Proving the Case for ML in Phishing Protection, with IRONSCALES

25 April 2022

Should you retrain or cross-train employees in data science?

Cybersecurity teams have always had to adapt to new attack methods and change the tools they use to fit the organization’s processes better. A prime example of adapting to new ways of working is the growing prevalence of cloud-based business services and applications. If most of the company’s work takes place on web-based SaaS platforms, perimeter-based cybersecurity protection loses importance, and CISOs start to look at cloud-based zero-trust frameworks, for example.

Similarly, as more companies move their workflows to Google Suite or Office 365, the secure email gateway that protected the on-prem email server and clients gets mothballed in favor of ICES (integrated cloud email security) solutions.

At the same time, agent-based endpoint protection that relies on heuristic scanning or rule-based algorithms with pushed/pulled updates is proving increasingly ineffective against very, very smart phishing attacks that exploit weaknesses in every device’s “biological interface.” User education in online hygiene may have a role in solving that problem, but even seasoned cybersecurity veterans reading these pages will know that they too have, in a moment of inattention, clicked the odd suspect link.

To keep one step ahead of the money-making machine that is hacking, cybersecurity professionals look to multiple tools that close off attack vectors, and turn to a new generation of products that use machine learning algorithms to flag anomalies more effectively.

A problem inherent in any area of nascent technology is that AI and ML are more often “deployed” by marketing departments than they are hard-coded into applications or services. The badge of “powered by AI” should always be taken with a pinch of salt. Thankfully, cybersecurity is one area where machine learning can be proven to be effective and is not subject to wild claims about its abilities. Or, at least, it is a lot less likely to be subject to that type of claim.

Machine Learning Cyber Security

Packet-level traffic inspection, for example, can form a coherent learning corpus for ML algorithms, especially when they come with pre-built sets of statistically sound data that describe “typical” network activity.

Machine learning is known to be less effective at predictive analysis: any cybersecurity vendor that could predict the nature of the next big zero-day attack and prevent it would certainly shift some product.

But let’s revisit the biggest source of cybersecurity headaches and the source of most successful attacks: human error. Big ransomware attacks have made too many headlines over the last twelve months, as phishing emails get more sophisticated. There’s even evidence that the time and energy hackers invest in hand-written, individualized emails is a worthwhile endeavor for the criminals. Against motivated attackers, can machine learning help prevent phishing emails from ever reaching their targets?

A few weeks ago, we spoke to Eyal Benishti, the CEO of IRONSCALES, about precisely this subject. The platform’s tight integration with Office 365 means that end-users get seamless protection in their working environment, and security teams deploy IRONSCALES with just a few clicks. The basis for the machine learning algorithms that the platform uses is nicely laid out by the company’s Technical Lead for ML in this blog post (warning: contains uncensored code examples; non-data scientists beware), and it shows empirically that ML can be made effective against phishing emails.

To save readers an afternoon spent researching the statistical and programming methods from the blog post, here’s a quick précis: the IRONSCALES algorithms first identify emails that exhibit some anomaly, then categorize those that are suspect. Because spam senders and phishing senders are strongly correlated, often the same people using the same facilities, an extra layer of textual analysis is then applied to message bodies, which can safely predict whether an email is offering fake Rolexes or something much more malign.
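The two ends of that précis, the anomaly gate on headers and the textual analysis that separates spam from phishing, as an added illustration that is not IRONSCALES’ code and skips the middle categorization step. The training corpus and the baseline of known sender domains are constructed for the example; a real deployment would learn both from the organization’s own mail flow.

```python
import math, re
from collections import Counter
# Constructed corpus (hypothetical, not IRONSCALES data): spam vs credential-phishing bodies.
TRAIN = [
    ("spam", "luxury replica watches discount shop now free shipping"),
    ("spam", "cheap pills online pharmacy best prices order today"),
    ("spam", "win a free cruise discount offer limited time shop"),
    ("phish", "your account is suspended verify your password at this link"),
    ("phish", "urgent invoice overdue login to confirm payment details"),
    ("phish", "security alert unusual sign in verify your account now"),
]

def tokens(text):
    return re.findall(r"[a-z']+", text.lower())

def train_nb(samples):
    """Multinomial naive Bayes: per-class document and word counts plus the vocabulary."""
    docs, words = Counter(), {"spam": Counter(), "phish": Counter()}
    for label, body in samples:
        docs[label] += 1
        words[label].update(tokens(body))
    return docs, words, {w for c in words.values() for w in c}

def classify_body(model, body):
    """Textual stage: spam or phish from the message body, with add-one smoothing."""
    docs, words, vocab = model
    scores = {}
    for label, counts in words.items():
        logp = math.log(docs[label] / sum(docs.values()))
        denom = sum(counts.values()) + len(vocab)
        for w in tokens(body):
            logp += math.log((counts[w] + 1) / denom)
        scores[label] = logp
    return max(scores, key=scores.get)

def anomaly_flags(msg, known_domains):
    """Anomaly stage: header-level oddities against a baseline of sender domains the org usually sees."""
    sender_dom = msg["from"].rsplit("@", 1)[-1]
    reply_dom = msg.get("reply_to", msg["from"]).rsplit("@", 1)[-1]
    flags = []
    if sender_dom not in known_domains:
        flags.append("unknown-sender-domain")
    if reply_dom != sender_dom:
        flags.append("reply-to-mismatch")
    return flags

def triage(msg, known_domains, model):
    """Only mail the anomaly stage flags is passed on to the body classifier."""
    flags = anomaly_flags(msg, known_domains)
    return (classify_body(model, msg["body"]) if flags else "clean"), flags
```

Mail from a known domain with no header oddities never reaches the text classifier, which is what keeps the body analysis cheap and its false positives contained.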

But perhaps the final nail in the coffin of the ML skeptic should be IRONSCALES’ open admission that its platform (and by inference, every other cybersecurity platform) can only offer so much protection. User training and education still play a critical role for that last percent or less of malware that will get through whatever defenses a company may erect. As you might expect, that education is offered by IRONSCALES to all its clients, alongside its software cybersecurity solutions and an active user community that upstreams profiles of the threats it has received.

At a time when we can buy refrigerators that are “powered by AI,” finding a cybersecurity company that’s happy to prove its case for self-improving threat detection is refreshing. We suggest you read the blog post (linked again here), and if it’s too opaque, you can contact IRONSCALES here: they also specialize in human interaction.