Cybersecurity Lessons Learned Using Machine Learning for Anomaly Detection
At Georgian, we invest in high-growth technology companies that harness the power of data and trust. We also build our own software that helps us identify and accelerate.
Just like magic, with cybersecurity you only notice when it goes wrong. And if something goes wrong for customers — like data breaches — it can be a very real cost to your business. So how do you ensure your cybersecurity practices can help you respond as quickly as possible?
Anomaly detection — looking at rare events or observations in your data that could be suspicious — is an important part of the cybersecurity process. Detecting anomalies can help you get ahead of potential cyber-risks, while also ensuring the data you’re working with is consistent (Working with inconsistent or poor data can make or break your AI project, after all!).
The magic of simple yet robust cybersecurity solutions can’t be understated for companies. Making cybersecurity a priority by identifying threats and protecting assets is key to building their clients’ trust, since they know their data is secure within your systems. To identify threats, we need to ensure we can detect anomalies, in any shape or form.
During the past year, the Georgian team supported several cybersecurity companies in our portfolio to help improve anomaly detection through machine learning. In this blog, we’ll share some considerations in using machine learning for anomaly detection in cybersecurity.
#1 Anomalies are not always threats
Anomalies in the data can arise due to many factors, e.g. holiday season, power outage, change in user behavior and more.
While machine learning and signal processing methodologies can be very effective at identifying anomalies, additional context is helpful to understand whether these anomalies are truly a threat.
After the automatic anomaly detection, these contexts can be implemented as rules on top of model prediction. When not possible, experts are usually needed to validate these anomalies.
Similarly, not every threat will show up as an anomaly.
Some attacks are done very meticulously, ensuring that the signals would not deviate from the norm. It is important to keep these points in mind and to treat automatic anomaly detectors as useful tools working in a bigger context.
#2 Start with simpler solutions
While deep learning models are very powerful and can handle many intricacies in the data, simpler rule-based solutions or statistical probabilities often go a long way.
On top of being naturally explainable — meaning the algorithm can be easily understood by a human — simpler solutions can be a first version that we can iterate on and improve over time.
For example, when assessing which events are anomalous, we can consider the probability of the event happening given the user, the working function of the user, time of day, day of week, etc. These simple statistical conditional probabilities can serve as a great first baseline.
#3 Capture human feedback to make a flywheel
When designing the workflow of anomaly detection in the product, thinking about how to incorporate user feedback is crucial. As we lay out in our principles of Applied AI, in our view, human oversight for the automated predictions from machine learning models ensures the model is performing like it is intended to perform.
It would not only provide quantitative measurements of how our anomaly detector is performing, but it can also help us build an anomaly detector that adapts overtime to changing anomalies.
We can incorporate user feedback to tune our rules’ thresholds, optimize our models’ hyperparameters or even train a classifier that detects anomalies.
#4 Handling no-label situations
In machine learning, the most common way to build a model is to provide data with features and labels, and train a classifier on top of this data. So, what should we do when we’ve started building an anomaly detector and there are currently no labels in the data?
We can start with rules or statistical probabilities that do not need labels and tweak them over time. Additionally, there are many machine learning models that work in an unsupervised manner (aka, they can learn from unlabelled datasets), and they can learn representations of what normal data looks like and detect when this representation deviates.
In practice, we have found it useful to list out different anomaly cases and simulate those anomalies to properly assess models’ performance or even to train a classifier and combine it with unsupervised methods.
#5 Speed and explainability are just as important as performance
Some of the most important aspects of anomaly detection are timeliness and scale. An anomaly detector is not useful if it takes time to infer and detect threats long after the attack occurs. In the world of cybersecurity, it’s critical to detect threats with very short latency to prevent further damage or attack.
The need for the anomaly detector to detect threats across hundreds, or even millions, of surfaces is now considered as a standard. As the digital world grows, there are many more attack surfaces that need to be covered and in our view, the ability to scale is a must-have for any anomaly detector.
Besides scale, another important factor is actionable explainability. Explainability allows users to make informed actions given a prediction; it also helps build trust with users, since they have a better understanding of factors involving the model’s decisions. With explainability, users understand which factors push the ML model to consider a situation anomalous, assess the validity and take the appropriate next steps to remediate the event.
Learn more on the Georgian Impact blog
As you use anomaly detection, you’ll discover the important contexts that define what constitutes an anomaly and when intervention is needed. Keeping humans in the loop will be key to ensuring your models and process continue to perform as they’re meant to, especially as you scale your product and there are more potential threat surfaces in your business.
We hope you’ve found these learnings on anomaly detection useful! If you’re interested to learn more about this topic, we recently published a few pieces related to this topic. Check out this blog for technical deep dive of time series anomaly detection.
Read more like this
Why Georgian Invested in Armis (Again)
Armis offers visibility, security and risk management to enterprises across the Internet…
Why Georgian Invested in Glooko (Again)
We are pleased to announce that Georgian has led Glooko’s $100 million...