Machine Learning in Cybersecurity: CyberArk
CyberArk is an Israeli cybersecurity company that specializes in privileged account management. Its customers include 50% of the Global Fortune 100. CyberArk helps protect organizations both from external actors who have acquired insider credentials and from malicious insiders themselves. In both cases the attacker is already past the organization's perimeter. CyberArk helps organizations build a layered design, like a castle whose most critical information is housed within multiple sets of walls, along with the systems and processes, like guard patrols, needed to catch bad behavior early. The credentials themselves are locked up and encrypted in "digital vaults."
CyberArk helps companies navigate the tradeoff between convenience and security. The more people who hold local "admin rights" that let them install software (including malware), add users, and so on, the greater the organization's risk. CyberArk's traditional value proposition was laying out the architecture and infrastructure that manage this tradeoff.
Machine learning comes into play in automatically detecting cyber threats, including zero-day attacks (attacks that exploit a flaw the vendor has had zero days to patch, so there is no signature to match against). Machine learning can monitor behavior like a referee in a soccer game. Because so many "players" generate vast amounts of data simultaneously, machine learning is well suited to learning what sort of behavior is normal versus risky. With this backstop in place, an organization can give more users convenient access while retaining the capability to identify quickly when an employee, or an attacker with stolen credentials, starts behaving in a very strange manner.
An example will help illustrate. Edward Snowden was a malicious insider: as a contractor he downloaded classified NSA documents and leaked them. Had the NSA used machine-learning protections, its models could have identified that Snowden was engaging in very unusual behavior on endpoints, downloading a massive amount of data unrelated to his assigned work. The algorithm could have flagged this promptly and perhaps automatically revoked Snowden's credentials, and with them his ability to access the network.
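As an added example that is not part of the original post and not CyberArk's product logic, the behaviour-baselining idea in the two paragraphs above (and the multi-indicator threat scoring mentioned later in the post) can be sketched in a few dozen lines of Python. Everything here is an assumption made for the illustration: the session records are constructed, not real logs; the three indicators (volume far above the user's own baseline, a host the user has never touched, a login outside the user's usual hours), their weights, and the alert threshold are chosen for the example rather than taken from any vendor's implementation.

```python
"""Added example: per-user behavioural baselines plus indicator scoring over
constructed privileged-session records. Written for this page, not CyberArk
product logic; the indicators, weights and threshold are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import math
import statistics

@dataclass(frozen=True)
class Session:
    user: str
    host: str
    hour: int        # local hour of day, 0-23
    bytes_out: int   # bytes copied off the host during the session

# Constructed history of normal sessions (not real logs): the contractor works
# business hours on two engineering shares at tens of MB per session; the DBA
# routinely pulls multi-GB dumps, so large volume is normal for that user.
HISTORY = [
    Session("contractor1", "share-eng-01", 9, 25_000_000),
    Session("contractor1", "share-eng-02", 10, 40_000_000),
    Session("contractor1", "share-eng-01", 11, 18_000_000),
    Session("contractor1", "share-eng-02", 13, 60_000_000),
    Session("contractor1", "share-eng-01", 14, 33_000_000),
    Session("contractor1", "share-eng-02", 15, 52_000_000),
    Session("contractor1", "share-eng-01", 16, 27_000_000),
    Session("contractor1", "share-eng-02", 10, 45_000_000),
    Session("dba1", "db-prod-01", 8, 1_800_000_000),
    Session("dba1", "db-prod-01", 9, 2_200_000_000),
    Session("dba1", "db-prod-01", 14, 2_000_000_000),
    Session("dba1", "db-prod-01", 17, 2_500_000_000),
]

@dataclass(frozen=True)
class Baseline:
    mean_log_bytes: float
    std_log_bytes: float
    hosts: frozenset
    hour_range: tuple  # (earliest, latest) hour seen in history

def build_baselines(sessions):
    """One baseline per user; volume in log10 space because transfer sizes are
    heavy-tailed and a z-score on raw bytes would be dominated by outliers."""
    per_user = defaultdict(list)
    for s in sessions:
        per_user[s.user].append(s)
    baselines = {}
    for user, ss in per_user.items():
        logs = [math.log10(s.bytes_out + 1) for s in ss]
        std = statistics.pstdev(logs) if len(logs) > 1 else 0.0
        baselines[user] = Baseline(
            mean_log_bytes=statistics.mean(logs),
            std_log_bytes=max(std, MIN_STD),
            hosts=frozenset(s.host for s in ss),
            hour_range=(min(s.hour for s in ss), max(s.hour for s in ss)),
        )
    return baselines

# Assumed parameters; a real deployment would tune them against labelled incidents.
MIN_STD = 0.1  # floor of a tenth of a decade so a tight history is not 3-sigma on every change
WEIGHTS = {"volume_anomaly": 4, "new_host": 2, "off_hours": 1, "no_baseline": 3}
THRESHOLD = 5  # alert only when more than one indicator agrees

def indicators(session, baselines):
    """Names of the indicators that fire for one session."""
    b = baselines.get(session.user)
    if b is None:
        return ["no_baseline"]  # cold start: nothing to compare against
    fired = []
    z = (math.log10(session.bytes_out + 1) - b.mean_log_bytes) / b.std_log_bytes
    if z > 3:
        fired.append("volume_anomaly")
    if session.host not in b.hosts:
        fired.append("new_host")
    lo, hi = b.hour_range
    if not lo <= session.hour <= hi:
        fired.append("off_hours")
    return fired

def score(session, baselines):
    fired = indicators(session, baselines)
    return sum(WEIGHTS[i] for i in fired), fired

def triage(sessions, baselines, threshold=THRESHOLD):
    """Sessions whose combined indicator score reaches the alert threshold."""
    results = [(s, *score(s, baselines)) for s in sessions]
    return [r for r in results if r[1] >= threshold]

# Constructed sessions to score: routine; one weak signal; a big but normal DBA
# dump; and a contractor pulling terabytes from an unfamiliar share at 02:00.
CANDIDATES = [
    Session("contractor1", "share-eng-01", 11, 30_000_000),
    Session("contractor1", "share-eng-03", 10, 35_000_000),
    Session("dba1", "db-prod-01", 10, 3_000_000_000),
    Session("contractor1", "share-intel-07", 2, 1_500_000_000_000),
]

if __name__ == "__main__":
    for s, total, fired in triage(CANDIDATES, build_baselines(HISTORY)):
        print(f"ALERT score={total} {s.user} {s.host} {s.hour:02d}:00 {fired}")
```

Three things the code shows that the prose does not. Baselines are per user: a 3 GB pull is unremarkable for the DBA but would be a 28-sigma event for the contractor, which is why a single global threshold on download size fails. A lone weak indicator (a share the contractor has not used before) scores below the threshold, so revoking credentials automatically should wait for corroborating signals; cutting off a legitimate user on one anomaly is itself a denial of service. And a user with no history cannot be scored behaviourally at all, so an insider's first weeks, or a freshly minted account, are a blind spot that needs a different control.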
CyberArk continues to evolve its offering to keep pace with attackers. Learning what behavior is "normal" versus abnormal requires monitoring thousands of employees and sifting through enormous volumes of log data, and deciding which abnormal behavior is riskiest is a prediction problem well suited to machine learning. As the company expands its client base and coverage, its models will have more data to learn from and should improve over time.
In the short term, CyberArk is further building out the machine-learning capabilities it uses to identify threats. It has made several acquisitions in the space over the past few years, including (1) Cybertinel, which specializes in threat detection, and (2) Viewfinity, which simplifies the processes involved in privilege management (better suited to smaller customers) [2, 3].
Currently, CyberArk uses 13 different indicators to "score" threats [Exhibit 1]. It must continue to build out this scoring capability, improving accuracy and updating the indicators as attacker tradecraft changes, to keep up with a dynamically changing adversary.
Looking ahead, the volume of applications and other software is growing exponentially, because the cloud and an increasingly rich off-the-shelf toolbox let developers build and deploy software much faster. CyberArk should therefore focus its R&D and acquisitions on protecting not just individual human accounts but also the identities of software applications and machines. Future attacks will increasingly come from automated tooling that itself uses machine learning to predict which techniques are most efficient and effective at evading detection.
Its latest major acquisition, Conjur ($42M, 2017), hints at where the future is heading and is a step in the right direction. Conjur provides software that manages machine identities and the secrets those machines use to authenticate to one another. But CyberArk needs to invest more in this area to defend against the sophisticated attacks of tomorrow.
One more radical idea would be to hire reformed hackers (ideally with Israeli or US military backgrounds, so that they can be trusted) to get into the mind of the attacker and to test and build out further solutions.
As companies prepare for a world in which attacks are enhanced by machine learning and carried out by machines, and defenses are likewise provided by machines, what is the risk that the cybersecurity arms race accelerates out of our control? From a societal standpoint, does investing more and more in defenses create stronger and more sophisticated attackers? A parallel is the way antibiotic use selects for resistant bacteria, forcing the entire human population into an arms race against them. What role should regulation play in this arms race?
1. "CyberArk September Investor Presentation." CyberArk Investor Relations. Accessed 11/12/2018.
2. "Cybertinel acquired by CyberArk Software." Crunchbase. Accessed 11/11/2018. https://www.crunchbase.com/acquisition/cyber-ark-software-acquires-cybertinel–4d1e30b3
3. "CyberArk Completes Acquisition of Viewfinity, Inc." CyberArk website. Accessed 11/11/2018. https://www.cyberark.com/press/cyberark-completes-acquisition-of-viewfinity-inc/
4. "Webinar: Machine Learning Prevents Privilege Attacks at the Endpoint." Viewed 11/13/2018.
5. "Conjur, Inc. Acquired by CyberArk Software." Crunchbase. Accessed 11/11/2018. https://www.crunchbase.com/acquisition/cyber-ark-software-acquires-conjur–d920145b#section-locked-marketplace
6. "CyberArk Investor Calls for Q4'17 – Q3'18." S&P Capital IQ.
7. "Pass the Hash." CyberArk website. Accessed 11/11/2018.