Automating Cybersecurity

Machine learning moves to the front lines of defense against an expanding threat surface.

Recent events drive home the reality that cyber risks are growing more devious and complex, while the culprits behind them act with impunity. To keep the upper hand, CISOs need a way to leapfrog the mechanisms in use by bad actors.

The extraordinary rate of automatically generated information compounds the challenge. Machines such as sensors, location trackers, webcams, smart vending machines, and other types of devices use automation to create vast amounts of data that we need to protect. Our digital interactions also are growing more automated. We can touch a screen or use a voice command to trigger data access—and to create new data that’s processed and often stored in that same device.

In short, mountains of data are being automatically generated, but most organizations are still using outdated security products to protect it. Those products rely on humans to correlate and filter an overwhelming volume of alerts from a variety of separate systems so they can make critical risk decisions. This is a process that no longer scales and leaves organizations increasingly vulnerable. And when manual systems don’t scale or integrate well, chinks in the security armor appear, inviting malware to slip through and resulting in costly breaches.

Fighting Automation with Automation

At Juniper, we believe that the effective protection of businesses with growing volumes of data should be fueled by automation. In fact, we see security as one of the best uses for automation in the networking industry. That’s because the most effective way to stop a threat is to convert it as quickly as possible from an unknown to a known threat, and then to a widely known threat. Automation is pivotal to doing that rapidly.

Machine learning, which enables that automation, is an approach to achieving artificial intelligence (AI)—human intelligence exhibited by machines—using algorithms to learn from data and make determinations and predictions. Machine learning algorithms need massive amounts of data to learn and provide accurate outputs. How data-rich a system is, then, will determine how likely you will be able to thwart a security incident before any damage is done.

We advocate that, at a minimum, cybersecurity measures should be augmented with automated machine learning. Why? Cybercrime is poised to be a $2 trillion problem by 20201. Even if humans could keep up with the data volumes and the risks, there’s a dearth of talent able to deal with them. Nearly 1.5 million Sec-Ops jobs will go unfulfilled because of a lack of skillsets by 20192. And Enterprise Strategy Group indicates that 45 percent of organizations report a problematic shortage of cybersecurity skills today, more than any other area within IT3.

In addition, many organizations deploy standalone security products for different kinds of protection and then struggle to manage the point products that often won’t integrate with one another. As a result, more emphasis is being placed on managing multiple security products than on actually defending an organization or proactively preparing for the next assault.

Valuable information that we need to quickly identify and stop malicious activity is already being collected by the telemetry in our networks. Augmenting security solutions with intelligence that can quickly identify anomalous behavior and automatically create countermeasures before damage is done is what’s needed to effectively protect our people, data, and infrastructures today.

Outwitting the Malware

Traditional antivirus programs are widely used to detect and neutralize threats that have already been discovered and have a known signature. In fact, in the cases of the most damaging advanced persistent threats (APTs) of 2015, all the victim companies had up-to-date antivirus systems4. Clearly, antivirus is not up to the task of defeating the sophisticated exploits surrounding us today, and many organizations have deployed advanced malware defense products into their already complex security environments.

It’s our view that conquering the explosive wave of cybercrime requires taking advantage of machine learning in cybersecurity solutions. Machine learning uses algorithms to analyze data, learn, and then predict. A “narrow” form of AI, machine learning can operate at scale to rapidly process and correlate millions of variables simultaneously to learn what is normal in network traffic patterns and usage and what is not. What the machines learn can be used to identify malicious behavior and stop impending attacks. Machine learning, then, promises to better equip us with the weapons we need to win the war against cybercriminals by predicting what they will do next.

Consider ransomware, such as the recent example of WannaCry. Most ransomware encrypts or otherwise corrupts an organization’s data—and holds it hostage for cyber payment—faster than any human possibly could. An advanced malware defense solution augmented by machine learning can analyze traffic, find the exploit that carries the ransomware, provoke that ransomware into revealing itself, tag the content as malicious, contain it, and then use that learning on future traffic to determine threat levels.

That’s not to say that the traditional security products don’t have their place. They do the brute-force filtering of all the known bad traffic that attempts to enter a network, and they’re still an essential component in fighting cybercrime. We believe in deploying machine learning on a variety of both new and existing tools that work together as a system in the cloud so that they can be changed and updated quickly, in a highly scalable manner, as new threats emerge.

Integration Is the Name of the Game

Integrating machine learning across all threat prevention products in a security solution is key. Such solutions would continually and dynamically learn to identify normal behavior in software structure, software behavior, and network traffic patterns. Millions of variables and data points can be analyzed at once to flag anomalous behavior that could signal an impending breach.

We advocate combining traditional signature and rules-based detection with machine learning to catch known threats as well as unknown and still-undetected malware. To this end, combining static analysis of malware signatures and dynamic analysis to identify new threats results in fast and precise protection. We recommend deploying these solutions in the cloud, to take advantage of the vast computational power that collectively resides there, and also so that the machine learning models can be quickly updated, retained, and applied to the ever-changing threat conditions. This way, cybersecurity solutions can quickly detect and stop new threats prior to their being identified or analyzed by the industry at large.

Machine learning doesn’t completely remove the need for human judgment. However, it can scale the knowledge of skilled security analysts to large data sizes and risk landscapes. And it can be integrated with other security processes to let each of them scale appropriately as the volume of data and the complexity of analysis increase with time.

Learn more about this topic in the resources for this article.

1 Source: Forbes, January 17, 2016.
2 Source: CSO Magazine, July 28, 2015.
3 Source:
4 FireEye M-Trends Report, 2015