China vs. the machine (learning)

If American businesses want to curb the theft of their trade secrets and intellectual property by other countries, they are going to have to do it themselves. Experts say their best hope is machine learning

In the ongoing war against economic espionage – especially by China – the good news for the American private sector is that machine learning (ML) and behavioral analytics are offering some promise of detecting hackers before they start exfiltrating trade secrets and intellectual property (IP).

The not so good news is that those businesses are not going to be getting much help from the government.

That, say most experts, is the reality, even after last September’s agreement between the U.S. and China that neither country would “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

Even mainstream media organizations are reporting that the agreement has had little effect. The CBS TV news magazine “60 Minutes” devoted a segment of its Jan. 17 show – four months after the agreement – to the continuing theft of trade secrets and IP of American companies, labeling it “the great brain robbery of America.”

In the segment, Dmitri Alperovitch, cofounder and CTO of CrowdStrike, told correspondent Leslie Stahl that following the agreement between President Obama and Chinese President Xi Jinping, the hacking of U.S. companies continues. It has simply been transferred from the infamous Unit 61398 of the People’s Liberation Army that has hacked multiple American businesses including the New York Times, to an intelligence unit that is China’s version of the CIA.

“In effect, they said, ‘You guys are incompetent. You got caught. We'll give it to the guys that know better,’” Alperovitch said.


Dmitri Alperovitch, cofounder and CTO, CrowdStrike

CrowdStrike’s “2015 Global Threat Report” put it in somewhat more muted language, but the message was the same: The wording of the agreement, “was described by most analysts as extremely vague and largely open to interpretation,” the report said, adding that, “China has demonstrated that their operators will resume normal activities when scrutiny has diminished. The cyber agreements appear to be an attempt to appease the U.S. (and) avoid economic sanctions …”

Experts also say that even the highly publicized arrests last fall by the Chinese government of “a handful of hackers” connected to the catastrophic breach that exposed the personal data of more than 22 million current and former U.S. federal workers don’t really change things.

“The Chinese government has a history of sacrificing individuals for the good of the state,” said William Munroe, vice president of marketing at Interset. “Arrests, convictions and jail sentences create a justifiable defense that the Chinese are following the agreement while covering up their illicit activities.”

And, while the U.S. government has issued multiple threats over the past several years that it will impose sanctions on China if the cyber economic espionage continues, it has not imposed any yet and nobody expects it will.

“The Chinese economy is already weak, and sanctions would only hurt it more, which would directly affect the U.S. economy and jobs,” Munroe said.


William Munroe, vice president of marketing, Interset

That leaves American companies essentially on their own to defend themselves, which has been the case since the beginning of the “great brain robbery.”

But, security experts say defensive tools are improving, in part thanks to broad awareness that perimeter defenses are not nearly enough, and also because of the growing technological capacity to collect and analyze data.

“There is a growing shift in the industry away from signature-based technologies, as they are not enough to detect and prevent today’s sophisticated adversaries,” Alperovitch told CSO. 

“Traditional detection technologies look for known sequences in files, and block those known to be associated with malware. The issue is that the signature for a given malware element can be quickly and easily changed – far more quickly than anti-virus vendors can adapt to the changes,” he said.

“This is why the combination of machine learning and behavioral-based detection and prevention is much more effective.”

There is still an ongoing debate over the value of ML. The research firm Gartner ranked ML among the top five technologies at the “peak of inflated expectations” in its 2015 Hype Cycle.

But Ariel Silverstone, a consulting chief security and privacy officer, told CSO in December that he believes ML is, “severely, significantly under-hyped.” Not only can it detect intrusions, he said, it can predict them, to the point where it is possible to ask the machine, “Will I be attacked next Tuesday from China at 3 p.m.?” and get an answer that has a better than 99 percent chance of being accurate.

Jason Tan, CEO and cofounder of Sift Science, agreed. “One of the key benefits to machine learning is its versatility and adaptiveness,” he said, “allowing organizations to harness vast amounts of data to predict all types of fraudulent behavior – including IP theft.”

Andrew Gardner, senior technical director, machine learning, at Symantec, is even more bullish. He said the major breaches of the past several years – Target, Home Depot, Sony, J.P. Morgan and others – “could soon be a thing of the past if security solutions gain predictive capabilities that empower the CISO.”


Andrew Gardner, senior technical director, machine learning, Symantec

He said deep learning has helped his firm become three times more accurate in spotting zero days, “because we’re able to identify oddities sooner by connecting the dots between behavioral and contextual signals that could signal an attack is likely.”

Alperovitch cites similar experiences. He said machine learning has made it possible to collect “massive amounts of threat intelligence” through crowdsourcing, and then analyze it for what he called Indicators of Attack.

Those indicators make it much more difficult for an adversary to hide during the early stages – “reconnaissance, expansion and data-staging – of an attack,” Munroe said.

In the past, attackers could hide their activities in the data logs of applications, directories, endpoints, net-flow and repositories, he said. But, “machine learning and behavioral analytics will find these activities hidden in billions of event logs, connect them and surface them to security investigators.”
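The contrast Alperovitch draws between signature matching and behavioral detection, and the stage correlation Munroe describes, as an added example that is not code from the article or from any vendor quoted in it: a hash signature that one changed byte evades, beside a correlator that maps constructed log lines from several sources onto the three stages and surfaces a host only when all of them appear within a time window. The event names, hosts and timestamps are all constructed.

```python
"""Added example, not code from the article or any vendor quoted in it.
A hash signature, which one changed byte evades, is contrasted with stage
correlation over constructed log lines from several sources."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime
# Constructed "known bad" sample and the signature database holding its hash.
KNOWN_BAD = b"MZ\x90\x00constructed-sample"
KNOWN_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def signature_hit(sample: bytes, known_hashes=KNOWN_HASHES) -> bool:
    """Classic signature check: an exact hash match only."""
    return hashlib.sha256(sample).hexdigest() in known_hashes

# Constructed events: "<ISO time> <source> <host> <event> [details]".
EVENTS = """\
2016-01-18T09:01:00 netflow   ws-17 port_scan targets=42
2016-01-18T09:03:00 directory ws-17 ldap_enum groups=all
2016-01-18T09:40:00 endpoint  ws-17 remote_exec target=fs-02
2016-01-18T10:05:00 endpoint  ws-17 archive_created size_mb=900
2016-01-18T10:06:00 netflow   ws-17 outbound_bytes dst=external
2016-01-18T11:00:00 endpoint  ws-03 archive_created size_mb=2
""".splitlines()

# Event names map to Munroe's stages; the mapping ignores which tool was used.
STAGE_OF = {"port_scan": "recon", "ldap_enum": "recon",
            "remote_exec": "expansion", "archive_created": "staging",
            "outbound_bytes": "staging"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\w+)")

def parse(line: str):
    ts, source, host, event = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), source, host, event

def surface_hosts(lines, window_s=7200):
    """{host: [stages in order seen]} for hosts showing every stage within
    window_s seconds; a lone stage (e.g. a small backup) is not flagged."""
    first_seen = defaultdict(dict)          # host -> stage -> first timestamp
    for line in lines:
        ts, _, host, event = parse(line)
        stage = STAGE_OF.get(event)
        if stage and stage not in first_seen[host]:
            first_seen[host][stage] = ts
    flagged = {}
    for host, stages in first_seen.items():
        span = max(stages.values()) - min(stages.values())
        if {"recon", "expansion", "staging"} <= set(stages) and span.total_seconds() <= window_s:
            flagged[host] = sorted(stages, key=stages.get)
    return flagged
```

With the constructed input, ws-17 is surfaced with its stages in order while ws-03, which only created a small archive, is not; the signature check fails as soon as a single byte of the known sample differs.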

That doesn’t mean everybody is using it, or knows how to use it. It also sounds expensive – possibly much too expensive for SMBs, but Alperovitch said it is becoming both more accessible and more affordable.

“The industry is gradually moving towards making entry-level options available,” he said, “whether it’s access to intelligence or technology solutions.

“Also, leveraging technologies like the cloud allows vendors to offer more cost-effective means to deploy security tools in a scalable way with minimum pre-existing infrastructure requirements. The cloud is a real game-changer.”

Munroe has a similar message. “Before the age of Hadoop and big data, most organizations did not have the data to feed a machine learning-based system,” he said. “But that has changed because even if you do not have this infrastructure you can use a cloud-based system.”

That combination of machine learning and behavioral analytics tools, he said, is good enough to catch even nation state-sponsored hackers.

