Researcher Proposes Using Machine Learning to Improve Network Defense
The Black Hat Conference late in July will include a presentation by a security researcher about a project aimed at using machine learning to improve security monitoring and event detection.Getting the most out of mountains of log data can be trying to say the least. In a conference where many are focused on defeating security, independent researcher Alexandre Pinto wants to find ways to make defending enterprise networks both smarter and easier. At the upcoming Black Hat conference in Las Vegas, Pinto plans to discuss how machine-learning algorithms can be used to help organizations get more value from their logs. "The amount of security log data that is being accumulated today, be it for compliance or for incident response reasons, is bigger than ever," said Pinto. "Given a recent push on regulations such as PCI and HIPAA, even small and medium companies have a lot of data stored in log management solutions no one is looking at. So, there is a surplus of data and a shortage of professionals that are capable of analyzing this data and making sense of it." SIEM (security information event management) functionality relies too much on very deterministic rules, he added. For example, a rule might state that if something happens in a network "X" amount of times, it should be flagged as suspicious. The problem is that the "somethings" and the "Xs" change between organizations and evolve over time, he said.
"But this is not exclusively a tool problem," he said. "I have seen really talented and experienced people be able to configure one of these systems to really perform well. But it usually takes a number of months or years and a couple of these SOC [security operations center] supermen to make this happen. I used to run teams like these in my previous position, and I understand the challenges involved."