Palo Alto Networks
Machine learning in cyber security
Machine learning holds great potential for cyber security - but there is a lot to consider when implementing it in a corporate context. Experts from Palo Alto Networks provide an overview.
Sergej Epp, Chief Security Officer Central Europe at Palo Alto Networks: "Machine learning has become an integral part of cyberspace. ML-based solutions help to close existing data silos in the company and the associated potential security gaps and ensure end-to-end security. Above all, they enable security teams to act proactively instead of reactively - and thus stay one step ahead of the threat situation."
Tools based on machine learning (ML) can be an essential element of a dynamic and powerful security platform. The technology can be used in various task areas, for example to detect malware and network anomalies, categorize user behavior, prioritize vulnerabilities and also to accurately predict future attacks. ML-based automation relieves employees by minimizing manual effort.
Supervised and unsupervised learning - the main components of ML
In the supervised learning methodology, prepared data sets are used to help the algorithm distinguish between harmful and harmless data. After analyzing the input data with a predefined target variable, it can make predictions and precise recommendations. According to Palo Alto, this is the most important type of ML. Supervised learning is used to classify threats: a solution can independently identify potential threats from the data sets if they have similar characteristics to the historical data.
In unsupervised learning, on the other hand, the algorithm independently explores the structure of the data without being given known target values in advance. It then groups the data points by similarity (clustering). In this way, unsupervised learning can provide cyber security teams with an overview of normal and abnormal behavior.
Generative AI (GenAI) expands the spectrum of machine learning by integrating both supervised and unsupervised learning. This technique utilizes the data analysis and predictive capabilities of supervised learning, combined with the pattern recognition and exploratory nature of unsupervised learning. GenAI can be used primarily in areas such as source code interpretation, policy analysis, forensics or pentesting.
Data is the key
For ML algorithms to work correctly, they must be fed a large amount of high-quality data. These data sets should represent the threats expected for the particular organization so that the ML tool can learn the relevant patterns and rules. Data from different sources that are not well integrated with each other and contain gaps are difficult for a machine to evaluate. Data should therefore always be up to date.
ML is predictive, not deterministic
ML works with probabilities and likely outcomes. This means that it uses available data and previous results to predict potential outcomes in the future. This makes ML predictive. Although the predictions are not deterministic, they are usually very accurate - and available much faster than a human analysis.
Rules for regression, classification, clustering and association
Depending on the type of problem to be solved, there are different methods of ML such as regression, clustering and association analysis. The aim of regression is to produce a continuous output or prediction. In the field of cyber security, it can be used for fraud detection. Classification and clustering divide data into groups or categories, with clustering grouping specifically on the basis of similarities. In classification, the algorithm arranges or groups observations into predefined categories in order to distinguish spam from harmless data, for example.
Association rule learning uses previous experience with data to recommend a particular result much faster than a human would ever be able to. If an incident occurs on a website, for example, solutions can be offered automatically.
ML and its limits
ML algorithms are extremely efficient at recognizing patterns and making predictions. However, they also require a lot of resources and are still often quite error-prone because the data sets they learn from are limited in scope - so ML tools can reach their limits as well.
Cooperation between man and machine
To increase the performance of ML-based algorithms in cybersecurity, humans and machines must work together. While ML algorithms can perform data analysis, this does not replace the duty of cybersecurity teams to stay abreast of the latest technological breakthroughs and changes in the threat landscape. New ML techniques applied in the cybersecurity environment can only flourish when they are seamlessly integrated into the process and technology landscape. For example, there is very little added value in identifying threats even faster if they can only be blocked or remedied days later. It is therefore crucial not to get caught up in the hype when it comes to ML, but to check in which areas the use of ML-based solutions actually makes sense.