Man + Machine Cybersecurity: Machine Learning is Essential to Fighting Attacks
Something is materially broken with web application security and, as a result, critical attacks are being missed. According to a new report from Kaspersky Lab, 73 percent of corporate network breaches in 2017 were achieved via vulnerable web applications. There are a variety of factors contributing to the problem: resource constraints, concerns over false positives and the sheer volume of the attack surface.
The good news is that machine learning can be applied to help overcome these issues and strengthen application security.
The bad news? Most companies are failing to harness the full power of machine learning.
Despite today’s heightened security environment, many organizations continue to employ legacy web application firewall (WAF) technologies that rely on binary signatures or rules to thwart malicious activity. These rules are almost always out of date and blocking individual IPs can only get you so far. Hackers increasingly have access to multiple IPs and can easily pivot to another as soon as they are blocked. Some attacks, such as “credential stuffing,” are run from botnets as large as 50,000 IPs to avoid triggering account lockout procedures.
In addition to these security pitfalls, this antiquated, binary approach can actually negatively impact the business by inadvertently blocking non-threatening entities, including prospects or customers. That’s why it’s critical for companies to deploy next-generation technologies that provide the context needed to accurately identify sophisticated threats — without sacrificing a seamless user experience or returning endless false positives.
Machine learning can be leveraged to cut through the ever-growing stream of cyber-attack “noise” by classifying the events that require action. Unfortunately, most of these draw on statistical models which, in the ever-changing internet environment, prove ineffective. Full AI models are even more complicated, requiring large and accurate training and testing sets, and are unable to protect against new zero-day attacks.
Therefore, I propose a hybrid model whereby machine learning techniques are combined with other proven and tried technologies such as contextual signatures and behavioral analysis. Where a legacy WAF would automatically block any activity classified as abnormal, a hybrid approach drawing on machine learning applies an additional layer of intelligence to determine whether the activity is truly a threat or simply a benign variance—a typo or a new character, for example.
A next-generation WAF also enables organizations to utilize legacy approaches with a higher degree of success. For example, even if old school signatures are used as an indication of something malicious, machine learning allows companies to be much more intelligent in their approach. The technology can be used to profile the application itself, determining tech, webform locations and other dimensions. Dynamic signatures can then be crafted to detect abnormal behavior applicable to the respective application. After all, WordPress attacks against a Drupal application engender much less concern than a targeted, complex attack against a business-critical application.
Then there is the attacker dimension. Machine learning can route questionable entities through a series of interactions, or “interrogation” techniques, to determine whether they are malicious in nature. Not all attackers are created equal, however—some may attempt a known, zero-day attack at every opportunity while others may engage in a complex, targeted attack comprising web application attacks, phishing and other forms of social engineering, while still others may “probe” for vulnerabilities with more benign methods. As such, the type of interrogation technique varies based upon the attack actor and their observed behavior.
Employing machine learning with behavioral analysis allows organizations to track the behavior of each attacker and assign unique risk profiles. If the exhibited behaviors do not combine to reach a defined risk threshold, they are not blocked. This greatly reduces the likelihood of false positives and also prevents legitimate, customer and potentially revenue-impacting traffic from being blocked.
The above are just a few ways in which machine learning and behavioral analysis can help organizations shore up application security. So why have so few companies adopted the technology’s benefits?
In my experience, it’s largely due to some chief misconceptions that can be easily cleared up:
- Resource Burden: Traditional WAF solutions require a significant amount of manual threat analysis, but this time-intensive effort is all but eliminated by machine learning and other next-generation WAF technologies. In addition, deploying these solutions can help organizations reduce the number of point products in their security environment by addressing content management, load balancing, DDoS, bot mitigation and other concerns via one integrated platform. As such, companies make a critical mistake when they view next-generation WAFs as yet another tool to manage. The right technology can actually alleviate their pressing resource challenges rather than add to them.
- Trust: The prevalence of false positives associated with legacy WAFs has made many organizations distrustful of the technology. However, as outlined above, machine learning and behavioral analysis offer an entirely new and more effective approach to blocking.
Overcoming these and other barriers to invest in machine learning, behavioral analysis and similar emerging technologies is a fundamental step in fixing the broken link in web application security. A recent Ponemon survey found that, while 73 percent of organizations surveyed use a WAF, 80 percent were compromised in some way. By deploying machine learning and the other capabilities inherent in next-generation WAFs, companies can enhance their application security environment and thwart even the most advanced, persistent threats. As such, it’s vital that organizations embrace machine learning today as an essential part of their security strategy.
Andrew Useckas is CTO of Threat X.