
This article was published on January 11, 2017

4 ways man and machine are teaming up to fight cyberthreats

Story by Ben Dickson

Ben Dickson is the founder of TechTalks. He writes regularly about business, technology and politics. Follow him on Twitter and Facebook.

As data-centric business models and big data services spread, detecting threats and data breaches is becoming increasingly hard.

Cybersecurity experts are hard pressed to keep tabs on the reams of data their companies and organizations generate. Attackers, on the other hand, find it easier to hide malicious traffic in the flood of data exchanged over corporate networks.

And with a widening talent gap plaguing the cybersecurity industry, there’s no sign of the odds tipping in favor of IT security any time soon.

A solution to this dilemma might be found in the use of machine learning, the hot trend that is taking the world by storm and is transforming numerous industries in ways that were previously inconceivable. Machine learning can complement and amplify human efforts and help detect and block cyberattacks faster and more efficiently than before.

Here’s how man and machine are teaming up to fight the complex security threats of the new digital age.

F-Secure Rapid Detection Service

F-Secure is a Finnish company with a three-decade history fighting cyberthreats. Its most recent cybersecurity offering, the Rapid Detection Service, is aimed at reducing the time required to detect and respond to cybersecurity threats and data breaches. In general, it takes organizations several months to discover attacks against their networks. F-Secure hopes to cut that time to 30 minutes with RDS.

And machine learning is an important part of that effort.

RDS is a managed intrusion detection and prevention service that combines endpoint technology, advanced analytics, machine learning and human expertise. At its heart is F-Secure’s team of cybersecurity experts, who monitor client data and respond to events. But to serve a large number of clients, the experts need to gather and analyze a huge amount of data.

The data is collected by on-site monitoring software installed on workstations and by network sensors placed in different network segments. Before delivering the data to the security experts, F-Secure processes it through a host of proprietary threat intelligence and behavioral analytics engines, which use machine learning to establish a baseline of normal behavior and flag outliers and anomalies against it. RDS’s machine learning engine uses near-real-time analytics, historical data and anonymized data gathered from its client base to filter the vast amount of data it collects and to detect both known and evolving threats.

With machine learning taking care of the bulk of the work, F-Secure’s team of experts are able to detect security incidents much faster than usual and inform their clients before the effects become catastrophic.

IBM Watson for Cyber Security

IBM has earned a reputation in the artificial intelligence industry for its flagship platform Watson, known in particular for its cognitive computing and natural language processing abilities. After making inroads in a number of sectors, the tech giant is now moving into cybersecurity with the latest flavor of its AI engine, which it calls IBM Watson for Cyber Security.

The idea behind IBM’s innovation is that much of the knowledge that can help fight new evolving threats lies in unstructured data such as blog posts, research papers, news stories and social media updates. It is a cybersecurity expert’s job to read and make sense of this information to keep the edge over attackers, a pretty challenging task given that around 60,000 security-related blog posts are being published every month.

IBM will take advantage of Watson’s unique capabilities in sifting through unstructured data to ingest thousands of cybersecurity documents per month and build up knowledge about all the latest security threats. The results will be combined with data already contained in IBM’s threat intelligence platform, X-Force Exchange, to give Watson the power to analyze, identify and prevent cybersecurity threats.

The company wants to address the industry’s talent shortage by making Watson as effective as an expert assistant and by helping to reduce the rate of false positives. Watson for Cyber Security is due to ship to enterprise customers later in 2017 as a service running on IBM’s Bluemix cloud platform.

Until then, Watson has a lot of learning to do, which is why IBM has partnered with students from eight universities, including MIT, Penn State and New York University, to help the AI engine learn the language of cybersecurity and build its corpus of knowledge.


MIT CSAIL AI2

Nothing can sniff out a cybersecurity threat with the precision of human experts. But on their own, humans cannot cope with the huge volume of traffic that flows through company networks.

Automated security tools, on the other hand, analyze large traffic volumes quickly. But left unattended they raise too many false positives, alerts on events that are not actual intrusions. The result is alert fatigue: analysts become less sensitive to the alerts that do matter.

This is what has led MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) to develop AI2, an adaptive cybersecurity platform that combines machine learning and human expertise to improve over time. The name stands for Artificial Intelligence + Analyst Intuition.

Once deployed, AI2 analyzes millions of network log lines every day and singles out suspicious events. The results go to a human analyst, who reviews the flagged events, confirms the real threats and dismisses the false positives. The system then takes that feedback and uses it to fine-tune its monitoring.

The back-and-forth between the human analyst and the machine learning engine repeats, and with every iteration AI2 gets better at identifying real threats. In a 90-day test on an e-commerce platform, the model detected 85 percent of attacks while considerably reducing false positives.
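The loop described in the two paragraphs above (and the baseline-then-outliers approach in the F-Secure section) can be shown end to end on a handful of log lines. The example below is added here and is not AI2’s, CSAIL’s or F-Secure’s code: the access-log format, the hosts, the per-source features and the analyst verdicts are all constructed for illustration, and plain logistic regression stands in for whatever supervised model the real systems use, which the article does not describe. An unsupervised pass ranks each source IP by its distance from a baseline of normal behavior, the top hits go to an analyst, the analyst’s labels train a supervised model, and that model re-ranks the next day’s traffic.

```python
"""Analyst-in-the-loop anomaly triage over web-server logs (added example).
Not AI2's or F-Secure's code; the logs, hosts, features and analyst labels
below are constructed for illustration. Standard library only.
"""
import math
import re
from collections import defaultdict

# Constructed access-log excerpts: "<time> <src_ip> <status> <bytes> <path>".
DAY1_LOG = """
08:00:01 10.0.0.5 200 1834 /index.html
08:00:04 10.0.0.5 200 2210 /products
08:00:09 10.0.0.5 200 1902 /cart
08:01:02 10.0.0.6 200 1790 /index.html
08:01:08 10.0.0.6 200 2300 /products
08:01:20 10.0.0.6 404 512 /products/old
08:02:11 10.0.0.7 200 1820 /index.html
08:02:14 10.0.0.7 200 2100 /products
08:02:30 10.0.0.7 200 1950 /cart
02:00:00 10.0.0.9 200 5200000 /exports/backup.tar
02:05:00 10.0.0.9 200 5100000 /exports/backup.tar
03:00:00 203.0.113.77 404 410 /admin
03:00:00 203.0.113.77 404 410 /.env
03:00:01 203.0.113.77 404 410 /wp-login.php
03:00:01 203.0.113.77 404 410 /phpmyadmin
03:00:02 203.0.113.77 403 410 /config.php
03:00:02 203.0.113.77 200 1834 /index.html
"""
DAY2_LOG = """
02:00:00 10.0.0.10 200 4900000 /exports/backup.tar
02:05:00 10.0.0.10 200 4900000 /exports/backup.tar
04:10:00 198.51.100.23 404 410 /.git/config
04:10:00 198.51.100.23 404 410 /backup.zip
04:10:01 198.51.100.23 404 410 /xmlrpc.php
04:10:01 198.51.100.23 404 410 /shell.php
"""
LINE_RE = re.compile(r"(\S+) (\S+) (\d{3}) (\d+) (\S+)$")

def extract_features(log_text):
    """Per source IP: [requests, error ratio, log10(bytes), distinct paths]."""
    agg = defaultdict(lambda: {"reqs": 0, "errs": 0, "bytes": 0, "paths": set()})
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m: continue  # skip malformed lines instead of crashing the pipeline
        _, ip, status, nbytes, path = m.groups()
        a = agg[ip]
        a["reqs"] += 1
        a["errs"] += status[0] in "45"
        a["bytes"] += int(nbytes)
        a["paths"].add(path)
    return {ip: [a["reqs"], a["errs"] / a["reqs"], math.log10(a["bytes"] + 1), len(a["paths"])]
            for ip, a in agg.items()}

def fit_baseline(features):
    """Mean/std per feature from historical traffic; reused for later batches."""
    cols = list(zip(*features.values()))
    mean = [sum(c) / len(c) for c in cols]
    std = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0 for c, m in zip(cols, mean)]
    return mean, std

def standardize(vec, baseline):
    mean, std = baseline
    return [(x - m) / s for x, m, s in zip(vec, mean, std)]

def _sigmoid(x):
    return 1 / (1 + math.exp(-max(-30.0, min(30.0, x))))  # clamp avoids overflow

def outlier_scores(features, baseline):
    """Unsupervised pass: distance from the baseline in standardized feature space."""
    return {ip: math.sqrt(sum(z * z for z in standardize(v, baseline))) for ip, v in features.items()}

def triage(scores, k):
    return sorted(scores, key=scores.get, reverse=True)[:k]  # top-k, highest score first

def train_on_feedback(features, baseline, labels, epochs=300, lr=0.1, l2=0.01):
    """Logistic regression on analyst-labelled sources (1 = attack, 0 = benign)."""
    rows = [(standardize(features[ip], baseline), y) for ip, y in labels.items()]
    w, b = [0.0] * len(rows[0][0]), 0.0
    for _ in range(epochs):
        gw, gb = [l2 * wi for wi in w], 0.0  # L2 keeps weights bounded on tiny label sets
        for z, y in rows:
            p = _sigmoid(sum(wi * zi for wi, zi in zip(w, z)) + b)
            gw = [g + (p - y) * zi for g, zi in zip(gw, z)]
            gb += p - y
        w = [wi - lr * g for wi, g in zip(w, gw)]
        b -= lr * gb
    return w, b

def attack_probability(features, baseline, model):
    """Supervised re-ranking of a new batch with the model learned from feedback."""
    w, b = model
    return {ip: _sigmoid(sum(wi * zi for wi, zi in zip(w, standardize(v, baseline))) + b)
            for ip, v in features.items()}

if __name__ == "__main__":
    day1 = extract_features(DAY1_LOG)
    base = fit_baseline(day1)
    print("flagged for analyst:", triage(outlier_scores(day1, base), 2))
    model = train_on_feedback(day1, base, {"203.0.113.77": 1, "10.0.0.9": 0})  # analyst verdicts
    print(attack_probability(extract_features(DAY2_LOG), base, model))
```

On day one the unsupervised pass flags both the path-scanning source and the nightly bulk export, because both are far from the baseline. After the analyst marks the scanner as an attack and the export as benign, the supervised model learns that many requests, a high error ratio and many distinct paths indicate an attack while large byte counts alone do not, so on day two a new scanner is ranked far above a new export host even though the export host is still an outlier by distance. That is the false-positive reduction the AI2 loop is after; with real traffic the label set would grow every day and the model would be refitted on all of it.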

AI2 can also help anticipate attacks by surfacing patterns in attackers’ methods, helping analysts work out their likely next step and the countermeasures that can stop it.

Massive Strixus

Massive Alliance is a cybersecurity startup that specializes in analyzing unstructured data. And it’s put this capability to good use in designing its latest security platform, Strixus.

Massive has developed an engine that crawls the web and gathers data relating to each of its customers. The collection spans several levels: the surface web (what you see in search engines), the deep web (data from non-indexed pages) and the dark web (anonymous Tor-based networks and sites).

The collected data is then fed into a sentiment-based machine learning engine that combs through the unstructured content to gauge its overall sentiment. Strixus works through billions of online documents a day and can detect threats as they develop, including stolen data turning up on dark web markets or social media campaigns aimed at damaging a client’s brand.

Behind the system are statistical engines that build adaptive models of threat actors and detect when an actor’s behavior is likely to pose a threat to the client.

At the end of the pipeline, security analysts make the final call on which events indicate attacks or threats and should be acted upon. The combination lets organizations take a proactive stance toward cyberthreats and other risks, and identify and swiftly remove harmful content before damage is done.