RedLock’s Head of Data Science, Alok Tongaonkar, is passionate about applying machine learning to cyber security analytics and cloud threat defense. Prior to joining RedLock, Alok was a Data Science Director at Symantec. There, he led the Center for Advanced Data Analytics (CADA), a next-gen security analytics unit that contributed to the development of new product lines as well as innovative features in existing products. Before that, Alok led R&D teams at Narus/Boeing, where he published over 20 peer-reviewed conference and journal papers on mobile and network security. He holds 9 patents in this area. He started his career working on mobile performance optimization at Qualcomm Innovation Center. Armed with an MS and PhD in Computer Science from Stony Brook University (New York), Alok spends his spare time reading, as well as playing badminton, table tennis and volleyball. We went 1 on 1 with Alok to better understand how machine learning impacts and aids securing workloads in public cloud computing environments.
Q: What is the role Machine Learning (ML) plays in cloud threat defense?
Alok Tongaonkar: To combat cloud threats, IT managers need to use tools that provide visibility into the network traffic, user activities, and configuration, as well as effectively monitor different entities and alert on any malicious behavior. Given the myriad ways that cybercriminals can attack cloud environments, it’s not possible to create rules or a one-off methodology to detect all attacks. This is where ML techniques can play a significant role by modeling the typical behavior of compute instances and users, and detecting abnormal behavior based on various properties.
Machine Learning can be used to provide visibility into user activity with results easily visualized.
Q: Will ML always yield positive results?
Alok Tongaonkar: ML is a very powerful tool in the arsenal of IT managers in their ever-growing arms race against attackers. However, if it is not implemented correctly, ML can produce a lot of false positives (benign activity incorrectly identified as malicious) or false negatives (malicious behavior that is missed). Some of the steps that can help mitigate this are careful feature selection, incorporating user feedback, and continuous learning.
Q: How is ML applied to cloud threat defense?
Alok Tongaonkar: ML techniques implemented on top of big data solutions are very effective in identifying spatio-temporal patterns in massive amounts of data. Hence, they can be used to detect malicious behavior, such as account hijacking, data exfiltration, brute force login attempts, and reconnaissance activity such as port scans or port sweeps. These actionable insights can reduce the number of events that an IT manager needs to review by many orders of magnitude. By focusing on the hundreds of alerts generated by ML analytics, instead of the millions of cloud events generated daily, managers can spend more time on the really critical issues, and the security of their organizations will benefit from it.
Q: Can you show us some examples of how ML is applied in the RedLock Cloud 360 platform?
Alok Tongaonkar: ML is used extensively within the RedLock Cloud 360 platform. We apply ML under the hood in a variety of features, such as classifying network entities, identifying network traffic directions, clustering user activities based on geo-locations, and identifying brute force attacks based on profiling user login patterns. We use ML to correlate signals of malicious behavior across different kinds of events (user activity, config changes, network traffic) to identify potential threats. We then combine this with sophisticated scoring models that assign risk and confidence scores to highlight high-risk entities and events. Organizations use this information to get a comprehensive view of their overall cyber hygiene.
Machine Learning is used to correlate signals of malicious behavior across different kinds of events to identify potential threats.
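As an added illustration of the brute force detection through login-pattern profiling that the answers above describe (this is example code written for this page, not RedLock's code or the Cloud 360 platform's logic): each user gets a baseline learned from their own history of failed logins per hour, and an hour that stands far outside that baseline is flagged. The event shape (user, timestamp, outcome, source IP), the sample events, and the `floor` and `k` parameters are constructed assumptions for the example. The absolute `floor` is the kind of false-positive guard the answer on ML "not always yielding positive results" calls for: a user whose history is all zeros would otherwise be flagged for a single typo.

```python
"""Per-user login profiling to flag brute force bursts (added example, not RedLock code)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def constructed_events():
    """Constructed sample login events shaped like CloudTrail ConsoleLogin
    records: (user, ISO-8601 UTC timestamp, outcome, source IP). Not real data."""
    events = []
    # alice: a quiet baseline of one mistyped password per hour for six hours ...
    for h in range(6):
        events.append(("alice", f"2018-03-01T{h:02d}:15:00Z", "Failure", "203.0.113.10"))
        events.append(("alice", f"2018-03-01T{h:02d}:16:00Z", "Success", "203.0.113.10"))
    # ... then 40 failures inside a single hour from a source address never seen before
    for m in range(40):
        events.append(("alice", f"2018-03-01T06:{m:02d}:00Z", "Failure", "198.51.100.7"))
    # bob: only successful logins, so nothing should fire for him
    for h in range(7):
        events.append(("bob", f"2018-03-01T{h:02d}:30:00Z", "Success", "203.0.113.20"))
    return events


def hour_bucket(timestamp):
    """'2018-03-01T06:12:00Z' -> '2018-03-01T06' (one bucket per UTC hour)."""
    return timestamp[:13]


def profile_failures(events):
    """Per user: failed-login count per hour, plus the source IPs behind those failures."""
    counts = defaultdict(Counter)
    sources = defaultdict(lambda: defaultdict(Counter))
    for user, ts, outcome, ip in events:
        if outcome == "Failure":
            bucket = hour_bucket(ts)
            counts[user][bucket] += 1
            sources[user][bucket][ip] += 1
    return counts, sources


def detect_bruteforce(events, k=3.0, floor=10):
    """Flag every (user, hour) whose failure count exceeds that user's own baseline.

    The baseline is leave-one-out: mean + k * population stddev of the user's
    failure counts in every other hour of the observation window. `floor` is an
    absolute minimum so a user whose history is all zeros (stddev 0) is not
    flagged for one mistyped password. Hypothetical parameter values.
    """
    counts, sources = profile_failures(events)
    window = sorted({hour_bucket(ts) for _, ts, _, _ in events})
    alerts = []
    for user, per_hour in counts.items():
        for hour in window:
            observed = per_hour.get(hour, 0)
            history = [per_hour.get(h, 0) for h in window if h != hour]
            if not history:
                continue
            threshold = max(floor, mean(history) + k * pstdev(history))
            if observed > threshold:
                alerts.append({
                    "user": user,
                    "hour": hour,
                    "failures": observed,
                    "threshold": round(threshold, 1),
                    # which addresses drove the burst, for triage
                    "sources": dict(sources[user][hour]),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(constructed_events()):
        print(alert)
```

On the constructed sample, only alice's 06:00 hour fires (40 failures against a threshold of 10, all from 198.51.100.7); her other hours stay quiet because the burst inflates the leave-one-out standard deviation rather than the observed count, and bob never appears because he has no failures to profile. The per-user baseline is what turns millions of raw login events into a handful of alerts, and the source-IP breakdown is the first thing an analyst would want attached to each one.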