Foresee: Human and Machine Learning Working Together
Learn how Secureworks is leveraging human intelligence and machine learning to deliver better visibility, insights, and threat detection and prevention capabilities.
By: David Stevenson
Over the 20 years that Secureworks® has been providing managed security services, our team of analysts has built up a huge amount of expertise in assessing and taking action on many different cyber threats. Several years ago, Secureworks initiated a project designed to maximise the quality of our service to our clients and to let us leverage our human expertise as far as humanly possible, and even beyond. Foresee is the result: our machine learning platform, which currently assesses, classifies and takes action on many potentially malicious events every day.
Although machine learning capabilities have been around in other industries for a few years now, Secureworks elected to make use of the most valuable resource that we have available to us: our analysts, who live and breathe security for our clients, day-in, day-out. Foresee learns from how our human analysts assess events and what they do with them, and then automatically applies that learning to other similar events that we receive.
Foresee machine learning is "supervised", which is techno-speak for "starting with a set of training events that have previously been assessed by our analysts and asking Foresee to learn to replicate those decisions using Artificial Intelligence techniques." Foresee is even more nuanced, however: it assigns a probability that each event is benign (e.g. output from logs) or not benign (potentially a threat), and refers those that are not benign to a human analyst for a quality check.
Because Foresee's in-house developed technology learns how analysts' decisions are made, and attempts to replicate those decisions, Foresee gives the benefits of two worlds: analyst expertise and the speed and accuracy of machine learning. This cooperation between person and machine goes even further, however: to provide a further layer of quality control over our machines, we double-check events manually before we alert our clients, so that even if our machine learning models occasionally encounter an issue, clients are not inconvenienced unnecessarily.
Other machine learning techniques include unsupervised learning, where a training set exists (such as security events) but there is no record of how an analyst has previously assessed and classified each event. With unsupervised learning, the machine has to figure out on its own how to structure and assess the events and determine the correct outcome, which is more difficult. These alternative techniques therefore tend to be harder to train and can lead to less accurate results.
Thanks to the magic of machine learning, our Foresee technology can make decisions, based on statistical probability, even when an event is not identical to events seen in the training set but only similar to them. This capability of machine learning, known as "generalization," ensures that the maximum number of events can be classified correctly.
Foresee has proven to be a highly valuable asset to Secureworks and our clients, ensuring that our analysts are best utilised and focussed on the malicious events that really matter.