China vs. the machine (learning)

If American businesses want to curb the theft of their trade secrets and intellectual property by other countries, they are going to have to do it themselves. Experts say their best hope is machine learning.


In the ongoing war against economic espionage, especially by China, the good news for the American private sector is that machine learning (ML) and behavioral analytics are offering some promise of detecting hackers before they start exfiltrating trade secrets and intellectual property (IP).

The not-so-good news is that those businesses are not going to get much help from the government.

That, say most experts, is the reality, even after last September’s agreement between the U.S. and China that neither country would “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

Even mainstream media organizations are reporting that the agreement has had little effect. The CBS TV news magazine “60 Minutes” devoted a segment of its Jan. 17 show – four months after the agreement – to the continuing theft of trade secrets and IP of American companies, labeling it “the great brain robbery of America.”

In the segment, Dmitri Alperovitch, cofounder and CTO of CrowdStrike, told correspondent Leslie Stahl that following the agreement between President Obama and Chinese President Xi Jinping, the hacking of U.S. companies continues. It has simply been transferred from the infamous Unit 61398 of the People’s Liberation Army that has hacked multiple American businesses including the New York Times, to an intelligence unit that is China’s version of the CIA.

“In effect, they said, ‘You guys are incompetent. You got caught. We'll give it to the guys that know better,’” Alperovitch said.


Dmitri Alperovitch, cofounder and CTO, CrowdStrike

CrowdStrike’s “2015 Global Threat Report” put it in somewhat more muted language, but the message was the same. The wording of the agreement “was described by most analysts as extremely vague and largely open to interpretation,” the report said, adding that “China has demonstrated that their operators will resume normal activities when scrutiny has diminished. The cyber agreements appear to be an attempt to appease the U.S. (and) avoid economic sanctions …”

Experts also say that even the highly publicized arrests last fall by the Chinese government of “a handful of hackers” connected to the catastrophic breach that exposed the personal data of more than 22 million current and former U.S. federal workers don’t really change things.

“The Chinese government has a history of sacrificing individuals for the good of the state,” said William Munroe, vice president of marketing at Interset. “Arrests, convictions and jail sentences create a justifiable defense that the Chinese are following the agreement while covering up their illicit activities.”

And, while the U.S. government has issued multiple threats over the past several years that it will impose sanctions on China if the cyber economic espionage continues, it has not imposed any yet and nobody expects it will.

“The Chinese economy is already weak, and sanctions would only hurt it more, which would directly affect the U.S. economy and jobs,” Munroe said.


William Munroe, vice president of marketing, Interset

That leaves American companies essentially on their own to defend themselves, which has been the case since the beginning of the “great brain robbery.”

But, security experts say defensive tools are improving, in part thanks to broad awareness that perimeter defenses are not nearly enough, and also because of the growing technological capacity to collect and analyze data.

“There is a growing shift in the industry away from signature-based technologies, as they are not enough to detect and prevent today’s sophisticated adversaries,” Alperovitch told CSO. 

“Traditional detection technologies look for known sequences in files, and block those known to be associated with malware. The issue is that the signature for a given malware element can be quickly and easily changed – far more quickly than anti-virus vendors can adapt to the changes,” he said.

“This is why the combination of machine learning and behavioral-based detection and prevention is much more effective.”

There is still an ongoing debate over the value of ML. The research firm Gartner ranked ML among the top five technologies at the “peak of inflated expectations” in its 2015 Hype Cycle.

But Ariel Silverstone, a consulting chief security and privacy officer, told CSO in December that he believes ML is “severely, significantly under-hyped.” Not only can it detect intrusions, he said, it can predict them, to the point where it is possible to ask the machine, “Will I be attacked next Tuesday from China at 3 p.m.?” and get an answer that has a better than 99 percent chance of being accurate.

Jason Tan, CEO and cofounder of Sift Science, agreed. “One of the key benefits to machine learning is its versatility and adaptiveness,” he said, “allowing organizations to harness vast amounts of data to predict all types of fraudulent behavior – including IP theft.”

Andrew Gardner, senior technical director, machine learning, at Symantec, is even more bullish. He said the major breaches of the past several years – Target, Home Depot, Sony, J.P. Morgan and others – “could soon be a thing of the past if security solutions gain predictive capabilities that empower the CISO.”


Andrew Gardner, senior technical director, machine learning, Symantec

He said deep learning has helped his firm become three times more accurate in spotting zero days, “because we’re able to identify oddities sooner by connecting the dots between behavioral and contextual signals that could signal an attack is likely.”

Alperovitch cites similar experiences. He said machine learning has made it possible to collect “massive amounts of threat intelligence” through crowdsourcing, and then analyze it for what he called Indicators of Attack.

Those indicators make it much more difficult for an adversary to hide during the early stages of an attack – “reconnaissance, expansion and data-staging,” Munroe said.

In the past, attackers could hide their activities in the data logs of applications, directories, endpoints, net-flow and repositories, he said. But “machine learning and behavioral analytics will find these activities hidden in billions of event logs, connect them and surface them to security investigators.”
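The baseline-and-deviation idea behind the behavioral analytics Munroe and Alperovitch describe, as an added illustration that is not code from CSO, Interset or CrowdStrike: rather than matching a known signature, each account is compared against its own history of file-share activity, and a day that looks like reconnaissance or data staging (many unfamiliar hosts, far more data than usual) is surfaced. All events, user names and host names are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample file-share access events: (day, user, host, bytes_read).
# Day labels are chosen so that they sort chronologically as strings.
EVENTS = [
    ("d1", "alice", "share-hr", 20_000), ("d1", "alice", "share-fin", 18_000),
    ("d2", "alice", "share-hr", 22_000),
    ("d3", "alice", "share-hr", 21_000), ("d3", "alice", "share-fin", 19_000),
    ("d4", "alice", "share-hr", 23_000),
    # d5: alice reaches into shares she never touches and pulls far more data
    ("d5", "alice", "share-hr", 20_000), ("d5", "alice", "share-eng", 900_000),
    ("d5", "alice", "share-legal", 800_000), ("d5", "alice", "share-rnd", 1_200_000),
    ("d1", "bob", "share-eng", 500_000), ("d2", "bob", "share-eng", 480_000),
    ("d3", "bob", "share-eng", 520_000), ("d4", "bob", "share-eng", 510_000),
    ("d5", "bob", "share-eng", 495_000),  # bob is always heavy: normal for him
]

def daily_profile(events):
    """Collapse raw events into {user: {day: (distinct_hosts, total_bytes)}}."""
    hosts, total = defaultdict(set), defaultdict(int)
    for day, user, host, nbytes in events:
        hosts[(user, day)].add(host)
        total[(user, day)] += nbytes
    profile = defaultdict(dict)
    for (user, day), hs in hosts.items():
        profile[user][day] = (len(hs), total[(user, day)])
    return profile

def zscore(value, history):
    """Standard deviations that value sits above the user's own history."""
    sd = pstdev(history)
    return 0.0 if sd == 0 else (value - mean(history)) / sd

def detect(events, eval_day, threshold=3.0, min_history=3):
    """Return {user: scores} for users whose eval_day activity departs from
    their own prior-day baseline. Baselines are per user, not global, so a
    habitually heavy reader is not flagged while a sudden change is."""
    alerts = {}
    for user, days in daily_profile(events).items():
        if eval_day not in days:
            continue
        hist = [v for d, v in days.items() if d < eval_day]
        if len(hist) < min_history:
            continue  # too little baseline: new accounts need a separate rule
        hosts_z = zscore(days[eval_day][0], [h for h, _ in hist])
        bytes_z = zscore(days[eval_day][1], [b for _, b in hist])
        if max(hosts_z, bytes_z) >= threshold:
            alerts[user] = {"hosts_z": round(hosts_z, 1), "bytes_z": round(bytes_z, 1)}
    return alerts
```

Running `detect(EVENTS, "d5")` surfaces only alice; bob's equally large daily volume is his normal baseline and is left alone.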

That doesn’t mean everybody is using it, or knows how to use it. It also sounds expensive, possibly much too expensive for SMBs, but Alperovitch said it is becoming both more accessible and more affordable.

“The industry is gradually moving towards making entry-level options available,” he said, “whether it’s access to intelligence or technology solutions.

“Also, leveraging technologies like the cloud allows vendors to offer more cost-effective means to deploy security tools in a scalable way with minimum pre-existing infrastructure requirements. The cloud is a real game-changer.”

Munroe has a similar message. “Before the age of Hadoop and big data, most organizations did not have the data to feed a machine learning-based system,” he said. “But that has changed because even if you do not have this infrastructure you can use a cloud-based system.”

That combination of machine learning and behavioral analytics tools, he said, is good enough to catch even nation state-sponsored hackers.
