Machine Learning in the SOC—Part 2: Identify Your Use Cases


You don’t have to have been in the cybersecurity industry for long to feel the effects of “buzzword fatigue.” In our world, terms like artificial intelligence (AI) and machine learning seem to be everywhere. At every industry conference, the vendors to your left and to your right will claim to use these technologies. For buyers, the ubiquity of these terms raises an obvious question: if everyone is using AI, how do I decide which solution to use?

 The answer is two-fold: First, recognize that not all machine learning is created equal, and second, make sure you understand your use cases.   

When you see “machine learning” on a vendor’s feature list, it’s likely that the vendor is using a type of machine learning known as supervised machine learning. This type of machine learning relies on large labeled datasets to train a model. So, as the name suggests, some “supervision” is required. Supervised machine learning has become a popular approach because it is very effective at quickly identifying known cybersecurity threats, such as malware, since we have decades’ worth of data on malware and signatures (i.e., plenty of labeled data to work with).

Unfortunately, some threats, such as insider threats or targeted outside attacks, don’t have neatly labeled datasets for us to use to train models, which means that supervised machine learning just isn’t feasible. For these more complex threats, a different approach known as unsupervised machine learning is better suited. Unlike supervised machine learning, unsupervised machine learning looks at patterns within unlabeled datasets.

This type of machine learning is an excellent match for anomaly detection, and it’s exactly what powers Interset user and entity behavioral analytics (UEBA). Interset combines unsupervised machine learning with an additional layer of math to automatically compare and pinpoint behavior that’s out of the ordinary. This allows us to quickly look through billions of events and identify a small list of real threat leads for a SOC team to focus on investigating.
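To make the contrast between a rules-based threshold and a per-entity behavioral baseline concrete, here is a small added example. It is not Interset’s code and does not reflect its models; the scoring method (a robust z-score built from each user’s own median and median absolute deviation) and the event log are constructed for illustration only. The point it shows is the one made above: no labels are needed, each entity is compared to its own history, and the output is a short ranked list of leads rather than a flood of alerts.

```python
"""Toy unsupervised anomaly detector illustrating per-entity baselining.

Added example, not Interset's code. The robust z-score approach and all
sample values are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample event log: (day, user, bytes sent to external hosts).
# Bob is a legitimately high-volume user; Carol is normally quiet.
EVENTS = [
    ("d01", "alice", 12_000), ("d02", "alice", 11_500), ("d03", "alice", 13_200),
    ("d04", "alice", 12_400), ("d05", "alice", 11_900), ("d06", "alice", 12_800),
    ("d01", "bob", 850_000), ("d02", "bob", 910_000), ("d03", "bob", 880_000),
    ("d04", "bob", 870_000), ("d05", "bob", 905_000), ("d06", "bob", 890_000),
    ("d01", "carol", 3_000), ("d02", "carol", 2_500), ("d03", "carol", 3_400),
    ("d04", "carol", 2_900), ("d05", "carol", 3_100), ("d06", "carol", 2_700),
]

# Today's activity (constructed) to score against each user's own history.
TODAY = {"alice": 12_600, "bob": 920_000, "carol": 480_000}


def build_baselines(events):
    """Unsupervised step: no labels, only each entity's own history.

    Returns {user: (median, median_absolute_deviation)}.
    """
    history = defaultdict(list)
    for _day, user, value in events:
        history[user].append(value)
    baselines = {}
    for user, values in history.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baselines[user] = (med, mad)
    return baselines


def robust_z(value, med, mad):
    """Distance from the entity's norm in MAD units.

    1.4826 rescales MAD to a standard-deviation-like scale; the floor
    of 1.0 avoids division by zero for perfectly steady histories.
    """
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale


def score_today(today, baselines, threshold=6.0):
    """The 'additional layer of math': compare every user to their own
    baseline and return only the leads above the threshold, highest first.
    Each lead is (user, score, today_value, baseline_median)."""
    leads = []
    for user, value in today.items():
        if user not in baselines:
            continue  # first-seen entities have no history to compare against
        med, mad = baselines[user]
        z = robust_z(value, med, mad)
        if z > threshold:
            leads.append((user, round(z, 1), value, med))
    leads.sort(key=lambda lead: lead[1], reverse=True)
    return leads


def global_rule(today, limit=500_000):
    """A traditional fixed threshold, for comparison: one limit for everyone."""
    return sorted(user for user, value in today.items() if value > limit)


if __name__ == "__main__":
    baselines = build_baselines(EVENTS)
    print("fixed rule flags:", global_rule(TODAY))       # bob, every day
    for lead in score_today(TODAY, baselines):
        print("behavioral lead:", lead)                  # carol only
```

With these constructed inputs the fixed rule fires on Bob, whose volume is normal for him, and stays silent on Carol, whose 480,000 bytes sit just under the limit but are more than a hundred times her own baseline. The per-entity score flags only Carol, which is the kind of subtle, under-the-radar change UEBA is meant to surface.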

UEBA is well-suited for detecting threats that are subtle and “fly under the radar”—threats that traditional, rules-based security approaches often miss because they don’t follow known patterns of attack. We work alongside a variety of organizations on a daily basis and see that customers are dealing with very complex security use cases. We see organizations struggling to detect threats like:  

  • Data exfiltration or IP theft, where someone removes files from your network.
  • Persistence, where someone uses sophisticated techniques to gain access to your system and remain inside for an extended period of time.
  • Defense evasion, where someone is trying to get around your defenses and avoid being seen.
  • Zero-day vulnerabilities, where the threat isn’t known yet.
  • Discovery, where someone has infiltrated your systems and is trying to get the lay of the land and gain information about the operating system, hardware, security software, accounts, etc. 

These types of threats can be incredibly complex to detect and almost certainly require the help of machine learning. This is where understanding the different types of machine learning can help tremendously. If you understand the problem you need to solve, you’ll be in a much better position to select the right tool for the job.   

Of course, keep in mind that there’s no single best algorithm that can be a silver bullet for all your security needs. Deep learning, neural networks, and Bayesian methods all receive widespread attention, but the best algorithm for the job at hand depends on the specific dataset and use case. Start at the beginning and make sure you’re covering all of your bases.

Learn how Micro Focus can protect your business by arming your SOC with powerful machine learning by visiting, or see our new SecOps video, "Use Cases for Machine Learning in the SOC."

 Read the first entry in this blog series: Machine Learning in the SOC—Part 1: Speed Up Your SecOps. 
