In January 2016, Microsoft published a blog post detailing how it is leveraging machine learning within Azure Security...
Center. Specifically, Microsoft uses machine learning in the cloud to enhance its threat detection and simplify security management. Mark Russinovich, Azure's CTO, gave a presentation at the 2016 RSA Conference describing the company's machine learning efforts, providing more detail around the staggering quantities of security data Microsoft processes on a daily and monthly basis.
Given the security industry's focus on machine learning right now, it's key that security professionals have an understanding of what it is, how cloud environments may better enable machine learning, and what it means for improving the state of information security overall. In a nutshell, machine learning focuses on pattern recognition and behavioral event and information analysis to allow computers to "learn," or modify processing instructions and software behavior, without being explicitly programmed to do so. In the realm of information security, this will translate to large-scale data analytics and processing of security events, with the major goal of building better understanding of security behaviors and event baselines that could lead to more effective incident triage, event prioritization and response tactics.
How cloud can improve machine learning
Cloud service environments hold much promise for building and leveraging machine learning capabilities. To truly process and analyze millions or even billions of events -- and extract some useful security intelligence -- security analysis and correlation algorithms will need to operate at massive scale, which cloud-based infrastructure -- large numbers of virtual machines operating in concert -- can provide. To develop a true cloud-based machine learning environment, organizations will need to process huge amounts of information, and analytics engines of this magnitude may be prohibitively expensive to develop and maintain in-house.
Most of the major cloud providers have been building and using huge numbers of systems with complex query interfaces and reporting overlaid on them to provide machine learning in the cloud for some time. Google Cloud Machine Learning Platform has been used to perform photo and voice recognition, as well as mail content matching, and developers are able to access the platform as of March 2016. Amazon Machine Learning offers visual wizards and query generation tools that can then be accessed via APIs for billions of predictions daily. In addition to Microsoft's platform, there are several other providers offering machine learning options, including IBM Watson and Hewlett Packard Enterprise's Haven OnDemand.
To date, Microsoft is the only major provider actively touting the security benefits of its machine learning platform. The key to machine learning in the cloud for security is having more data, and numerous diverse data sets that represent possible outcome and incident scenarios that algorithms can learn from and generate predictions based on. Microsoft is currently focusing primarily on authentication and logon data and events generated through its strong ties to Active Directory users and Microsoft-centric identity services, looking for anomalous use of accounts and privileges. They are also focusing on very cloud-specific use cases, such as abuse of Azure APIs and location-based activities that may be malicious for specific accounts. Other cloud providers are likely to follow suit, although they may not have the depth of enterprise integration that Microsoft has given its ties to Active Directory data.
Machine learning in the cloud seems like a beneficial technology, both for operations and security teams -- is it? Today, machine learning looks promising to help sift through staggering quantities of data and start predicting likely malicious attacks and threat vectors. However, any machine learning approach is driven by its analytics engine and defined algorithms, and these will need scrutiny to ensure they don't introduce any bias into the analysis process. Over time, it's likely that more cloud providers will tie their machine learning capabilities to security benefits just like Microsoft, so the time is right for security teams to educate themselves on machine learning in the cloud and get more familiar with how it may play a role in security data processing in the future.
Learn more about the essentials of machine learning methods
Discover how machine learning can improve online experiences
Evaluate the key factors for machine learning cybersecurity products