At RSA Conference 2019, Dena Bauckman, VP of product management at Zix, explored how email attacks are evolving and how machine learning can be used to better detect email-based attacks.
“Today, attackers are getting more targeted, and they’re not sending out bulk campaigns anymore,” she said. Email attack campaigns are becoming more intricate and “we need a better way of identifying those threats when they are constantly changing. That’s where we started to see that machine learning can really help us in that area.”
Bauckman defined machine learning as “the ability to teach a machine to do something that humans do naturally, and that is learn from experience.”
She added that there are two different types of machine learning techniques used in threat detection: supervised and unsupervised machine learning.
With supervised machine learning, you feed the system a large, labeled sample of email threats so it can analyze the attributes those threats share. The system then builds a model to predict future email threats. Live email traffic is fed through the system, the model assigns each message a probability that it is a threat, and rules can then be defined to handle the different threat-probability scenarios.
With unsupervised machine learning, you feed the system normal email traffic and it learns over time what normal email communication looks like. The system can then identify anomalies in email communication, and those anomalies can be correlated with other network and system behavior to identify threats.
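The two approaches above are easiest to compare side by side in code. The following is an added illustration, not code from the talk or from Zix: a small supervised classifier (naive Bayes over word tokens, trained on a handful of constructed labeled emails) that outputs a threat probability and feeds it to a handling rule, and an unsupervised per-sender baseline (mean and standard deviation of a few metadata features learned from constructed "normal" traffic) that scores new messages by how far they deviate. All emails, senders and thresholds are constructed sample values.

```python
"""Supervised vs. unsupervised email threat detection, side by side.

All data below is constructed for illustration. A real system trains on
large labeled corpora (supervised) and real traffic history (unsupervised).
"""
import math
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# ---------- Supervised: labeled samples -> model -> threat probability ----------

# Constructed training set: (email text, label) with label 1 = threat, 0 = benign.
TRAINING_EMAILS = [
    ("urgent verify your account password now click link", 1),
    ("your invoice payment is overdue open attached document immediately", 1),
    ("wire transfer request from ceo confirm bank details today", 1),
    ("security alert unusual login reset password via link", 1),
    ("team lunch moved to thursday see calendar", 0),
    ("attached are the meeting notes from monday", 0),
    ("quarterly report draft for review thanks", 0),
    ("can you send the updated project plan", 0),
]

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class NaiveBayesThreatModel:
    """Multinomial naive Bayes with add-one smoothing over word tokens."""

    def __init__(self, samples):
        self.class_counts = Counter()
        self.token_counts = {0: Counter(), 1: Counter()}
        self.vocab = set()
        for text, label in samples:
            toks = tokenize(text)
            self.class_counts[label] += 1
            self.token_counts[label].update(toks)
            self.vocab.update(toks)
        self.total = sum(self.class_counts.values())

    def _log_likelihood(self, tokens, label):
        counts = self.token_counts[label]
        denom = sum(counts.values()) + len(self.vocab)  # smoothing denominator
        logp = math.log(self.class_counts[label] / self.total)  # class prior
        for tok in tokens:
            logp += math.log((counts[tok] + 1) / denom)  # unseen tokens get count 0
        return logp

    def threat_probability(self, text):
        toks = tokenize(text)
        log_odds = self._log_likelihood(toks, 1) - self._log_likelihood(toks, 0)
        return 1.0 / (1.0 + math.exp(-log_odds))  # posterior P(threat | tokens)


def handling_rule(prob, quarantine_at=0.9, review_at=0.5):
    """Rules layered on the model's probability (thresholds are constructed)."""
    if prob >= quarantine_at:
        return "quarantine"
    if prob >= review_at:
        return "flag_for_analyst"
    return "deliver"


# ---------- Unsupervised: learn normal traffic per sender, score deviations ----------

# Constructed history of normal mail: (sender, hour_sent, recipient_count, has_attachment)
NORMAL_TRAFFIC = [
    ("alice@corp.example", 9, 2, 0), ("alice@corp.example", 10, 1, 0),
    ("alice@corp.example", 11, 3, 1), ("alice@corp.example", 14, 2, 0),
    ("alice@corp.example", 16, 1, 0), ("alice@corp.example", 9, 2, 1),
]


class SenderBaseline:
    """Per-sender mean/std of each feature; anomaly score = sum of |z-scores|."""

    def __init__(self, history):
        rows_by_sender = defaultdict(list)
        for sender, hour, rcpts, attach in history:
            rows_by_sender[sender].append((hour, rcpts, attach))
        self.stats = {
            sender: [(mean(col), pstdev(col)) for col in zip(*rows)]
            for sender, rows in rows_by_sender.items()
        }

    def anomaly_score(self, sender, hour, rcpts, attach):
        if sender not in self.stats:
            return float("inf")  # no baseline for this sender: treat as anomalous
        score = 0.0
        for value, (mu, sigma) in zip((hour, rcpts, attach), self.stats[sender]):
            score += abs(value - mu) / (sigma if sigma > 0 else 1.0)  # constant feature guard
        return score


def is_anomalous(score, threshold=6.0):
    return score > threshold  # threshold is a constructed tuning value


if __name__ == "__main__":
    model = NaiveBayesThreatModel(TRAINING_EMAILS)
    for msg in ["please verify your password by clicking this link now",
                "meeting notes attached for review"]:
        p = model.threat_probability(msg)
        print(f"{p:.3f} {handling_rule(p):<17} {msg}")
    baseline = SenderBaseline(NORMAL_TRAFFIC)
    for args in [("alice@corp.example", 10, 2, 0), ("alice@corp.example", 3, 40, 1)]:
        s = baseline.anomaly_score(*args)
        print(f"{s:8.2f} anomalous={is_anomalous(s)} {args}")
```

The supervised half only knows what its labeled sample taught it, which is why a new, never-seen lure can slip past it; the unsupervised half flags anything that departs from a sender's own history, including a legitimate but unusual burst, which is why its output is best correlated with other signals and reviewed rather than acted on blindly.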
To conclude, Bauckman said that “machine learning does automate our ability to identify threats, and it goes beyond and builds on top of the other capabilities that we have.”
It also “allows us to have our limited resources of the human threat analyst focus in on the big, new evolving threats.”
However, Bauckman was quick to point out that machine learning on its own is not enough, and it must be used as a piece of a multi-layered defense approach. “It is not a panacea.”