{"id":29399,"date":"2018-11-12T19:18:04","date_gmt":"2018-11-13T00:18:04","guid":{"rendered":"https:\/\/digital.hbs.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/"},"modified":"2018-11-12T19:18:04","modified_gmt":"2018-11-13T00:18:04","slug":"symantec-using-machine-learning-to-improve-malware-research","status":"publish","type":"hck-submission","link":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/","title":{"rendered":"Symantec: Using Machine Learning to Improve Malware Research"},"content":{"rendered":"<p>Machine Learning (ML) has disrupted many industries \u2013 automotive, healthcare, robotics, and more<a href=\"#_ftn1\" name=\"_ftnref1\">[1]<\/a>. An interesting angle of this megatrend that has not been discussed in class is the way it affects cyber malware research.<\/p>\n<p>Traditionally, malware research is a labor-intensive task, requiring experienced and specialized researchers<a href=\"#_ftn2\" name=\"_ftnref2\">[2]<\/a>. Antivirus software, the most common type of endpoint security product, protects customers using \u201csignatures\u201d, a set of rules that recognize malware. A researcher comes up with an idea, codes it, tests it for false positives and false negatives, and finally deploys it. Valuable signatures identify an emerging trend or anomaly and find a generic way to detect all types of such malicious behavior. Malicious actors constantly change their tools to avoid existing signatures, so over-concentrating on a specific sample is futile.<\/p>\n<p>In recent years, the rise of cybercrime to $1 trillion USD annual losses pushed cybersecurity corporations to their limits<a href=\"#_ftn3\" name=\"_ftnref3\">[3]<\/a>. In order to effectively protect their customers, it was necessary to find a disruptive way to improve exponentially. 
A CB Insights research report paints a macro-level picture of the race among tech giants, which understand the potential of the new trend, to acquire AI cybersecurity startups<a href=\"#_ftn4\" name=\"_ftnref4\">[4]<\/a>.<\/p>\n<p>Symantec Corporation, a leading cybersecurity firm with a market cap of $14bn<a href=\"#_ftn5\" name=\"_ftnref5\">[5]<\/a>, adopted this approach with its Targeted Attack Analytics (TAA)<a href=\"#_ftn6\" name=\"_ftnref6\">[6]<\/a> platform for enterprise customers. In contrast to traditional methods, TAA is a cloud-based ML platform that helps Symantec\u2019s Security Operations Center (SOC) detect incidents and effectively resolve them. Early this year, Symantec exposed Thrip, a cyberespionage group, detected through a flag raised by TAA<a href=\"#_ftn7\" name=\"_ftnref7\">[7]<\/a>.<\/p>\n<p>TAA is essentially a new product development process for Symantec. Instead of relying on personal discovery of trends, an ML platform identifies incidents based on the huge data sources Symantec has access to: all its clients. As more incidents are analyzed, the model is retrained and improved. This new type of process allows Symantec to focus its expensive resource \u2013 researchers \u2013 on needles that have already been taken out of the haystack.<\/p>\n<p>Seeing the increasing challenges in the industry, Symantec decided to sell its Information Management division, Veritas, to The Carlyle Group<a href=\"#_ftn8\" name=\"_ftnref8\">[8]<\/a>, believing the split will help Symantec focus on its critical task \u2013 cybersecurity. In the medium term, Symantec is leading an expansion effort, such as launching a new SOC in India<a href=\"#_ftn9\" name=\"_ftnref9\">[9]<\/a>.<\/p>\n<p>Taking the global context and Symantec\u2019s actions into consideration, I propose two ideas that could help Symantec on its quest to protect its customers. First, Symantec should develop a platform that will allow independent analysts to perform research based on Symantec\u2019s TAA platform. 
This platform will crowdsource the identification &amp; recognition of incidents to individuals who want to contribute to the world\u2019s safety, much as Waze crowdsourced navigation. Privacy concerns should obviously be addressed, but this product could help Symantec skyrocket the number of trends and anomalies it detects. Using ML on the independent submissions could help Symantec researchers focus on significant trends that have already been flagged by a cheap workforce.<\/p>\n<p>Second, Symantec should strive to create data-sharing partnerships with the tech giants \u2013 Google, Microsoft and Apple. Symantec relies on their operating systems to provide value to its customers, but Symantec\u2019s products are handicapped \u2013 the tech giants give themselves favorable treatment and have more access to telemetry and relevant data. An example is Windows Defender Advanced Threat Protection<a href=\"#_ftn10\" name=\"_ftnref10\">[10]<\/a> \u2013 a service that Microsoft develops for its enterprise customers. To stay at the head of the cybersecurity industry, Symantec must position itself as a complementary solution that gives additional value over the baseline tech giant products. For that, Symantec needs more data.<\/p>\n<p>As we\u2019ve seen, in recent years Symantec has successfully harnessed the ML megatrend to its own advantage. However, cybersecurity is a cat-and-mouse game. Every technological advance by the defenders elicits a workaround by the attackers. How will attackers overcome the ML obstacle, and what should be the cyberdefense industry\u2019s next major step? 
(799 words)<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\">[1]<\/a> Daniel Faggella, \u201cArtificial Intelligence Industry \u2013 An Overview by Segment\u201d, Tech Emergence, September 16, 2018, <a href=\"https:\/\/www.techemergence.com\/artificial-intelligence-industry-an-overview-by-segment\/\">https:\/\/www.techemergence.com\/artificial-intelligence-industry-an-overview-by-segment\/<\/a>, accessed November 2018.<\/p>\n<p><a href=\"#_ftnref2\" name=\"_ftn2\">[2]<\/a> Adam Kujawa, \u201cSo You Want To Be A Malware Analyst\u201d, Malwarebytes Labs, September 18, 2012, <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2012\/09\/so-you-want-to-be-a-malware-analyst\/\">https:\/\/blog.malwarebytes.com\/security-world\/2012\/09\/so-you-want-to-be-a-malware-analyst\/<\/a>, accessed November 2018.<\/p>\n<p><a href=\"#_ftnref3\" name=\"_ftn3\">[3]<\/a> Kaspersky Labs, \u201cFrom a Hobby to an Industry\u201d, <a href=\"https:\/\/csr.kaspersky.com\/cybercrime\/en\/\">https:\/\/csr.kaspersky.com\/cybercrime\/en\/<\/a>, accessed November 2018.<\/p>\n<p><a href=\"#_ftnref4\" name=\"_ftn4\">[4]<\/a> CB Insights, \u201cCybersecurity Exits Timeline: Activity Remains Strong As Tech Corporates Target AI Startups\u201d, May 31, 2017, <a href=\"https:\/\/www.cbinsights.com\/research\/cybersecurity-exits-acquisition-merger-timeline\/\">https:\/\/www.cbinsights.com\/research\/cybersecurity-exits-acquisition-merger-timeline\/<\/a>, accessed November 2018.<\/p>\n<p><a href=\"#_ftnref5\" name=\"_ftn5\">[5]<\/a> Yahoo! 
Finance, NASDAQ:SYMC, <a href=\"https:\/\/finance.yahoo.com\/quote\/SYMC\/\">https:\/\/finance.yahoo.com\/quote\/SYMC\/<\/a>, accessed November 2018.<\/p>\n<p><a href=\"#_ftnref6\" name=\"_ftn6\">[6]<\/a> Symantec, \u201cTargeted Attack Analytics\u201d, <a href=\"https:\/\/resource.elq.symantec.com\/LP=5847?cid=70138000001MFtXAAW\">https:\/\/resource.elq.symantec.com\/LP=5847?cid=70138000001MFtXAAW<\/a>, accessed November 2018.<\/p>\n<p><a href=\"#_ftnref7\" name=\"_ftn7\">[7]<\/a> Security Response Attack Investigation Team, \u201cThrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies\u201d, Symantec, <a href=\"https:\/\/www.symantec.com\/blogs\/threat-intelligence\/thrip-hits-satellite-telecoms-defense-targets\">https:\/\/www.symantec.com\/blogs\/threat-intelligence\/thrip-hits-satellite-telecoms-defense-targets<\/a>, June 19, 2018, accessed November 2018.<\/p>\n<p><a href=\"#_ftnref8\" name=\"_ftn8\">[8]<\/a> Symantec, \u201cSymantec Completes Sale of Veritas, Now Singularly Focused on Cybersecurity\u201d, <a href=\"https:\/\/www.symantec.com\/about\/newsroom\/press-releases\/2016\/symantec_0129_01\">https:\/\/www.symantec.com\/about\/newsroom\/press-releases\/2016\/symantec_0129_01<\/a>, January 29, 2016, accessed November 2018.<\/p>\n<p><a href=\"#_ftnref9\" name=\"_ftn9\">[9]<\/a> Computerworld, \u201c\u2018SoC 3.0\u2019: Symantec beefs up Asia-Pacific cyber security with expanded Chennai SoC\u201d, <a href=\"https:\/\/www.computerworld.com.au\/article\/644630\/soc-3-0-symantec-beefs-up-asia-pacific-cyber-security-expanded-chennai-soc\/\">https:\/\/www.computerworld.com.au\/article\/644630\/soc-3-0-symantec-beefs-up-asia-pacific-cyber-security-expanded-chennai-soc\/<\/a>, August 1, 2018, accessed November 2018.<\/p>\n<p><a href=\"#_ftnref10\" name=\"_ftn10\">[10]<\/a> Microsoft, \u201cWindows Defender Advanced Protection\u201d, <a 
href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp\">https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp<\/a>, accessed November 2018.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As cybercrime grows, the defenders found a new tool for their arsenal: Machine Learning. Symantec implemented a creative approach that harnesses the power of ML to detect sophisticated actors in cyberspace.<\/p>\n","protected":false},"author":11859,"featured_media":29400,"comment_status":"open","ping_status":"closed","template":"","categories":[4428,4430,845,346,344,4429,4427],"class_list":["post-29399","hck-submission","type-hck-submission","status-publish","has-post-thumbnail","hentry","category-antivirus","category-cybercrime","category-cybersecurity","category-machine-learning","category-product-development","category-signatures","category-symantec","hck-taxonomy-organization-symantec","hck-taxonomy-industry-information-technology","hck-taxonomy-country-united-states"],"connected_submission_link":"https:\/\/d3.harvard.edu\/platform-rctom\/assignment\/rc-tom-challenge-2018\/","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Symantec: Using Machine Learning to Improve Malware Research - Technology and Operations Management<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Symantec: Using Machine Learning to Improve Malware Research - Technology and Operations Management\" \/>\n<meta property=\"og:description\" content=\"As cybercrime grows, the defenders found a new tool for their 
arsenal: Machine Learning. Symantec implemented a creative approach that harnesses the power of ML to detect sophisticated actors in cyberspace.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/\" \/>\n<meta property=\"og:site_name\" content=\"Technology and Operations Management\" \/>\n<meta property=\"og:image\" content=\"https:\/\/d3.harvard.edu\/platform-rctom\/wp-content\/uploads\/sites\/4\/2018\/11\/dlanor-s-703975-unsplash.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"5456\" \/>\n\t<meta property=\"og:image:height\" content=\"3064\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/symantec-using-machine-learning-to-improve-malware-research\\\/\",\"url\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/symantec-using-machine-learning-to-improve-malware-research\\\/\",\"name\":\"Symantec: Using Machine Learning to Improve Malware Research - Technology and Operations 
Management\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/symantec-using-machine-learning-to-improve-malware-research\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/symantec-using-machine-learning-to-improve-malware-research\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/wp-content\\\/uploads\\\/sites\\\/4\\\/2018\\\/11\\\/dlanor-s-703975-unsplash.jpg\",\"datePublished\":\"2018-11-13T00:18:04+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/symantec-using-machine-learning-to-improve-malware-research\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/symantec-using-machine-learning-to-improve-malware-research\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/symantec-using-machine-learning-to-improve-malware-research\\\/#primaryimage\",\"url\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/wp-content\\\/uploads\\\/sites\\\/4\\\/2018\\\/11\\\/dlanor-s-703975-unsplash.jpg\",\"contentUrl\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/wp-content\\\/uploads\\\/sites\\\/4\\\/2018\\\/11\\\/dlanor-s-703975-unsplash.jpg\",\"width\":5456,\"height\":3064},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/submission\\\/symantec-using-machine-learning-to-improve-malware-research\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Submissions\",\"item\":\"https:\\\/\\\/d3.harvard.edu\\\/platfo
rm-rctom\\\/submission\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Symantec: Using Machine Learning to Improve Malware Research\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/#website\",\"url\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/\",\"name\":\"Technology and Operations Management\",\"description\":\"MBA Student Perspectives\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/d3.harvard.edu\\\/platform-rctom\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Symantec: Using Machine Learning to Improve Malware Research - Technology and Operations Management","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/","og_locale":"en_US","og_type":"article","og_title":"Symantec: Using Machine Learning to Improve Malware Research - Technology and Operations Management","og_description":"As cybercrime grows, the defenders found a new tool for their arsenal: Machine Learning. Symantec implemented a creative approach that harnesses the power of ML to detect sophisticated actors in cyberspace.","og_url":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/","og_site_name":"Technology and Operations Management","og_image":[{"width":5456,"height":3064,"url":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-content\/uploads\/sites\/4\/2018\/11\/dlanor-s-703975-unsplash.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/","url":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/","name":"Symantec: Using Machine Learning to Improve Malware Research - Technology and Operations Management","isPartOf":{"@id":"https:\/\/d3.harvard.edu\/platform-rctom\/#website"},"primaryImageOfPage":{"@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/#primaryimage"},"image":{"@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/#primaryimage"},"thumbnailUrl":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-content\/uploads\/sites\/4\/2018\/11\/dlanor-s-703975-unsplash.jpg","datePublished":"2018-11-13T00:18:04+00:00","breadcrumb":{"@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/#primaryimage","url":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-content\/uploads\/sites\/4\/2018\/11\/dlanor-s-703975-unsplash.jpg","contentUrl":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-content\/uploads\/sites\/4\/2018\/11\/dlanor-s-703975-unsplash.jpg","width":5456,"height":3064},{"@type":"BreadcrumbList","@id":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/symantec-using-machine-learning-to-improve-malware-research\/#breadcrumb","itemListElement":[{"@type":"L
istItem","position":1,"name":"Home","item":"https:\/\/d3.harvard.edu\/platform-rctom\/"},{"@type":"ListItem","position":2,"name":"Submissions","item":"https:\/\/d3.harvard.edu\/platform-rctom\/submission\/"},{"@type":"ListItem","position":3,"name":"Symantec: Using Machine Learning to Improve Malware Research"}]},{"@type":"WebSite","@id":"https:\/\/d3.harvard.edu\/platform-rctom\/#website","url":"https:\/\/d3.harvard.edu\/platform-rctom\/","name":"Technology and Operations Management","description":"MBA Student Perspectives","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/d3.harvard.edu\/platform-rctom\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/hck-submission\/29399","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/hck-submission"}],"about":[{"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/types\/hck-submission"}],"author":[{"embeddable":true,"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/users\/11859"}],"replies":[{"embeddable":true,"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/comments?post=29399"}],"version-history":[{"count":0,"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/hck-submission\/29399\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/media\/29400"}],"wp:attachment":[{"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/media?parent=29399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/d3.harvard.edu\/platform-rctom\/wp-json\/wp\/v2\/categories?post=29399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}