Humans To Machines: The Shift in Security Strategy With Machine Learning


HUMANS TO MACHINES

THE SHIFT IN SECURITY STRATEGY WITH MACHINE LEARNING


INTRODUCTION
In reference to the Equifax data breach, Larry Ellison, co-founder of Oracle Corp, said, “We are losing the
cyber war.” He went further to assert “the battle can’t be between the attacker’s machine versus our people.
The battle should be machines versus machines,” referring to how machine learning can transform IT
security strategy by adding intelligence to machines and turning them into powerful defense systems.

Maintaining IT security is more of a challenge than it ever has been with the exponential growth and complexity
of modern enterprise IT estates, the increasing rate of change of those estates and the explosion in threat
sophistication. The Chief Information Security Officer (CISO) faces new security threats from machine-powered
cartels and nation-states on a daily basis and must continually implement cutting edge strategies and
technologies to protect company data, intellectual property, and the very survival of the enterprise.

To business leaders who don’t understand IT security, a CISO can be deemed as succeeding only when
“nothing happens”—i.e. no breaches occur, no data loss is suffered, no malicious code spreads in the
company network and business agility and speed are not sacrificed in the process. But the hard truth is that
ensuring “nothing happens” without affecting business agility means a lot is happening behind the scenes
that demands a completely new approach to threat monitoring and updating an organization’s security
posture in response to those threats.
INCREASED SECURITY CHALLENGES FOR THE CISO
In the herculean efforts to ensure security across hybrid networks, virtualized data center environments,
and transactions from remote devices, a CISO faces a number of significant challenges ranging from people
to process to technology.

Incomplete Data
Traditional approaches to security focused on subsets of the available telemetry because that is what
humans could process. But the net result of this focus is that security analysts are left with incomplete data
that leads to sub-optimal decision making.

Slow Detection and Response to Threats

Threats move at machine speed, but we analyze and react at human speed. Whether because of a shortage
of hard-to-hire analysts or a predisposition to rules-based monitoring, initial responders to a security
threat often miss today’s signals entirely, which means an advanced attack can remain undetected for long
periods of time.

Too Many Security Alerts

Without advanced technology to evaluate threats in context, cybersecurity teams are simply overwhelmed
by the number of rules-based alerts, many of which prove to be false alarms. Manually triaging
these alerts is inefficient and costly.

Cloud Security
As networks continue to grow and companies move more IT services to the cloud, the
traditional network perimeter is no longer a sufficient security boundary. Furthermore,
cloud governance is often immature: the configuration of many cloud resources is left to
the customer, and the resulting human error leads to security breaches. The attackers
know it.

Complexity of Securing Hybrid IT

From Shadow IT stemming from cloud SaaS implementations to on-prem-to-cloud
integrations and APIs, a company’s migration to the cloud can cause a lack of visibility,
leading to a number of unsecured platforms that put sensitive data at risk.

Unknown Threats
There are tools and policies to detect and respond to known threats. However, the changing
threat landscape and the consumerization of IT are creating new attack vectors. Shadow IT,
IoT and other connected devices, blockchain deployments, even smart appliances all carry
vulnerabilities. One way to future-proof against this is to convert unknown threats into
known threats, so that existing people, process, and technology can be used to fix them.
Anomaly detection, risk scoring, and kill chain management are some of the ways to detect
unknown threats and turn them into known, manageable ones.

FROM HUMANS TO MACHINES:
The Shift in Security Strategy

An enterprise, and its IT infrastructure and networks, no longer exists in a secure, self-contained building.
Global networks, a mobile workforce, outsourced data centers, and private and public clouds all mean
IT security professionals must shift their security strategies.

Rather than working on increasing the complexity of network security policy, IT organizations need to
focus on how users access a company’s most valuable assets: databases, applications, data and servers.
When criminals breach a network, they target weak user access controls as a means to acquiring valuable
information assets. Current security practices leave the enterprise vulnerable to attacks from inside and other
attack vectors that bypass the perimeter. CISOs face the growing imperative to rebalance security resources
to protect corporate information from the inside out.

IT security strategy must evolve to focus on:

Securing What Matters

Threats to detect:
• Internal threats
• Compromised users
• Weak user access controls

Assets to protect:
• Intellectual property
• Customer data
• Financial data
• Applications

The challenge in spotting these types of threats is inherent to their very nature: they come from the
inside. These “low and slow” attacks look like legitimate traffic and can go undetected by traditional
network intrusion systems. Recognizing them requires context and learning over time, along with
pattern recognition at a scale beyond the capacity of human analysts. Rule- and signature-based intrusion
detection only matches what it has already been told to look for, so it cannot catch a pattern nobody has
written a rule for. Newer approaches use statistical and machine learning models that can surface anomalous
patterns without being told in advance exactly which patterns to look for.


INTELLIGENT SECURITY:
Machine Learning in Action
Machine learning is not a new technology, but it was previously applied largely to basic data processing
and to optimizing system infrastructure performance. Its current, groundbreaking applications are database
automation, marketing automation and personalization, and IT security. These applications have become
possible through advances in compute power, enormous stores of data, and practical artificial neural
networks that can be trained to identify and classify patterns and then make determinations or predictions
for the task at hand.

Machine Learning in IT Security

Machine learning brings a new level of sophistication to cybersecurity threat prediction, prevention,
detection and response.

Current intrusion systems watch for certain signatures and patterns in data from known threats that have
already been identified by security experts. Newer intrusion detection systems equipped with machine
learning employ models that process massive amounts of data and identify patterns that a static set of
instructions might miss, then provide probabilistic conclusions about the validity of a threat.

Specifically regarding internal threats around user identity, machine learning uses the wealth of data it
is processing to define a baseline for typical user behavior in relation to one’s role in the company and
historical activity which serves as a “norm” against which deviations can be measured. If a user exhibits
behavior outside of those well-established expectations, that behavior can be flagged as an anomaly.

The power of machine learning in detecting IT security threats comes in its ability to learn, recognize
and make judgements without being programmed specifically for every possible situation or tactic
cybercriminals might employ.

In the evolution of IT security, enterprise businesses require intelligent systems that provide visibility into
potential threats, send alerts only when necessary, and learn from threat patterns and apply those learnings
to ongoing threat detection and prediction.
NEXT GENERATION IT SECURITY:
ORACLE SECURITY SOLUTIONS
Between the growing sophistication of cybercriminals’ tactics and the monumental advancements in the
technology that can detect and thwart intrusions, IT organizations require a new strategic approach to
security. Oracle provides a security platform for the future-state, enabling visibility, detection, and response
wherever users, applications, or data reside.

Oracle’s built-in next-generation intelligence automatically identifies risk and understands even the most
sophisticated threats in real time. Built on top of Oracle’s Identity and Access Management capabilities,
Oracle Security Cloud Services are fully identity-aware: they understand the full context associated with
users, applications, data, and even specific sessions, and adapt quickly to changing conditions.

Oracle’s Identity Security Operations Center (SOC) is an identity and context-aware intelligence and
automation solution. The Identity SOC takes advantage of modern data analysis tools such as advanced
analytics, machine learning and sophisticated data science techniques that allow identifying and
investigating threats in near real-time. It employs behavioral analytics to detect suspicious behavior
indicators of an attack and attack path modeling to predict the potential path an attacker can take to escalate
privileges. Identity SOC also includes automated orchestration and incident response.

Let’s look at three security use cases and how Oracle applies machine learning to solve them.

1. SUSPICIOUS USER ACTIVITY
Oracle implements specific machine learning (ML) algorithms optimized to detect nuanced
suspicious user activity. Specific threat models are pre-built on those algorithms to baseline
individual user behavioral attributes and detect deviations from those baselines. For example,
out-of-the-box (OOTB) models baseline the IP addresses a user typically connects from, their
geolocation, the assets they access, the hours of day they are usually active, the frequency of
their logins, and more. Catching these nuanced anomalies matters because they are often the
earliest visible sign of a more evolved attack.
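The per-attribute baselining described above, and in the “Machine Learning in IT Security” section earlier, can be written down concretely. The following is an added example, not Oracle’s code or the page’s own: it builds a per-user baseline from a few constructed login records (source IP, country, hour of day, asset accessed), scores a new event by how rare each of its attribute values is for that user, and declines to score a user with too little history. The attribute weights, the minimum event count and the alert threshold are assumptions chosen for illustration, not any vendor’s tuning.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed login telemetry (invented for this example):
# (user, ISO-8601 timestamp, source IP, geolocated country, asset accessed).
HISTORY = [
    ("alice", "2017-10-02T08:12:00", "10.1.4.22", "US", "hr-portal"),
    ("alice", "2017-10-02T09:40:00", "10.1.4.22", "US", "mail"),
    ("alice", "2017-10-03T08:05:00", "10.1.4.22", "US", "hr-portal"),
    ("alice", "2017-10-03T17:30:00", "10.1.4.22", "US", "mail"),
    ("alice", "2017-10-04T08:50:00", "10.1.4.31", "US", "hr-portal"),
    ("alice", "2017-10-05T10:15:00", "10.1.4.22", "US", "wiki"),
    ("alice", "2017-10-06T09:02:00", "10.1.4.22", "US", "hr-portal"),
    ("alice", "2017-10-06T14:45:00", "10.1.4.22", "US", "mail"),
]

# How much each attribute contributes to the score; an assumption of this example,
# not any vendor's tuning. A never-seen country weighs more than an odd hour.
WEIGHTS = {"country": 3.0, "ip": 2.0, "asset": 2.0, "hour": 1.0}
MIN_EVENTS = 5          # thinner history than this is not a baseline yet
ALERT_THRESHOLD = 0.5   # weighted rarity at or above which an event is flagged


def event_attributes(ts, ip, country, asset):
    """The behavioral attributes the baseline is built from."""
    return {"country": country, "ip": ip, "asset": asset,
            "hour": datetime.fromisoformat(ts).hour}


def build_baselines(history):
    """Per user: event count plus, per attribute, how often each value was seen."""
    baselines = defaultdict(lambda: {"n": 0, "counts": {a: Counter() for a in WEIGHTS}})
    for user, ts, ip, country, asset in history:
        b = baselines[user]
        b["n"] += 1
        for attr, value in event_attributes(ts, ip, country, asset).items():
            b["counts"][attr][value] += 1
    return baselines


def attribute_rarity(counts, attr, value, n):
    """1.0 = never seen for this user, 0.0 = present in every prior event.
    Hours are smoothed one hour either side so 08:59 versus 09:05 is not an anomaly."""
    if attr == "hour":
        seen = sum(counts[attr][(value + d) % 24] for d in (-1, 0, 1))
    else:
        seen = counts[attr][value]
    return 1.0 - min(seen, n) / n


def score_event(baselines, user, ts, ip, country, asset):
    """Weighted rarity of a new event against the user's baseline.
    Returns (score in [0, 1], attributes never seen before, flagged?) or None when
    the user has too little history to compare against (cold start)."""
    b = baselines.get(user)
    if b is None or b["n"] < MIN_EVENTS:
        return None
    score, novel = 0.0, []
    for attr, value in event_attributes(ts, ip, country, asset).items():
        r = attribute_rarity(b["counts"], attr, value, b["n"])
        score += WEIGHTS[attr] * r
        if r == 1.0:
            novel.append(attr)
    score = round(score / sum(WEIGHTS.values()), 3)
    return score, novel, score >= ALERT_THRESHOLD


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # A routine morning login from the usual address versus a 03:10 login from a
    # new country and address to an asset alice has never touched.
    print(score_event(baselines, "alice", "2017-10-09T08:30:00", "10.1.4.22", "US", "hr-portal"))
    print(score_event(baselines, "alice", "2017-10-09T03:10:00", "185.220.101.7", "RO", "finance-db"))
```

Two points the prose glosses over show up in the code: a user with no baseline yet returns None rather than a score (a new hire is not an anomaly), and hour of day is smoothed so a login a few minutes outside the usual window does not trip the alert on its own. In practice the IP attribute would usually be generalized to ASN or /24 before counting, since DHCP churn makes exact addresses noisy.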

When anomalies are detected, Oracle can automate remediation steps entirely and/or give
analysts an opportunity to select from relevant playbooks based on the nature of the threat.
For example, if the threat is user centric and suggests an account may have been hijacked,
then a password reset can be enforced automatically through pre-built integration templates
with Oracle IDCS, IDM and 3rd party identity systems. If a threat is asset specific and suggests
new malware, then an AV update can be pushed to the endpoint.
2. ROGUE USER/HIJACKED ACCOUNT
This nuanced machine learning focuses on individual attributes of user behavior, which is critical to early
threat detection and to stopping today’s sophisticated threats before they spread. However,
in a world where users often use personal, unmanaged devices, some threats will invariably penetrate
enterprise networks. It is therefore equally critical to focus machine learning on aggregate or composite
user behavior.

To that end, Oracle employs a different group of algorithms and predefined models that baseline the
entirety of user actions (building on its categorization of security events and its cloud-native
deployment model). Once those composite baselines are in place, Oracle clusters users based
on common aggregate behavior: where they come from, the internal assets they access, the cloud services
they access, the time of day they operate, and so on. This approach has three broad, critical benefits:

• By simply exposing who users behave like, Oracle instantly uncovers potential anomalies.
For example, if the results show that Alice, an IT admin, has recently been behaving more like
Finance power users, it may be a hijacked account or even an insider threat.

• ML fundamentally starts with baselining behavior, and many of today’s security analytics solutions
start from a flawed assumption: that users operate strictly or primarily within directory/IDM-defined
group boundaries, and use those groups as the basis for baselining. Because users in fact operate
across groups, this produces a lot of false positives. A better starting point is to
expose the natural clustering of user behavior through machine learning and
use those natural, matrixed groupings to develop baselines.

• This approach can also uncover very common problems spanning the security/identity domain
divide, such as excessive privileges that are still being exercised. For example, Bob moves to a middle-office
compliance role, but Oracle may reveal that his asset access profile continues to overlap with his
previous HR role. Not only is he still using residual privileges, but IT omitted to remove the entitlements
his new role no longer needs when it expanded his privileges for that role.
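Both the peer-group comparison (Alice behaving like Finance) and the residual-privilege check (Bob’s lingering HR access) can be implemented on the same access-count vectors. The following is an added example, not Oracle’s code or the page’s own: it represents each user as a sparse vector of asset access counts, builds a leave-one-out centroid for each directory group, reports users whose nearest centroid is not their own group, and lists the assets a user still touches that belong to a previous role’s peer profile but not to the current one’s. All users, assets, counts and group assignments are constructed for the example; a fully unsupervised version would replace the directory-seeded centroids with clusters found by k-means or similar.

```python
import math

# Constructed access telemetry (invented for this example): per user, how many times
# each internal asset was accessed over the baselining window.
ACCESS = {
    "carol": {"ldap-admin": 20, "patch-server": 15},
    "dave":  {"ldap-admin": 18, "patch-server": 12, "policy-repo": 1},
    "alice": {"gl-ledger": 18, "expense-app": 6, "ldap-admin": 2},
    "erin":  {"gl-ledger": 25, "expense-app": 10},
    "frank": {"gl-ledger": 22, "expense-app": 8},
    "grace": {"hris": 30, "payroll": 12},
    "heidi": {"audit-vault": 20, "policy-repo": 15},
    "bob":   {"audit-vault": 15, "policy-repo": 10, "hris": 9, "payroll": 4},
}

# Directory (IDM) group each user is assigned to; also constructed for the example.
DIRECTORY = {
    "carol": "IT", "dave": "IT", "alice": "IT",
    "erin": "Finance", "frank": "Finance",
    "grace": "HR",
    "heidi": "Compliance", "bob": "Compliance",
}


def cosine(a, b):
    """Cosine similarity between two sparse access-count vectors (dict asset -> count)."""
    dot = sum(a[k] * b.get(k, 0) for k in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def centroid(access, members):
    """Mean access vector of a set of users: the group's composite behavior."""
    total = {}
    for user in members:
        for asset, count in access[user].items():
            total[asset] = total.get(asset, 0) + count
    return {asset: count / len(members) for asset, count in total.items()}


def peer_centroids(access, directory, exclude):
    """Centroid per directory group, leaving `exclude` out of its own group so a
    user's own activity cannot define the 'normal' it is compared against.
    A group left with no members is dropped."""
    members = {}
    for user, group in directory.items():
        if user != exclude:
            members.setdefault(group, []).append(user)
    return {g: centroid(access, m) for g, m in members.items()}


def behaves_like(access, directory):
    """For each user, the group whose composite behavior they most resemble.
    Returns (user, directory group, nearest group, similarity) only where the two
    differ; users whose own group has no peers to compare against are skipped."""
    findings = []
    for user, own_group in directory.items():
        cents = peer_centroids(access, directory, exclude=user)
        if own_group not in cents:
            continue  # cold start: nobody else in the group, nothing to baseline on
        nearest, sim = max(((g, cosine(access[user], c)) for g, c in cents.items()),
                           key=lambda gs: gs[1])
        if nearest != own_group:
            findings.append((user, own_group, nearest, round(sim, 3)))
    return findings


def residual_privileges(access, directory, user, previous_group):
    """Assets `user` still touches that are characteristic of `previous_group` but
    not of the peers in the current group: privileges that should have been
    removed on role change."""
    cents = peer_centroids(access, directory, exclude=user)
    old = set(cents.get(previous_group, {}))
    current = set(cents.get(directory[user], {}))
    return sorted((set(access[user]) & old) - current)


if __name__ == "__main__":
    print(behaves_like(ACCESS, DIRECTORY))                      # alice looks like Finance
    print(residual_privileges(ACCESS, DIRECTORY, "bob", "HR"))  # bob still uses HR assets
```

Leaving the user out of their own group’s centroid matters: otherwise Alice’s Finance-like activity would pull the IT centroid toward her and mask the deviation. Grace is skipped because she is the only HR member, so there is no peer behavior to compare against; in that cold-start case the right output is no finding rather than a noisy one.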

3. SQL QUERY ANOMALY DETECTION
Oracle uniquely goes data deep when it comes to machine learning. The vast majority of
corporate data resides in databases and is accessed through SQL queries, yet machine
learning in other solutions stops at the host tier. So if a DBA’s credentials are hijacked
and malware on the DBA’s endpoint is used to query a database, other solutions will not flag
anything, because it is normal for that DBA to access the database host from that machine.

Oracle goes down to the data access level for both structured and unstructured data. In the
case of DBs, Oracle actually parses SQL statements and baselines the queries by user, group,
DB, and application. It then evaluates any new SQL queries against that baseline to detect
potential anomalies. As a result, Oracle not only catches threats that other solutions miss,
but it also cuts noise by being context aware, which means it can reduce the risk level of an
anomalous query against a sandbox DB which does not contain actual customer sensitive
data. Conversely, it can raise the score of an anomalous query against a critical table in a DB
that is on a watchlist.
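The template baselining and context-aware scoring described above can be sketched in a few dozen lines. The following is an added example, not Oracle’s code or the page’s own: it normalizes each SQL statement to a template (literals replaced by placeholders, case and whitespace folded), counts templates per user and database over constructed history, scores a new query by how rare its template is, then scales the score down for sandbox databases and up when the query touches a watchlisted table. The sandbox and watchlist sets, the scoring factors and the level cut-offs are assumptions for illustration; the table extraction is a simple regex standing in for a real SQL parser.

```python
import re
from collections import Counter, defaultdict

# Constructed query history (invented for this example): (user, database, raw SQL).
HISTORY = [
    ("dave", "prod-crm", "SELECT id, status FROM orders WHERE id = 1001"),
    ("dave", "prod-crm", "SELECT id, status FROM orders WHERE id = 1002"),
    ("dave", "prod-crm", "SELECT id, status FROM orders WHERE id = 2048"),
    ("dave", "prod-crm", "UPDATE orders SET status = 'shipped' WHERE id = 1001"),
    ("dave", "prod-crm", "SELECT count(*) FROM sessions WHERE created_at > '2017-10-01'"),
    ("dave", "sandbox-crm", "SELECT * FROM customers LIMIT 10"),
]

# Context used for scoring; both are assumptions of this example.
SANDBOX_DBS = {"sandbox-crm"}               # copies with no real customer data
WATCHLIST = {"prod-crm": {"customers"}}     # tables holding customer-sensitive data

_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_TABLE = re.compile(r"\b(?:from|join|into|update)\s+([a-z_][\w.]*)")


def normalize_sql(sql):
    """Reduce a statement to its template: comments removed, literals replaced by '?',
    case and whitespace folded. Queries differing only in literal values share a
    template, so the baseline counts query shapes rather than individual statements."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    sql = _STRING.sub("?", sql)
    sql = _NUMBER.sub("?", sql)
    return " ".join(sql.lower().split()).rstrip(";").strip()


def referenced_tables(template):
    """Tables named directly after FROM/JOIN/INTO/UPDATE in a normalized template.
    Deliberately simple: comma-separated FROM lists and subqueries are not handled,
    which a production system would cover with a real SQL parser."""
    return set(_TABLE.findall(template))


def build_baseline(history):
    """Per (user, database): how many times each query template has been seen."""
    baseline = defaultdict(Counter)
    for user, db, sql in history:
        baseline[(user, db)][normalize_sql(sql)] += 1
    return baseline


def score_query(baseline, user, db, sql):
    """Rarity of the query's template for this user and database (1.0 = never seen),
    adjusted for context: quartered against sandbox databases, doubled when a
    watchlisted table is touched. Returns (risk, level, template)."""
    template = normalize_sql(sql)
    seen = baseline.get((user, db), Counter())
    n = sum(seen.values())
    rarity = 1.0 if n == 0 else 1.0 - seen[template] / n
    factor = 1.0
    if db in SANDBOX_DBS:
        factor *= 0.25
    if referenced_tables(template) & WATCHLIST.get(db, set()):
        factor *= 2.0
    risk = round(rarity * factor, 3)
    level = ("critical" if risk >= 1.5 else "high" if risk >= 1.0
             else "medium" if risk >= 0.5 else "low")
    return risk, level, template


if __name__ == "__main__":
    b = build_baseline(HISTORY)
    for db, sql in [("prod-crm", "SELECT id, status FROM orders WHERE id = 777"),
                    ("prod-crm", "SELECT id, status FROM orders WHERE id = 1 OR 1=1"),
                    ("prod-crm", "SELECT card_number, cvv FROM customers"),
                    ("sandbox-crm", "SELECT card_number FROM customers")]:
        print(db, score_query(b, "dave", db, sql))
```

Note what the template step buys: a query with a tautology appended (`... WHERE id = 1 OR 1=1`) lands on a template the DBA has never issued, even though the table and host are perfectly normal, which is precisely the case the paragraph says host-tier analytics miss. The same unseen template against the sandbox copy scores low, and a first-ever read of a watchlisted customer table on production scores highest.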

As with its other security focused machine learning, Oracle offers several auto-remediation
templates for SQL anomaly detection as well, including actions at the identity, offending endpoint,
target DB level and also closely integrates with its own DB firewall product for policy enforcement.
CONCLUSION
Oracle security solutions work together to provide holistic security across the extended
enterprise to minimize risk, protecting against even the most advanced threats and
providing CISOs confidence in their organization’s overall security posture.
