Our solution presents some key features for accelerating cyber investigations: data exploration through visualization, collaborative investigation sharing module, automatic reporting and ... a lot of Machine Learning.
It seems important to us to explain in more detail our vision of Machine Learning and how we use it to support analysts in their daily work.
Why Machine Learning exists?
Today's machines are good at automation. They can execute tasks faster, millions of times and with precision. Algorithms and programs are essentially lists of tasks with some logic. Explain to a machine what you want to do, and it can run it millions of times on millions of machines.
However… what if you don't know how to solve the problem, or can't express the solution? Programming isn’t for the faint of heart.
Enter Machine Learning, when programs are designed to learn to solve problems. Basically, how can we automate learning?
The ultimate dream of Machine Learning is to have a system which can automatically learn what normal activity looks like, or what a cybersecurity incident looks like, and can automatically react to stop them. This means that most Machine Learning has focused on the detection stage and is detached and autonomous from cyber teams.
The question is: can you have truly unsupervised Machine Learning in cybersecurity to categorize events into a good or a bad category and react accordingly?
In fact, Machine Learning can help a lot but it’s not yet 100% autonomous. It can always make mistakes. We haven't succeeded yet in building a system which only finds real incidents (no false positives) and that never misses anything (no false negatives).
In some domains, mistakes can be made and the impact is "lessened". But in cybersecurity, the wrong mistake could be fatal, especially if it’s replicated at scale.
In cybersecurity, people are still crucial to oversee detection, filtering out false positives and hunting for new threats. They are also essential for responding to incidents. After all, who would, in one hand supervise an automatic detection system and at the other trust at 100% an automatic response system?
But today, Machine Learning models are difficult to oversee. For example, when do you know it has learned enough? Or how do you know what it has learned?
Machine Learning as a cybersecurity copilot
At Malizen, we believe in Machine Learning! However, we believe in the partnership between Machine Learning and human intellect. The key for us is the ability of Machine Learning to support and accelerate humans, not replace them.
Our approach is to learn from analyst’s decisions, to only make recommendations with context so that people can understand them faster, then agree or object and so speed up the process. We are designing a technology which can learn from successes to teach newcomers faster and optimise the detection phase. This approach makes it possible to support junior analysts to be operational more quickly and easily. This isn’t a luxury in a context where organisations are facing a shortage of cybersecurity talent and must be able to train newbies in cybersecurity.
Our technology also identifies what can be automated away, so people can focus on their core expertise and make the right decisions. Let’s take some examples …
As we know, in all threat hunting investigations, knowing where to start and avoiding blind spots could remain complicated. Our copilot suggests the analysts the types of data to explore for each step of the investigation even for the first one. The aim: to speed up cyber investigations.
The MITRE ATT&CK framework is very effective in describing a complete attack. There is no longer any doubt about that. However, it’s sometimes difficult for an analyst looking at a point of interest in his investigation to determine what technique or tactic the attacker is using. This is where our Machine Learning based-copilot comes into play to propose the most relevant techniques and tactics according to the progress of the investigation. Let analysts focus on identifying anomalies in their datasets to speed them up on standardised classifications.
Our developments in Machine Learning are continuous and our copilot is learning every day from the users of the platform. Always with one objective in mind: simplify to speed up cyber investigations!