In a digital threat landscape where businesses are constantly playing catch-up with new attack vectors and vulnerabilities, the best defense they have is the same thing that makes them such an appealing target for hackers: a mountain of data. Sure, you’ve got endpoint protection and encryption software. And you’ve got your IT and security departments overseeing infrastructure and network monitoring platforms in order to run incident response on any malicious activity or intrusions. But, beyond these reactive measures, other enterprises and security vendors are employing artificial intelligence (AI) to take a proactive approach.
By using machine learning (ML) algorithms and other AI techniques to identify data patterns, vulnerable user behaviors, and predictive security trends, companies are mining and analyzing the wealth of data at their disposal to hopefully stop the next breach from happening.
“We have giant collections of files: petabytes of files we know are not malicious and petabytes that happen to be malicious,” said Rick Howard, Chief Security Officer of enterprise security company Palo Alto Networks. “ML is teaching programs to find the malicious part, without us having to list all the factors they’ve been looking for.”
Howard was part of a recent panel called “Securing Breakthrough Technologies – The Next Five Years,” in which the panelists discussed the evolving challenges facing the security landscape, and how ML and automation are changing the way we identify and respond to threats. The panel was part of a recent cybersecurity summit held at the Nasdaq MarketSite in New York City’s Times Square in honor of National Cyber Security Awareness Month (NCSAM). It was hosted by Nasdaq and the National Cyber Security Alliance (NCSA). Event sponsors Cisco, Dell, Palo Alto Networks, and ServiceNow, cybersecurity company Tenable, and Wells Fargo provided panelists to the summit.
Automating Your Defenses
AI is ever-present in modern software. Virtual assistants, chatbots, and algorithm-driven recommendations pervade consumer applications and online experiences. Meanwhile, businesses are applying ML and other AI techniques to every bit of data they collect—from customer relationship management (CRM) and sales data to every click and preference that comprises user behavior.
Security data is just like any other data set you feed into ML models. The more data you give it and the better you train it, the more accurate the AI will be at not simply identifying patterns but extracting the right information to give you a predictive edge. Successfully adopting AI techniques requires a clear vision of the problems you’re aiming to solve. When it comes to incident response, it’s important to know what ML is and what it isn’t, according to Renaud Deraison, co-founder and CTO of Tenable.
“Machine learning means training [an AI] a million times with a million variations so the next time a computer encounters a situation, it knows what to do,” Deraison said. “This doesn’t make it able to invent something. We’re not at the stage where we can say ‘okay computer, just protect me.'”
The goal is for AI-infused cybersecurity software to completely automate prediction, detection, and response. Ron Zalkind, CTO of Cisco Cloudlock, discussed how Cisco’s Umbrella cloud security platform resolves DNS [domain name service] issues by applying ML to its massive database of consumer and enterprise activity to identify when a bad actor is attempting to flood a DNS with a distributed denial-of-service (DDoS) attack. Using an example like the historic Mirai botnet DDoS that hit DNS provider Dyn last year, Zalkind said the idea is to resolve that DNS query as a bad destination and automate locking in order to cut off traffic from the malicious domain.
From left: NCSA Executive Director Michael Kaiser, ServiceNow Security CTO Brendan O’Connor, Palo Alto CSO Rick Howard, Dell’s David Konetski, Cisco Cloudlock CTO Ron Zalkin, and Tenable CTO Renaud Deraison.
The sad truth is, hackers and adversaries are winning. Brendan O’Connor, Security CTO at ServiceNow, said we’ve seen tremendous innovation in prevention and detection but that the security industry has lagged behind when it comes to automated response. AI is helping vendors make up that ground.
“When we look at how we do response today, it fundamentally hasn’t changed in the past 10 years,” said O’Connor. “The most harmful breaches happening aren’t ninjas dropping from the ceiling like Mission Impossible. We’re not forcing attackers to get better or adapt. If a vendor has been unable to patch [a vulnerability] for 30 or 60 or 90 days, they haven’t rotated credentials and passwords. An attacker can just download a tool from the internet and exploit an old vulnerability.”
O’Connor and Howard agreed that oftentimes attackers are simply using a more advanced class of technology. Modern malware botnets are highly resilient and difficult to take down one computer or node at a time. Attackers have embraced the cloud and are using it as a platform to attack businesses. “Cyber-adversaries have automated their processes, and we’re still dealing with that as humans in a back room,” said Howard.
ML fights automation with automation. Algorithms analyze vast data sets to look at the prevalence of a flaw, its ease of implementation, and a host of other factors. This analyzing helps enterprises prioritize which one of the many patches they need to deploy should be focused on first.
The Future of Predictive Security
Automation and predictive analysis in cybersecurity have been around for a long time. But advances in AI over the past several years have changed how this works throughout a company’s entire tech stack. After the panel, PCMag caught up with Dell’s David Konetski. He is Fellow and Vice President of Client Solutions in the Office of the CTO. Dell has been doing AI and ML research for years, for things such as predictive failure analysis, systems orchestration, and device management. Konestki explained how Dell’s AI efforts have evolved as well as some of the innovative work the company is doing in predictive security. The work involves malware analysis, user behavior analytics, and anomaly detection.
“We were one of the first to do predictive failure analysis,” Konestki said. “We realized there’s a lot of instrumentation in the boxes, and management systems get a tremendous amount of data about what’s going on in the network. Shouldn’t you be able to tell when the battery or hard drive might be failing?”
Predictive failure analysis started with corporate customers before being rolled into Dell’s customer services, with additional automation such as email triggers telling a customer to order a new battery while it’s still covered by their warranty. In the security world, that predictive ML is now applied to advanced threat protection (ATP). In 2015, Dell partnered with AI-based threat protection company Cylance to go beyond simply tagging a file as malicious. Instead, they look at the DNA of a file to determine its intent before it ever runs.
“We’ve taken our data protection capabilities and have advanced that environment to now protect data at the point of origin, as it moves, and put some access control around it so that you now know, as an IT person, where all your data is being used in the world, by whom, and how. That’s never been possible before,” said Konetski.
“How do you do that? You look at the behavior of the software,” Konetski continued. “Is the software doing things in a strange or malicious pattern? That was the first generation of behavior analytics. And now the next generation becomes looking at not only that but your personal behavior or the machine’s behavior, depending on whether it’s IoT or personal computing. The AI is looking for anomalous behavior that might be okay, but as a CTO, if I’m accessing all of our customer data, I may get flagged with an alert like ‘Do you realize what you’re doing, yes or no?’ And that way, the user gets trained and knows that the system is watching.”
That next step involves using AI with user behavior analytics to more proactive stem cybersecurity risks from inside an organization. Human error is often the source of breaches and vulnerabilities, be it a default password, a successful spear-phishing attempt, or in the case of the recent Amazon S3 outage, a typo.
For a company such as Dell that needs to address vulnerabilities in the entire hardware and software stack, focusing on the user and leveraging AI to stem potential threats at their source is a more efficient way to put that data to work. It’s not just about what the ML algorithms are detecting externally and the predictive threat mitigation capabilities AI provides. The other side of this is turning that data into natural, internal reminders for employees within your organization.
“Whether it’s consumer or enterprise, if I can give you a little alert and say ‘Are you sure you want to make that next click? We’ve detected a pattern that has been identified as potentially malicious.’ That’s user behavior analytics combined with knowledge of attack patterns,” explained Konestki.
Dell is also working to use the context of the user and the machine to make smart decisions about what you have access to. A managed enterprise solution launched this year called Dell Data Guardian has what Konestki called “early” access control capabilities that will evolve into a more in-depth way to protect network infrastructure. Imagine AI knowing who you are, what device you’re on, where you are in the world, and classifying that data with ML to make smart access control decisions.
“So today, if you’re in an Eastern European country trying to get access to data in Austin, Texas, there’s something funny going on. Simple things like that we can do today,” said Konestki. “Going forward, maybe I only want to give you read-only access. Maybe I want to give you remote access so I’m hosting an application in my data center and I’m just going to give you a view through an HTML5 browser. Maybe I see you’re on your corporate device behind the firewall and everything is patched so I give you a key.
“The important part, and what AI and ML enable us to do, is to do all of this transparently to the end-user. So, when you’re looking for access to that file, you don’t realize we have all these controls in the background; it all looks seamless to you.”