In my last blog post, I sounded the death knell for indicators of compromise (IOCs) — attributes that implicate an item as being associated with cybercrime. IOCs written for one environment rarely transfer into new environments without lots of false positives and false negatives because what’s abnormal (and therefore an IOC) for one system or user might be completely normal for another user or system, or even for the same user at a different time of day.
But, as I noted, this is exactly the kind of problem that machine learning excels at! That’s why SecureAuth is working to incorporate machine learning into our adaptive authentication engine and make it even better. As I promised, here are more details.
Machine learning will enable us to monitor behavior over time and spot deviations. Consider “normal” time of day. Is it odd when someone VPNs into the corporate network 2:00 in the morning to write a blog post? An IOC has to say either “Yes” or “No” — but the answer is clearly “It depends.” Has this person logged in during the night before? Do they normally write blogs? Do other people in the company with similar behavior portfolios also VPN in during the wee hours? (That last part is important: Normal isn’t just about how you normally behave, but also how others like you behave.)
In my case, a 2 a.m. VPN connection on Sunday night is normal because I promised the blog would be done Monday morning and I’m always doing things at the last minute. Abnormal would be me logging in from my office desk at 8 a.m. tomorrow! Try to write an IOC to find that behavior. But that’s just the kind of thing machine learning can do oh so well.
SecureAuth’s adaptive authentication already analyzes behavior. For example, our geo-velocity check can ask, “Given the time since your last authentication, could you have physically traveled to your current location?” But imagine adding in machine learning. Then we could ask, "Have you or anyone at your company exhibited similar travel patterns (time of day + day or week + location) over a given time span?”
For example, this might be the first time you've ever logged in from Santa Cruz on a Tuesday, but a co-worker did the same thing last Tuesday, and you logged in from the nearby Irvine office yesterday. So instead of denying your authentication request outright, machine learning — unlike an IOC — can say "Hmmm," step up with two-factor authentication, and note the new normal.
By leveraging machine learning, SecureAuth is working to take authentication from a rules-based system to a behavior-driven workflow that enables us to find anomalies — without creating more management overhead. Look for machine learning to revolutionize the way we authenticate users and verify identities to deliver even stronger identity access management.
If you’re interested in learning more, I invite you to check out to SecureAuth’s presentation at Black Hat 2017 - you can find all the details here. And watch this space for more on the future of machine learning and authentication.