ever 100% effective by itself. You want other weapons as a backup and for use later in the kill chain – the bottom line is you want that threat eliminated by whatever means possible. That’s why you can’t rely on machine learning alone as the answer to all your protection needs. You must make sure your endpoint protection solution can also effectively identify and eliminate threats during payload execution or when the threat attempts some form of outbound communication.

To sum it up – make sure you have the best protection against threats:

  1. Ensure your solution is initially using the best and most varied dataset possible, from a global source, to train the machine learning

  2. Ensure your solution is being constantly updated, again from a global source, to catch the most new and unknown threats with the fewest false positives

  3. Acknowledge that machine learning alone is not enough; make sure you have weapons to protect you throughout the kill chain, as seen below – Intrusion Prevention Services, proven signature-based technology, browser protection, device and application control, memory exploit mitigation, and capabilities to address custom-packed malware.

[Image: Kill chain layers 1]

Machine learning is an important weapon, but it’s not the ONLY answer.

Learn more about endpoint protection at http://go.symantec.com/sep
