Machine Learning: Still Playing Defense

The volume and sophistication of cyber attacks have clearly stretched cyber defenses past the capabilities of human minds. Organizations are now leveraging a growing array of Artificial Intelligence (AI) and Machine Learning (ML) technologies to raise the level of security of their network infrastructure. It’s worth understanding the advantages of an AI/ML approach to cyber defense, but at the same time, it’s important to recognize the overall limitations of “playing defense.”

For background, attackers have been easily evading traditional security solutions for years. It seems that almost every breach eventually makes it to the endpoint. AI/ML security tools can conduct behavioral analysis on network traffic and spot anomalies that suggest improper activities. For example, a well-tuned AI/ML security tool (and that’s already an assumption) might identify a suspicious pattern of file uploads. In self-teaching mode, it can establish that the pattern represents an anomaly and issue an alert to the security team. A person would never see what these machines can see.
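As an added illustration of the baseline-then-alert behavior described above (example code, not the article's or any vendor's tool), the following Python learns a per-user upload baseline from a few constructed log lines and flags later uploads that deviate from it. The log format, field layout, thresholds and host names are all assumptions made for this example.

```python
"""Baseline-then-alert check over constructed file-upload events.

Added example, not the article's or any product's code. Log lines, field
layout, thresholds and host names below are constructed assumptions.
"""
from statistics import median

# Constructed log lines: timestamp user action destination_host bytes
SAMPLE_LOG = """\
2024-01-08T09:02:11Z alice upload files.corp.example 512000
2024-01-08T09:40:03Z alice upload files.corp.example 760000
2024-01-09T10:12:45Z alice upload files.corp.example 640000
2024-01-10T08:55:20Z alice upload files.corp.example 590000
2024-01-11T11:03:09Z alice upload files.corp.example 700000
2024-01-12T02:14:37Z alice upload paste.untrusted.example 48000000
"""

def parse(log):
    """Split each log line into a dict; bytes becomes an int."""
    events = []
    for line in log.splitlines():
        ts, user, action, host, size = line.split()
        events.append({"ts": ts, "user": user, "action": action,
                       "host": host, "bytes": int(size)})
    return events

def baseline(events, user):
    """'Self-teaching' step: median and MAD of upload size, plus hosts seen."""
    sizes = [e["bytes"] for e in events
             if e["user"] == user and e["action"] == "upload"]
    med = median(sizes)
    mad = median(abs(s - med) for s in sizes) or 1.0  # avoid divide-by-zero
    hosts = {e["host"] for e in events if e["user"] == user}
    return med, mad, hosts

def score(event, med, mad, hosts, k=5.0):
    """Return the reasons an upload looks anomalous against the baseline."""
    reasons = []
    deviation = abs(event["bytes"] - med) / mad
    if deviation > k:
        reasons.append(f"size deviates {deviation:.0f} MADs from baseline")
    if event["host"] not in hosts:
        reasons.append("upload to a destination never seen for this user")
    hour = int(event["ts"][11:13])
    if hour < 6 or hour > 20:
        reasons.append("upload outside the user's normal hours")
    return reasons

def detect(log, train=5):
    """Learn from the first `train` events, then alert on the rest."""
    events = parse(log)
    alerts = []
    for user in {e["user"] for e in events[:train]}:
        med, mad, hosts = baseline(events[:train], user)
        for e in events[train:]:
            if e["user"] == user and (reasons := score(e, med, mad, hosts)):
                alerts.append((e, reasons))
    return alerts
```

Each alert carries the event and the concrete reasons it tripped, which is what an analyst needs to triage it rather than a bare anomaly score.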

As deep machine learning mimics the way the human brain thinks, endpoint security technologies like AV, SWG, and firewalls have evolved using ML and behavioral analytics. Thus armed, endpoint systems with AI/ML can also detect and stop malware — even previously unknown variants — without relying on updates and signatures. Will AI and ML ever truly be enough, however? The headlines we read every week prove that playing defense is not enough. For total cyber resilience, enterprises need to move from a defensive, reactive model to a streamlined proactive approach. AI/ML can do a good job in the detection and response process, but these tools are still largely relevant after the fact, and that is typically too late.

With the unprecedented rise in sophisticated malware techniques, enterprises must take steps to look beyond the layers of defense and take a proactive security approach. This is where isolation-based security can be considered. An isolation-driven approach is based on the assumption that everything from the internet arriving at the end user’s browser is bad, and hence needs to be isolated at the initial point of contact. Malware cannot enter the infrastructure, as all browsing-related functions are processed within a VM container that is hosted outside the firewall. An isolation strategy thus ensures complete protection from advanced web-based malware while preserving a seamless end-user experience at the endpoint.

John Klassen

Sr. Director - Product Marketing