With the rate of malware rapidly escalating – and given the impact that malware can have in an incredibly short timeframe – being able to respond quickly to emerging threats is critical to protecting an organisation’s network and data.
For example, the infamous WannaCry ransomware, which affected everything from small businesses to train stations, and even hospitals, had the impact that it did because it spread like wildfire; in just five days it had been detected in 250,000 places across 116 countries.
The speed at which malware can spread is a real challenge for organisations; by the time a new piece of malicious code has been discovered and analysed, it might have already infected a significant number of computers or networks.
For its part, the security industry is investing deeply in machine learning and artificial intelligence to address this challenge.
Machine learning operates by analysing thousands upon thousands of pieces of data to, over time, “learn” the difference between benign pieces of code and malware. This structure also means that a security solution that involves machine learning can learn to detect what is likely to be malware, even when it is a completely original or remixed piece of code. It’s the latter capability that is so critical in the modern IT environment, where new pieces of malicious code are being created frequently.
Forward-thinking organisations have seen the value that machine learning can offer to IT security. According to a recent study, almost half of all organisations (47 per cent) have already deployed machine learning solutions, and a further 23 per cent are engaged in pilot projects. The key concerns that these organisations have – and are hoping that machine learning security solutions can address – are the kinds of malware that signature-based detection systems struggle with, such as zero-day exploits of new and unknown vulnerabilities (31 per cent) and fileless attacks that employ weaponised content (29 per cent). Ransomware is high on the list too, with 23 per cent of organisations expressing concern about it.
Machine learning is all about the data quality
Machine learning solutions cannot simply be deployed fresh into a live environment. The nature of the technology means that it needs to be exposed to a great deal of data before deployment, so that once it is in a live environment it doesn’t spend a period of time ineffectively learning to differentiate between healthy data and malicious code.
“You can’t have a good machine learning model without that existing data,” Hilary Sanders, data scientist at Sophos, said. “We are getting that data from our old signature-based detection methods and our analysts, and we have a massive database of benign files and malicious files, and we are using those files to teach machines. It’s not a case of it being on the customer’s desktops and learning from scratch, it is about leveraging the back-end and learning before deploying.”
Data is going to be an even more critical battlefield for security vendors. The more comprehensive and robust the vendor’s database is, the more effective its machine learning solution will be in detecting threats in real time.
Sophos certainly sees machine learning as a significant part of its future. At the start of the year, Sophos acquired Invincea, a machine learning specialist security vendor, for $100 million. Invincea was launched to address the rapidly growing zero-day security threats that are proliferating on the Internet.
“Invincea is leading the market in machine learning-based threat detection with the combination of superior detection rates and minimal false positives,” Kris Hagerman, CEO at Sophos, said in a press release at the time. “Invincea will strengthen Sophos’ leading next-gen endpoint protection with complementary predictive defences that we believe will become increasingly important to the future of endpoint protection and allow us to take full advantage of this significant new growth opportunity. We are proud to welcome the Invincea team to Sophos and look forward to introducing the benefits of this advanced technology to our customers and partners worldwide.”
Sophos is already developing comprehensive and robust products that incorporate machine learning. One of the additional benefits of machine learning as a technology is that it doesn’t require additional skillsets or training on the part of the user. For example, the Sophos XG Firewall offers what machine learning promises – the ability to block unknown threats, automatically respond to incidents and expose hidden risks, while also providing users with complete transparency and an easy-to-manage control centre. Sophos Sandstorm, meanwhile, is a cloud-based service that operates seamlessly with the Firewall, UTM, Web Appliance and Email Appliance products, while offering the additional layer of security that machine learning provides and, as a cloud service, also giving the ability to work remotely with partners to manage the application.
Only machine learning can scan a new file and determine whether it’s malicious or not. It’s not a technology that will replace existing approaches to security, but with the emergence of fast-moving malware attacks – attacks that are increasingly difficult to respond to before they’ve caused significant damage – machine learning will be the best defence going forward.