Machine learning holds great promise for security operations

Over the past two years machine learning has found a firm place in the cybersecurity industry, and its benefits are indisputable. Through machine learning, we’ve seen capabilities added to security technology that make tangible improvements to our cybersecurity posture.

Cybersecurity marketers have also gotten hold of machine learning and it has become the buzzword du jour in many respects. When you’re able to cut through the clutter, you will find that machine learning is more than just a buzzword and we should work to fully understand its benefits without overly relying on it as a silver bullet.


What is Machine Learning?

Many people reference machine learning and artificial intelligence as if they are the same thing, when in reality they’re slightly different. Machine learning is a subset of artificial intelligence that focuses on computers having the ability to learn and predict outputs based on algorithms and statistics without being directly programmed to do so. One of the many ways this is used in cybersecurity is for the automatic identification of behavior-based anomalies.

Machine learning comes in two flavors – supervised and unsupervised learning. With supervised learning, the system is fed data sets to learn from so it can make intelligent decisions in the future, such as identifying malicious activity. With unsupervised learning, a system uses configured algorithms to understand what’s normal and alerts on behavior that changes or deviates from the norm.

We’ve seen the rise of machine learning come to fruition as the old school method of signature-based threat detection has lost its luster. With signatures, you’re only as good as your last signature and won’t catch anything new. There always has to be a sacrificial lamb – someone who gets hit with a zero day or new threat – that spurs the cybersecurity industry to update what it deems nasty and nefarious. Machine learning builds on what security practitioners have collectively learned and experienced with signatures (that methodology was an important stepping stone to get us to today) and helps eliminate many of the weaknesses inherent in signature-based methodologies.

Machine Learning Requires Security Analysts to be Successful

Skynet this is not. With all the potential machine learning holds, we can’t forget that these features still require human interaction in order to have the greatest efficacy. Machine learning is not meant to replace analysts, but to supplement them and help equip them to make quicker and better decisions.

Additionally, like other emerging technologies, machine learning can be implemented to assist security analysts and engineers in being more proactive. Doing so includes adding processes and procedures to govern machine learning-based technology.

Security operations teams who will get the most out of machine learning are those who take a layered approach: good leadership guiding trained engineers who are equipped with efficient tools and proper governance. Machine learning fills a few of these criteria, but by itself it’s just a tool. What makes all the difference is putting these tools in the right hands, so that tasks and incidents that would otherwise never have been seen are surfaced automatically and can receive deeper insight and analysis.

Machine learning is awesome, it’s a game changer, but it’s not a replacement for your staff. It’s a force multiplier that allows security departments to alert on and detect threats with greater confidence to protect your data and systems.

Threat Actors Dig Machine Learning Too


As with anything that works, we’ve seen threat actors take advantage of machine learning’s sophistication by implementing aspects of it into their tools. This is shifting the way the bad guys implement attacks.

Over time, we’ve seen how quickly attackers have been able to easily bypass signature-based technology with evasive techniques. For a brief period, early white hat adopters of machine learning helped shift the playing field slightly in favor of the good guys. However, this didn’t last for long and attackers were quick to respond to the shift by attacking different vectors or implementing machine learning into their own techniques.

One example is evident in the latest strains of malware. New malware has been designed to abuse macros and operate in memory, limiting what machine learning endpoint technology can see. We are also seeing attackers put rudimentary versions of machine learning into their own malware to learn about victims before dropping their payload or compromising data. Attackers aren’t stupid; they take notice of what works and how it can be adapted for their own gain.

How Security Operations Teams Can Leverage Machine Learning

The biggest claim vendors make for their machine learning features is that they help security teams and their technologies adapt to the arms race that is happening in cybersecurity. In broad strokes, this is true, but let’s look at what this actually means.

Machine Learning for Prevention and Detection

Machine learning has arguably had the largest impact on prevention and detection technologies. The ability to continually and dynamically learn what’s “normal” in behavior, traffic patterns and usage across an organization’s environment helps machine learning-enabled tools to be more effective in finding and preventing new attacks. For security operations practitioners, this makes machine learning an important ally in the identification of threats and the proactive blocking of known bad activity so more focus can be placed on investigation and incident response.
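The unsupervised flavor described in the two-flavors paragraph and in the paragraph above can be made concrete with a small sketch. This is an added example, not code from the original post or any vendor product: it learns each user’s “normal” upload volume and working hours from constructed, unlabeled history, then reports how a new event deviates. The user names, volumes, and the robust z-score threshold are all assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry, not real data: (user, hour_of_day, megabytes_uploaded).
BASELINE = [
    ("alice", 9, 12.0), ("alice", 10, 15.0), ("alice", 11, 14.0), ("alice", 14, 13.0),
    ("alice", 15, 16.0), ("alice", 16, 11.0), ("alice", 9, 13.0), ("alice", 10, 14.0),
    ("bob", 9, 2.0), ("bob", 10, 2.5), ("bob", 11, 2.0), ("bob", 14, 3.0),
    ("bob", 15, 2.0), ("bob", 16, 2.5), ("bob", 9, 2.0), ("bob", 10, 2.0),
]

MAD_FLOOR_FRACTION = 0.1  # assumed: keeps very flat histories from flagging tiny wobbles


def learn_baseline(events):
    """Unsupervised step: summarise what is 'normal' per user from unlabeled history.
    Median and MAD are used instead of mean and stddev so a single outlier in the
    training window does not drag the baseline with it."""
    volumes = defaultdict(list)
    hours = defaultdict(set)
    for user, hour, mb in events:
        volumes[user].append(mb)
        hours[user].add(hour)
    baseline = {}
    for user, vals in volumes.items():
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals)
        # Edge case: a user whose history is nearly constant has MAD == 0,
        # which would turn every deviation into an infinite score.
        mad = max(mad, MAD_FLOOR_FRACTION * abs(med), 1e-6)
        baseline[user] = {"median": med, "mad": mad, "hours": hours[user]}
    return baseline


def score_event(baseline, user, hour, mb, threshold=3.5):
    """Return the reasons an event deviates from the user's norm; empty means normal."""
    prof = baseline.get(user)
    if prof is None:
        return ["unknown user: no baseline"]
    reasons = []
    z = 0.6745 * (mb - prof["median"]) / prof["mad"]  # robust z-score (MAD scaled to sigma)
    if z > threshold:
        reasons.append(f"volume {mb}MB is {z:.1f} robust-sigma above median {prof['median']}MB")
    if hour not in prof["hours"]:
        reasons.append(f"hour {hour:02d}:00 outside observed working hours")
    return reasons
```

An analyst would tune the threshold and the baseline window per environment; the point is that nothing here was labeled as malicious in advance, which is what distinguishes this from the supervised flavor.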

Machine Learning for Incident Response

With machine learning, millions of variables and data points can be analyzed automatically to pinpoint anomalies that could be indicators of compromise. By ingesting threat intelligence and using a combination of both supervised and unsupervised learning, security operations teams can use machine learning to make meaningful improvements to incident response programs. As an example, machine learning can be applied to surface similar anomalies that have arisen previously, thereby shortening the analyst’s investigation time, giving them important points of reference, and even potentially deploying the proper incident response playbook. Through these uses, security organizations can make real progress in driving down incident response metrics like MTTD and MTTR.

Machine Learning for SOC Management

Less-often talked about, but of equal importance, is the application of machine learning to day-to-day SOC management. Machine learning has the ability to not only get smarter about the activity that flows THROUGH your SOC, it can also get smarter about the activities OF your SOC. Maybe you have an analyst who is incredible at handling phishing cases and is able to investigate and remediate them faster than others on staff. Machine learning can enable your SOC management systems to get smarter about who on your team is best for handling a particular type of threat and automatically assign that analyst when the next case arises.

While you should always be wary of cybersecurity buzzwords, machine learning truly does have tremendous promise for security operations teams. The technology is giving SOC teams a leg up in many areas, including predictive and behavioral analysis, and it will continually change the ways we add visibility into our networks and systems, conduct investigations, respond to incidents and manage security operations.