
Fighting Cyber Threats with Machine Learning


Author: Mikko Viitaila, National Technology Officer, Microsoft Oy

I’m sure you know someone like Alex, a salesperson whose main responsibility is to engage with customers online and face-to-face. He spends a lot of time writing and replying to emails, conducting market analysis, searching the web for information, and engaging in discussions through blog posts and social media. He has a PC, a tablet and a smartphone, and to stay on top of things, he sometimes uses his own devices, which are not controlled by his employer. In his busy day-to-day business, the security policies and training content sometimes slip his mind, and he tends to treat all emails the same way: opening them and clicking the links without questioning the source or purpose of the email. He is an easy victim for ransomware as well as social engineering techniques, and, even worse, a targeted attack on his or his device’s credentials could already have taken place, giving the attacker access to his employer’s IT environment.

What if we could protect Alex even better, or even prevent him from causing unintentional risk for his employer?

Future vision: every employee and organization is safe

Traditionally, security controls and tools have focused on identifying risks, protecting assets and detecting adversaries, and then responding to and recovering from attacks. This is the basis of, for example, the NIST Cybersecurity Framework, whose latest update was published earlier this year. In the very near future, advances in machine learning capabilities such as deep learning and transfer learning, combined with the global infrastructure of public cloud services and the large amounts of data available, could make it possible to better protect Alex and his employer from the threats described above.

The key to more effective protection is machine learning models that keep learning. They learn by collecting, monitoring and analyzing the actions and activities of users and their devices, such as Alex’s, as well as irregular activity in the global cloud infrastructure. This data is then compared with lessons learned from previous attacks. Combining all of this, machine learning models can be taught to predict whether something unusual and never seen before is happening. As a result, users and organizations would be much better protected, and a new element, predicting risks and threats, could be added to the NIST Cybersecurity Framework.

With this prediction capability, mitigating controls can be applied to the user, his or her devices and the infrastructure even before something harmful happens. This may involve antivirus signatures, more secure configurations such as stricter two-factor authentication requirements, more frequent or more thorough virus scans, or forced security updates.
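As an added illustration (not Microsoft’s implementation or the author’s code), here is a hypothetical, deliberately simple version of the loop described above: a per-user profile is learned from a constructed sign-in history, each new sign-in is scored by how far it falls outside that profile, and the score selects a mitigating control such as requiring a second factor. The event fields, thresholds and control names are assumptions; a production system would use far richer signals and trained models.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample of Alex's past sign-ins (not real telemetry):
# (hour of day, device id, country code)
BASELINE = [
    (9, "alex-laptop", "FI"), (10, "alex-laptop", "FI"), (14, "alex-phone", "FI"),
    (8, "alex-laptop", "FI"), (16, "alex-tablet", "FI"), (11, "alex-phone", "FI"),
    (9, "alex-laptop", "FI"), (13, "alex-laptop", "FI"), (15, "alex-phone", "FI"),
    (10, "alex-tablet", "FI"),
]

@dataclass
class Profile:
    """Frequency counts of what is normal for one user."""
    hours: Counter
    devices: Counter
    countries: Counter
    n: int

def learn_profile(events):
    """Build the per-user profile from historical sign-in events."""
    return Profile(Counter(h for h, _, _ in events),
                   Counter(d for _, d, _ in events),
                   Counter(c for _, _, c in events), len(events))

def risk_score(profile, event):
    """Score 0..3: one point per attribute never seen for this user,
    half a point for a rare one (< 10 % of history). Hours are matched
    within a +/- 1 hour window so 09:00 and 10:00 count as the same habit."""
    hour, device, country = event
    hour_hits = sum(profile.hours[(hour + d) % 24] for d in (-1, 0, 1))
    score = 0.0
    for hits in (hour_hits, profile.devices[device], profile.countries[country]):
        freq = hits / profile.n
        if freq == 0:
            score += 1.0
        elif freq < 0.1:
            score += 0.5
    return score

def mitigation(score):
    """Map the risk score to a hypothetical control (thresholds are assumptions)."""
    if score >= 2:
        return "block_and_alert"   # several never-seen attributes at once
    if score >= 1:
        return "require_mfa"       # stricter two-factor requirement
    return "allow"

def decide(profile, event):
    """Return (score, control) for one sign-in event."""
    score = risk_score(profile, event)
    return score, mitigation(score)

PROFILE = learn_profile(BASELINE)
```

Feeding `PROFILE` a weekday sign-in from Alex’s laptop yields "allow", a late-night sign-in from the same laptop yields "require_mfa", and a sign-in at 03:00 from an unknown device in a country he has never used yields "block_and_alert".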

Would this prediction capability prevent a possible attack from succeeding? I believe that it will make it less probable.

Data and intelligence to beat cyber attacks

Machine learning is already being applied in cyber security, as the cyber security community largely agrees that traditional signature-based antivirus is no longer enough in today’s world. Therefore, many security products already have embedded machine learning based detections. Additionally, the global cloud infrastructure provides new possibilities to detect threats before they escalate, a capability that has already helped organizations recover from outbreaks such as WannaCry and the MongoDB attacks in 2017. Despite some great progress, let’s not forget that this is a race. The adversaries also have the latest technology, techniques, and methods to evade these protections and detections.

We at Microsoft are in that race, too, to win for our customers. Machine learning capabilities are used extensively in our security solutions to protect our global cloud infrastructure. With solutions like Advanced Threat Analytics, Windows Defender Advanced Threat Protection, and Azure Security Center, we collect and organize vast amounts of security-related information and events into the Microsoft Intelligent Security Graph, a giant, interconnected data structure. With the graph, we train machine learning models to protect our customers. And just this year, we made the intelligence of the graph available to our customers through an API, to help them integrate this intelligence with their own tools and stay safe. Together with our customers, we continue to fight cyber attacks, relentlessly.