Bob Klein, Machine Learning Expert at BluVector (Acuity Solutions): Nick’s Newsletter No. 35

Sign up for my newsletter to see more interviews with the biggest names in cybersecurity.

This week I got some pretty exciting news. I received and accepted an offer to work at JMI Equity in Baltimore, starting in late February (I graduate in December). JMI is a growth equity shop that’s been around since 1992 and specializes in enterprise software. The analyst role is primarily a sourcing role and it looks like I’ll be able to work significantly with the security team.

I wanted to say THANK YOU SO MUCH to all the people (and there were a lot of you) who helped me on my job hunt. This is a great opportunity for me and I’m really excited to get to work. Now back to the newsletter.

This week I spoke to Bob Klein, a data scientist and software developer for the BluVector product of Acuity Solutions (Acuity is an entity within Northrop Grumman). Bob completed his Bachelor of Science in Mechanical & Aerospace Engineering from Princeton and then completed his Master of Science in Aerospace, Aeronautical and Astronautical Engineering from MIT. Bob recently gave a presentation at Black Hat entitled Defeating Machine Learning: What Your Security Vendor is Not Telling You. Bob and I discuss machine learning in BluVector and in security in general in the interview below.

How were Acuity and BluVector formed?

BluVector is a network security platform that’s been in development for several years. BluVector, which is Acuity’s flagship product, was “inspired” by a set of malware genome research projects for “not-to-be-disclosed” government agencies 4.5 years ago. Acuity Solution Corporation, a wholly owned subsidiary of Northrop Grumman Corporation, was founded earlier this year to bring BluVector to market.

Can you explain what BluVector does?

BluVector is a security appliance that sits at the network level – it monitors traffic and issues alerts, and is built for in-memory analysis of high volume web traffic on network data links. BluVector provides static analysis at line speeds, and we integrate with other malware analysis engines such as sandboxes that can provide dynamic analysis as well. The biggest problem that BluVector tries to solve is detection of zero-day threats. I work on “Hector”, which is the piece of BluVector that uses machine learning to identify file-based attacks of numerous types, e.g. PDF, Microsoft Office document, or executable.

What makes Hector different from other machine learning platforms?

The term “machine learning” is thrown around pretty liberally and the reality is that machine learning in security doesn’t just mean one thing. I will say, however, that properly applied machine learning in security is a huge step forward. We’ve developed what we call “In Situ” learning, which describes how we deploy machine learning in Hector.

In-Situ learning started with the theory that you need to look at your defenses from the hacker’s perspective. The problem is that most of the existing machine learning deployments are the same, and so once a hacker breaks through one, he can break through all of them. Take the following analogy: if each user is a building, the security vendor is a locksmith and the security solution is the lock. The locksmith is selling identical locks to everybody. Once a hacker breaks through one, he has access to the whole city.

This may be a bit extreme, but this is essentially how the security industry has functioned for a while, and now people are doing this same thing with machine learning (although the locks are a bit fancier). With BluVector we’re offering different locks and we’re changing our locks. This is what we mean when we say we’ve developed a “moving defense.”

My impression was that machine learning inherently implied “moving defense” because as more attacks try to penetrate its defenses, it continuously adapts and gets smarter. Is that accurate?

This is a common misconception. Incremental algorithms continuously update themselves, whereas batch algorithms require that all training be performed at once. Most machine learning applications out there today are using batch algorithms. Vendors curate these large data sets, run them through their algorithms in a lab, and push out updates to their customers.

What potential applications of machine learning in security are you excited about?

It’s hard to say because machine learning seems to have applications in virtually every field; if you can find a new data source you can find a new application. However, one interesting application involves threat intelligence. Threat intelligence feeds aren’t intended to be used out of the box; they need to be “massaged” a little bit. If one user uploads malware to Dropbox for instance, certain feeds might label Dropbox.com as malicious. Machine learning could potentially go through these feeds and separate the signal from the noise.

You have an amazing resume, you studied Mechanical and Aerospace Engineering at Princeton and you got your master’s in Aeronautics and Astronautics from MIT, where you studied machine learning algorithms. You could’ve worked anywhere. Why’d you choose Northrop Grumman?

I’ve always had a passion for aviation. At Princeton I didn’t know whether I wanted to study aerospace or computer science; however, the aerospace program is pretty broad and the Control Theory major in the aerospace program incorporated both aerospace and computer science. It’s hard to describe without getting too technical, but at the highest level, control theory is about applying certain controls to a system to achieve a desired output. At grad school, I studied machine learning at a high level. When I finished, I was very interested in applications of machine learning in the real world and I jumped at the chance to come to Northrop Grumman, where I helped develop BluVector. I’m excited to help bring it to market at Acuity Solutions Corporation.

The News:

Taking Stock: Ranking the Next Billion-Dollar CyberSecurity Markets

  • Menlo Ventures’ Venky Ganesan lists breach analytics, automated incident response and mobile security among his picks for the next major cybersecurity markets.

Teen Who Hacked CIA Director’s Email Tells How He Did It

Obama Won’t Seek Access to Encrypted User Data

  • Obama backs down on his push to require companies to build in “backdoors” that would allow the government access to encrypted information. The administration acknowledged that building these backdoors would create an opening that hackers could exploit.

a16z Podcast: Dell + EMC — Why the Python Just Ate the Cow

  • A16Z’s Peter Levine, Actifio Founder and CEO Ash Ashutosh, and Cumulus Networks Co-founder and CEO JR Rivers all seem to agree that the Dell-EMC deal makes sense for a few reasons: (1) the deal brings together two of the top technology sales forces in the world and there’s no shortage of cross-selling opportunities, and (2) if Dell wants to continue to exist selling low-margin products, they need to focus on volume and become the WalMart of their space.

Trend Micro Acquires HP TippingPoint

  • HP is selling the IPS provider for $300M in advance of HP’s split.

A new company is launching a product that puts a dollar value on cyber risk

  • PivotPoint Risk Analytics, which launched this past week, will tell organizations how much a potential breach would cost, and how adding different security products or controls may alter that figure.

Cytegic Secures $3 Million in Second Angel Financing Round

  • The Israeli company provides cyber risk management and analysis products.

illusive networks Raises $22Mn to Fund Cyber Deception Technology

  • The round was led by NEA with participation from Bessemer and Citi. The company protects against targeted attacks by creating an “alternate reality” full of unreliable information for hackers that breach network perimeters.

Unrelated to Security:

Watch Out, VCs: Chris Farmer Plans To Massively Disrupt The Industry

  • The former General Catalyst Venture Partner has created the investment firm SignalFire, which has a data analysis engine that tracks the companies and sectors that engineers are flocking to, and those that they are running away from. Farmer talks a big game, saying there’s “no VC anywhere that has close to this fire power.”

The subprime ‘unicorns’ that do not look a billion dollars

  • Using the example of Theranos, legendary investor Michael Moritz argues that although it’s easier to give the illusion of invincibility as a private company, “a light will eventually illuminate dark places.”