WHITE PAPER | A Layman’s Guide to AI and Machine Learning

A Layman’s Guide to AI, Machine Learning and Its Importance to Endpoint Security

Making Sense of an Evolving Technology

Written by
Hal Lonas, CTO, Webroot
David Dufour, SVP Engineering, Webroot
George Anderson, Product Marketing Director, Webroot
Introduction

“Progress is impossible without change, and those who cannot change their minds cannot change anything.”
– George Bernard Shaw

Beginning around 2007, traditional endpoint security was becoming ineffective. Stopping infections was based around finding a user with an infection (patient zero), creating a detection signature (inoculation) and then updating every device to stop any further infections (eradication). The ineffectiveness was a direct result of the volume, variety, and velocity of infections. These factors completely overwhelmed the ‘patient zero’ approach. There were simply too many patients and not enough inoculations.

While patient zero vendors valiantly did more, and managed to stop whole ‘families’ of infection using heuristics and advanced signature detection techniques, the fundamental problem didn’t go away. Too many devices were getting infected and the cost of remediation was so significant that organizations were creating remediation re-imaging budgets just to cover infection costs.

As an industry, endpoint protection vendors needed to change their minds and do something new to change the game. Webroot was the first vendor to do so by introducing a totally new cloud-based way of countering malware with machine learning at its core.

In October 2011, Webroot launched Webroot SecureAnywhere® in the US retail consumer market. It was the first of the so-called ‘next generation’ endpoint security solutions, with a revolutionary architecture designed to harness machine learning and high automation to handle the volume and variety of attacks customers were facing.

Our considerable experience selling antivirus solutions meant we knew we had to change how we thought about predicting, preventing, detecting and remediating malware – and the best ways to do all of that given the threat landscape we faced. This brief guide will, we hope, provide you with both a snapshot of what Webroot does today to harness machine learning to predict, prevent and protect you against malware, plus give you a better understanding of why this technology is being put to use by next-gen vendors to try to differentiate themselves in a crowded endpoint security market.

Computers Replacing Humans

Webroot has been ‘doing machine learning’ for more than a decade, and we consider this a key differentiator for our own and our threat intelligence partners’ solutions. In fact, it’s highly likely your current organization is benefiting from Webroot machine learning via our BrightCloud® Threat Intelligence services, as we contribute near real-time threat intelligence (TI) data to over 85 other network and security vendors.

However, for many small to medium-sized businesses (SMBs), that doesn’t really seem to matter. They have probably heard the terms artificial intelligence (AI) and machine learning (ML), but aren’t sure how these advancements are keeping them safe. Then again, many of the managed service providers (MSPs) we help to provide SMBs with security services are not as knowledgeable about how this technology works, or how it helps their customers, either.

The phrase we hear a lot from our customers is ‘it just works’. MSPs focus on ‘real-life’ issues (not the how or why, but the what). They want to know: does the technology really work or not?

However, given the amount of ‘hype’ surrounding AI and machine learning, it’s worth knowing a thing or two about these efforts.

Artificial intelligence and machine learning are not the same thing. Marketing campaigns and news articles blur the line and often confuse people into thinking that they are. They are not, and it’s important to know the differences so you can understand how each helps to make your cybersecurity stronger.

What is artificial intelligence?

Artificial intelligence interacts with people, for instance emulating a human as a ‘chat bot’. The AI component is that interactive component, the thing you can touch, feel, and see. AI technology is very nascent in its cybersecurity application and we expect great things from it in the future. There are of course many hurdles still to be overcome in making a computer act like a human. Right now the programming is restricted to applications like driverless cars, but that is a defined set of circumstances and a singular application being programmed, and still it has involved a lot of software engineering.

True AI would be far more self-learning in its interactions. A good way to define it is that AI is the creation of software running in a machine that can ‘think and act independently’ and, in doing so, completely emulate a human being.

What is machine learning?

You can think of machine learning as artificial intelligence’s nerdy cousin. Machine learning models are designed to analyze data collected behind the scenes, with no human interface. Machine learning is the heavy science. It’s where all the data crunching takes place.

A good way to think of machine learning is as a subset of AI focused on using, as some vendors call it, ‘math’. But in reality we are talking about algorithms that self-learn and improve their findings and results without being explicitly programmed to do so. Machine learning is now used extensively in cybersecurity, but has an effective and proven track record with only a few vendors.
What about deep learning?

To be thorough, we need to mention deep learning. It’s another major technology that Webroot uses. Deep Neural Nets have been around since 1975, but only started to emerge around 2007 with the increased availability of affordable and powerful hardware. This subset of machine learning is about improving the ‘training’ of machine learning models further by mimicking the human brain with multi-layered neural networks to get ‘better’ models.

The best and only way to counter malware today

If you strip away the superfluous, the issues Webroot and others are trying to solve using machine learning are clear. Malware and other threats are constantly evolving, their volume is mostly increasing, and the ability to predict and stop zero-day threats is essential.

Machine learning is currently the best and, from Webroot’s perspective, only way to tackle these issues. With the right quality and quantity of data you can train and use machine learning to learn directly from data and predict the likelihood of malware, a behavioral anomaly threat, and lots more.

Machine learning is the best way to do this, as it adapts automatically to changing and evolving environments, a trait that’s so essential when today’s attacks are polymorphic and in constant change to avoid detection. Lastly, it’s an issue of scale. Because, unlike humans who are limited in capacity, get tired, make mistakes and get overcome by volume, machine learning is tireless, highly scalable and makes far fewer mistakes.

Generations of machine learning (figure):
1st Generation: Bayesian
2nd Generation: Support Vector Machines (SVM)
3rd Generation: Maximum Entropy Discrimination (MED)
4th Generation: Active Learning Combined with MED
5th Generation: Active Feedback Combined with MED and Active Learning

Fifth-Generation Machine Learning

Advanced machine learning using multiple sources means objects like URLs, IPs, files, apps and other data components are now classified far faster and more accurately than could be done by any human army of threat researchers. It allows Webroot to generate and host hundreds of classification models to cover different threat types and content languages. It allows us to publish millions of updates every day on new threats and reputations of existing URLs, IPs, apps and files.

Machine learning’s biggest plus is that it’s so highly automated. It requires minimal human interaction to produce the highly accurate and timely threat intelligence outcomes that our customers need across multiple threat vectors, often in milliseconds.

Because of Webroot’s very early adoption of machine learning, we have fully harnessed a fifth-generation machine learning approach to analyze and produce rich sources of contextual threat intelligence that directly increases the accuracy and capabilities of our own and other vendor partners’ security protection.

It’s All about Data

When it comes to machine learning and AI, it’s important that your vendor has experience and access to both current and historical data. Webroot is fortunate that, for a company of our size, we have disproportionately large access to both historical and current data to feed our models.

Webroot analyzes half a trillion security events per day, linking and pushing them through our models to enhance our analysis. We have a lot of access to information that new players in the cybersecurity space simply do not.

Data quality and volume are both vital to training up a model, but so is the processing power to make it actionable in a timely way.

Webroot uses AWS as our primary Infrastructure as a Service (IaaS) partner. We are currently their tenth largest data business worldwide. We also access the San Diego Supercomputer Center at the University of California, which lets us leverage up to 1 terabyte of RAM and 40-50 computing nodes for help with our modeling.

Out of all of this, Webroot publishes over 1,000 machine learning models per day that have typically used over 10 million data points and 20-50 million model parameters.

Why is that rate of modelling important? Well, timeliness is what allows us and our threat intelligence partners to consume and directly benefit from our machine learning models and provide our business customers with better cybersecurity.

Being actionable is an important Webroot edge, too. It’s pretty easy to tune new models, but not so easy to deploy the models in a way that allows customers to get meaningful, actionable data from them. Deploying models in the cloud allows us to react much more quickly than if we had to deploy them to endpoints.

What can be Achieved Today – Hype vs Reality?

For everyone reading this guide, this is generally what we’ve heard:

“Almost all of my technology decisions are based on whether it reduces headaches and is an innovative tool for my customers; so if machine learning does that, I’m all for learning more. I’d be happy to read up on it, but my customers don’t have time to read or care about it.”
At Webroot, we believe artificial intelligence and real machine learning are able to help all of our MSP, business, and threat intelligence partners in the following key areas:

»» Real machine learning and artificial intelligence help create new prediction, prevention, and detection capabilities for the security stack while at the same time decreasing costs and reducing the time to detect and remediate threats.
»» Real machine learning helps detect emerging, unexpected threat behaviors quickly, thereby helping security teams, or security orchestration solutions, take action.
»» Real machine learning delivers considerable value toward personnel augmentation by building on the skills of human analysts (e.g., it can automate remedial tasks, or simply work around the clock while employees go home and sleep).

Hype vs Reality

Unfortunately there is no shortage of hype around AI and machine learning. Here are a few of the ‘fake news’ items we’ve heard recently:

“Sixth-generation artificial intelligence.”
There’s no such thing. There is, however, a fifth generation of machine learning, and some companies like Webroot are testing sixth-generation capabilities as well.

“Data sources don’t matter.”
Actually, the source of data does matter. You know not to trust just any old fly-by-night vendor of anything to give you a solid product. You have to do your research and ensure a certain level of quality and reputation. The same should hold for threat intelligence vendors and the data they use and deliver.

“It doesn’t matter how long a company has been doing machine learning.”
How long a company has been working with machine learning and artificial intelligence is crucial. Quality models take time to tune, and historical data helps guide predictive assessments to prevent emerging and as-yet-undiscovered threats. You can’t spin up a new model and expect it to be effective in a week, or even a month. Maturity is a good thing.

This is by no means an exhaustive list of the misinformation out there, but it should provide you a good start against snake oil salesmen. Unfortunately, there is no silver bullet in cybersecurity. No single technology will stop 100 percent of threats.

Employees are going to click on malicious links and use recycled or easy-to-guess passwords, and cybercriminals are going to continue coming up with highly creative ways to get around defenses. After all, the threat landscape is unpredictable.

However, don’t be afraid to ask questions of your vendors to see how machine learning and AI are embedded into your security solutions to help protect customers and streamline your business. At the end of the day, you are providing a lifeline to your organization or security clients.

What You Need to Ask – Endpoint Security Vendors

So what sort of questions should you be asking, and how can you test the real benefits of machine learning technology against all of the buzz?

1. Ask questions about the data they learn from
How does the vendor get their data? Do they have historical data to track the behavior of a website or URL from the last 60 days, year, or 10-year period? How is the data fed into the security solution(s) they offer? How many attributes, or “features” in machine-learning speak, do they collect and use to classify things?

2. Ask questions about update frequency
While quality of data is paramount, so is the time it takes to turn that data into something useful and actionable. In cybersecurity, time is of the essence. So, how often does the vendor update their machine learning models? Ideally this should be done at least daily, if not multiple times a day. The longer the period between model updates, the larger the window of vulnerability and the opportunity for spectacular failure.

3. Ask questions about the depth of machine learning defenses they offer
Does the solution only offer protection against files or processes? If so, you probably want other security protection layers in place.

According to Verizon’s most recent Data Breach Incident Report 2018: “JavaScript (.js), Visual Basic Script (.vbs), MS Office and PDF tend to be the file types found in first-stage malware. They’re what sneaks in the door. They then drop the second-stage malware. In this case, it’s predominantly Windows executables…Once the first unwelcome guest is in, it’s much harder to catch the rest before they execute and wreck the place.”

Malware vectors in the same report were 92.4 percent email, 6.3 percent web and 1.3 percent other, so phishing and the depth of the other web defenses provided are critical too.

4. Ask how they handle unknown files and internet objects, and when and how threat researchers interact with the machine learning
We’re not yet to the point where machines can run without human oversight. Human threat analysts need to review unknowns, edge cases, and models’ overall behaviors. This is how they fine-tune the algorithms. Their oversight helps avoid false positives. Threat researchers should be thought of as machine learning’s teachers.

5. Ask how the product handles a threat that does get through
Does it track what took place on the computer? Can it roll the computer back to a pre-infected state? What is the extent of the remediation? For instance, one well-known vendor uses the Volume Shadow Copy Service (VSS) as the remediation back-up, a Windows area that is commonly the first place erased by ransomware or malware!

This is again not an exhaustive list, but it’s a good start. The thoughts to hang on to when considering AI and machine learning are:

»» Data quality, history, and volume are all key to training up an effective and efficient model.
»» Consumability, getting fast and easy access to the models, is vital so the security solution is providing timely and actionable protection.
Conclusion

It’s pretty easy for vendors to claim they use machine learning in some way. It’s not as easy to collect the right data, get accurate machine learning deployed, work out how to train and update models, tie in humans, and to allow customers to glean immediate and meaningful, actionable data from them.

For that reason, Webroot believes in a cloud-based machine learning approach with always-on prediction, prevention, detection and remediation. We did not want to be tied to the old self-contained antivirus model where every machine is an isolated island protected by a static defense. That simply means you breach one, you breach them all!

By monitoring continuously and collectively in real-time, everyone benefits from everyone else’s data immediately. This is particularly relevant in a world where everyone and everything is connected to the internet and events are happening at internet speed. Even if that internet connection is not possible, having alternative protection built-in that allows that device to run safely and securely until it reconnects is a highly secure way to operate.

For the past nearly seven years, Webroot has been effectively and efficiently protecting millions of consumers and hundreds of thousands of businesses using machine learning to predict and stop malware and lots of other threat vectors. The success of our approach is validated by the trust of not only our customers and their clients, but also many other security and networking vendors who rely on our machine learning and threat intelligence to help protect millions of their customers too.

About Webroot
Webroot was the first to harness the cloud and artificial intelligence to protect businesses and individuals against cyber threats. We provide the number one security solution for managed service providers and
small businesses, who rely on Webroot for endpoint protection, network protection, and security awareness training. Webroot BrightCloud® Threat Intelligence Services are used by market leading companies
like Cisco, F5 Networks, Citrix, Aruba, Palo Alto Networks, A10 Networks, and more. Leveraging the power of machine learning to protect millions of businesses and individuals, Webroot secures the connected
world. Headquartered in Colorado, Webroot operates globally across North America, Europe, and Asia. Discover Smarter Cybersecurity® solutions at webroot.com.

World Headquarters: 385 Interlocken Crescent, Suite 800, Broomfield, Colorado 80021 USA, +1 800 772 9383
Webroot EMEA: 6th floor, Block A, 1 George’s Quay Plaza, George’s Quay, Dublin 2, Ireland, +44 (0) 870 1417 070
Webroot APAC: Suite 1402, Level 14, Tower A, 821 Pacific Highway, Chatswood, NSW 2067, Australia, +61 (0) 2 8071 1900

©2018 Webroot Inc. All rights reserved. Webroot, SecureAnywhere, BrightCloud, FlowScape, and Smarter Cybersecurity are trademarks or registered trademarks of Webroot Inc. in the United States and other countries. All other trademarks are properties of their respective owners. WP_110718_US
