Fighting cyber with cyber

Deep learning threats demand deep learning solutions.

A new era of cyber threats and cyber security

Researchers have long pondered the ever-proliferating amount of information with which we are bombarded and how we can most efficiently manage, store, understand, and utilize it.

Every day, every hour, every second, individuals, companies, and governments generate and share vast quantities of facts, opinions, figures, and statistics. And the volume is expanding exponentially. Data–big and small, structured and unstructured–is inescapable and essential.

And it’s under siege.

Credit reporting agencies, health care organizations, financial service providers, social media and email platforms, electrical grids, transportation systems, our elections–no corner of the economy is insulated.

With the rapid growth of cloud-based and open source applications, cyber security has taken center stage in virtually every industry.

These innovations and a host of others have created a new risk matrix, placing greater priority than ever on deterrence and protection. Consider that a business experiences a ransomware attack—think “WannaCry,” which locked down computers in more than 150 countries in 2017–every 40 seconds and is expected to increase to every 14 seconds by 2019. Deputy Attorney General Rod Rosenstein has characterized ransomware as “a new business model for cybercrime.”

Unfortunately, most legacy IT infrastructures were not designed to meet the demands of this new environment and many companies are struggling to adapt, not just in terms of architecture and tactics, but also with internal controls and policies.

Security professionals are exploring cognitive technologies and artificial intelligence, particularly deep learning, to be better anticipate and defend against cyber threats. Bad actors are implementing the same tools to increase the sophistication of their attacks. The good guys need to stay a step ahead.




Cyber attacks in high-target sectors show utilities and government at most risk

Drowning in data

This explosion in the number of connected devices boosts productivity, collaboration, and drives innovative thought, but it also escalates the potential breach points.

Microsoft Azure AD, a cloud-base directory for managing identity and access, has millions of accounts and sees billions of logins every day. No human, or group of humans, can reasonably make sense of that much data, mine it for patterns, and look for threats and vulnerabilities with consistent speed and precision.

The pace of change has been so rapid that security advances have not adapted fast enough. There is login data, customer interaction information, transactional data–basically, event-based data from across the entire enterprise. How can you prevent, detect, and respond to security incidents while also using that data to provide actionable insights to your business partners?

Cyber security professionals need to be able to go back to their business partners and say, “Based on the data we’re observing, these are the things you should be aware of and protecting against.” The issue extends beyond IT and cyber security. It’s a business imperative for the entire supply chain.

Many companies are wrestling with this in connection with the small amount of experienced data talent they have on staff. Organizations are spending so much time and energy thinking about how to spread around the few engineers and data scientists they have that the goal of developing and deploying a flexible, targeted cyber security plan has largely gone unfulfilled.

We are seeing a significant shortage of data scientists and specialists across virtually every industry. As a result, we see most businesses deploying this talent–to the extent they have it–to solve myriad business problems, rather than working on critical cyber security use cases, such as anomaly detection.

Security in the spotlight

With all the promise of advancements in artificial intelligence–new solutions in genomics and medicine, safety, and transportation–there are darker implications. That same technology is also available to bad actors looking to mislead, destroy, and steal.

Confidence among CIOs in their organization’s cyber preparedness is steadily declining, while the number of serious attacks is increasing.

The threats are becoming more sophisticated, and current cyber defenses are not enough. According to the Harvey Nash/KPMG CIO Survey 2017, 89 percent of CIOs are actively investing in digital innovations, but only 21 percent feel well-prepared in terms of cyber security. Not surprisingly, more than half (52 percent) are devoting increasing budget dollars toward technology platforms and tools designed to help the organization predict, detect, and combat threats.

It’s a definite concern and major challenge, but it’s also an opportunity for security professionals to partner with their organization’s IT group and CISO. This ensures the entire enterprise understands and is positioned to manage the risks while realizing the benefits of automation and cognitive advances.

Security leaders have an obligation to identify and protect the organization’s “crown jewels” –key business processes, intellectual property, enterprise and customer data, and market offerings. This process is complicated by automation-related risks that were previously nonexistent.

Historically, cyber security began as a somewhat passive endeavor (firewalls, antivirus software, malware protection). But with more than 250,000 new malware strains emerging daily and 60 percent of mid-sized organizations across 10 countries agreeing their current defenses are insufficient, today the focus is evolving to include proactive, adaptive prediction.

Hackers and other bad actors are discovering and attacking system weaknesses that may be a decade or more old. These vulnerabilities must be addressed. For many organizations, it comes down to a lack of talent/manpower, time, budget, or understanding of the nature of the threats–typically it is a combination of these challenges.

Deep learning: Bright promise, dark risks

One strategy security professionals are exploring more and more to address today’s ever-growing threats centers on artificial intelligence techniques—deep learning in particular.

The conventional wisdom has long been that computers learn best by following logical, deterministic rules. As technology, progressed, researchers, principally University of Toronto computer scientist Geoffrey Hinton, explored a simple proposition: that computers learn like the human brain–using intuition, rather than rules.

This notion became the groundwork for deep learning, which is a subset of machine learning, in which the machine is trained by numerous data inputs to make probabilistic predictions, rather than being programmed by humans.

Also referred to as “neural networks,” deep learning identifies and learns from patterns, much like some processes in our brains, which organize information across an intricate network of neurons that communicate across cortical pathways. Deep learning employs layered neural networks to quickly recognize abstractions in large volumes of often unstructured data and make precise assessments.

The fascinating and frightening thing about the deep learning branch of artificial intelligence is that it can enable the machine to learn without human supervision. More complex perhaps is that, just as we don’t truly understand how the brain works, often we are unable to determine how exactly neural networks learn to do what we want or, even more troubling, how it learns to do the opposite.

A multi-layered neural network defines its own pattern and, depending on the sophistication of the application and the programmer, makes decisions and executes solutions on the fly. At a high level, this explains how deep learning powers autonomous vehicles. The car takes action based on an interpretation of its surroundings and the behavior of everything around it.

From a cyber security perspective, deep learning as a technique is evolving to be smarter and more adaptive, but there remain limitations, particularly in relation to how these systems manage unpredictability. It may still be something of a black box, but we’re only at the beginning of this story in terms of threat detection and deterrence but the optimism around deep learning appears to be well founded.

Deep learning takes advantage of large data sets to learn and improve over time

A deep learning system’s output becomes more accurate as it receives more data. Deep learning utilizes a set of analytical layers, where each successive layer performs more generalizable learning tasks until a pattern is identified. This work is performed in fractions of seconds.

Rules based

Humans define all connections andpaths between input and output

Machine learning

Humans define the features that represent possible connections from input to output, but machines learn the optimal path

Deep learning

  • Subset of machine learning where hidden layers represent non-human created paths from input to output
  • To learn how to make correct decisions, the hidden layers attempt to generalize, at increasing levels of complexity, over input features
  • These layers are referred to as "hidden" simply because they are in neither the input nor the output layers
  • Currently, the generalizations made by the hidden layers are not directly interpretable by humans    

Combat deep learning threats with deep learning solutions

The applications for deep learning are invaluable and seemingly limitless across the global economy, with examples ranging from brain cancer detection and weather forecasting to energy usage fluctuations and autonomous vehicles. The fact that Google, IBM, Facebook, Twitter, and Salesforce have all acquired deep learning start-ups over the past several years is testament to the potential viability of this field.

However, artificial intelligence-powered threats must be on radar. While 62 percent of cyber security professionals surveyed at Black Hat USA 2017, a leading information security conference, expect cyber criminals to ramp up their attacks using artificial intelligence over the next year, 32 percent said they do not expect artificial-intelligence-related attacks. This is surprising and a bit troubling.

How are bad actors getting their hands on such cutting-edge algorithms? There is an API economy forming. These advanced technologies are now largely accessible to anyone with a credit card via the cloud. Artificial intelligence APIs are on full display, and they can do virtually anything, from face and speech recognition to predictive modeling and sentiment analysis. Because of this broad accessibility, the emerging concern is that this technology may become a tool not only for legitimate, well-intentioned individuals, companies and organizations, but also for organized crime, terrorist groups, rogue nations, APTs, lone wolf hackers and others.

There are numerous ways these applications can be weaponized for malicious purposes, from penetrating databases to steal personal and corporate data and intellectual property to creating large-scale automated phishing campaigns. The technology can even change video to make minor variations to facial expressions that can alter the intent of the footage, but are otherwise undetectable. These schemes are incredibly difficult to defend against.

Bottom line, we believe it will take deep learning solutions to combat deep learning threats. In this sense, cyber security could ultimately be a key differentiator for enterprise IT innovation.

Security professionals have historically dealt with the challenge of “making sense” of the data they collect to shore up their defenses. Deep learning has the ability to correlate numerous data sources to identify patterns or anomalies that might point to malicious activities.


Companies are employing deep learning algorithms not only to help them identify security incidents, but to assess system-wide vulnerabilities. As a self-learning technology, deep learning offers the prospect of adaptive improvement as organizations strive to produce positive cyber security outcomes.

Protection through detection

As a cyber security tool, deep learning has been making particular progress in three areas:

Adversarial sample detection

This is a particularly interesting example because it demonstrates the use of deep learning itself to take on one of its biggest weaknesses, wherein false samples are introduced to make the system behave in an inappropriate or misleading manner. Research suggests that hidden neural layers can be activated to detect incorrect classifications caused by adversarial attacks.

Malware detection

While that research is still relatively new, much of the work has been focused on more typical cyber security areas such as malware detection. Most malware detection systems have required hybrid use of both standard machine learning and deep learning because the feature space has been much too large for deep learning to appropriately handle. However, recent advances demonstrate that in some cases, full deep learning approaches are better able to classify malware once it has been identified.

Network intrusion detection

Finally, network intrusion detection has long been a problematic area because of the requirement to predict what is essentially unpredictable. In the past few years, deep learning approaches have begun to outperform previous state-of-the-art methods for academic data sets, and while results remain relatively low, the promise of deep learning to either bolster traditional approaches or provide a possible unsupervised approach is apparent.



Think pragmatically—there are a lot of touch points

The key for senior security leaders and systems analysts across the corporate and government sectors will be to move from being reactive to being proactive and adaptive.

They must be mindful of the overall architecture of their networks. As mobile and the cloud expand as enterprise options, data is changing hands more and more, increasing the risk of breaches. It is critical to consider the security implications at every touchpoint.

How do organizations make their information ecosystems adaptive? There’s a lot of learning that needs to happen on a continuous basis. The ability to contemplate large data sets, make inferences and then apply that thinking to your security model is a full-time job, and, in a big data world, the limitations of the human brain become exposed quickly.

Next steps: where do we go from here?

Deep learning represents an opportunity for organizations to augment and build out security capabilities to protect, enable, and sustain the business.

We suggest starting with this strategic plan:

  • Identify & Strategize – Set your security risk profile and policy
    • IA security risk and capability gap assessment
    • Establish policies
    • Target state architecture
    • Technology rationalization
    • Target state organization and process
    • Implementation roadmap
  • Implement and Protect – Build a framework to manage cyber risks
    • Security solution selection to address capability and risk gaps
    • Agile design and implementation of process and solutions
    • Organization and governance
    • Integration with existing solutions and processes
  • Operate and Detect – Monitor and improve your security controls
    • Define and implement operational processes
    • Configure and tune detection and alerting thresholds and policies
    • Perform one-time and ongoing audits
    • Ongoing IA security and risk assessments
  • Respond – Effective cyber security incident response
    • Design process, technology, and people changes to help ensure appropriate response for IA incident
    • Conduct triage and forensics response processes
  • Recover and Remediate – Incident recovery, awareness, and learning
    • Design and implement resilience and recover measures for critical systems and data
    • Help ensure ongoing learning and improvement
    • Conduct awareness training