Use AI to beat the bad guys
As we enter the back half of 2021 there are two top cybersecurity headlines, and they’re both sobering. One, even large organizations now suffer cyberattacks as a near-daily fact of life -- not just mid-sized businesses with resource-strapped SOCs (Security Operations Centers), which historically felt the most pressure.
Two, prevention-forward defense strategies no longer inspire confidence. Malicious, innovative use of AI to find and exploit fruitful attack vectors sees to that. AI has rendered many old go-to defenses less effective, namely firewalls and SIEM (security information and event management) solutions. The third headline, however, is cause for optimism. AI works for cyber defense, too. In the current environment, if you are not leveraging AI to defend your organization, it isn’t optimally defended. Period. I see AI as our greatest ally to create a secure future.
The Bad Guys Will Get In
An AI-assisted cyberassault can change its attack vector with dizzying frequency. Cloud networks, distributed workforces, and the plethora of personal devices across the modern enterprise simply present too many potential entry points. Bottom line: a motivated, skilled, and persistent cyberattacker will always find a way inside your systems. There are simply too many available pathways.
The first and traditional line of defense, the company firewall, is no match for these ever-changing, AI-driven threat behaviors. In many ways a firewall is like having a regular seasonal flu shot to protect against a unique virus. Real protection requires a targeted vaccine. A generic defense against a specialized, intelligent enemy lends a false sense of security.
To mitigate the cavalcade of recent breaches, we need to change our mindset. The real security solution is to accept that breaches will happen and pivot to limiting the damage they cause, relegating them to relatively minor inconveniences, not the catastrophic events many recent breaches have become.
Finding Needles in Haystacks
With the assumption that hackers will find their way inside a target system one way or another, the next question is: how do you find the proverbial needles in the haystack? SIEM solutions have historically been assigned that task. But a single haystack is a poor metaphor for the modern enterprise. It’s more like the whole farm. From the cloud to IoT devices to the various users and their devices, a myriad of resources and connections complicates things exponentially. It is no longer an effective defense to pipe all your data into a SIEM and hope for correlated threat detections to pop out -- not that they ever materialized for most enterprises anyway.
The unfortunate reality is that most SIEM deployments are merely expensive log collection solutions that chip away at compliance mandates. Even when organizations can manage all the soft costs of SIEM, the reality is that SIEM correlation alone isn’t up to the task of defending the enterprise.
SIEM is increasingly being displaced by task-optimized AI/ML-based threat detection and response solutions that better address today’s security operations challenges. After all, why reinvent the wheel in the SIEM when modern, effective alternatives are faster, better, and cheaper? AI techniques can perform analysis at speeds and scale that humans alone simply cannot achieve, creating detection capabilities that have long-term utility and high accuracy. By leveraging AI-driven behavioral models and machine learning, a threat detection and response platform will improve efficacy far beyond SIEM capabilities.
AI-enabled security solutions pinpoint affected assets by combining telemetry from the cloud, threat intelligence, and other sources with high-fidelity metadata extracted from packets captured on the wire. Unlike SIEM-based solutions, AI can follow an attack across environments, monitoring cloud and network behaviors in real time and feeding analysts actionable security intelligence. This makes AI the candidate to execute the defense missions previously envisioned for the SIEM (plus a significant number of new ones), with greater efficacy and at lower cost.
Empowering AI to Be the Hero
Leveraging AI and the cloud together enables detection of complex and subtle attack tactics, such as hiding malware within legitimate communications. Recognizing such enemy moves at speed is beyond the practical reach of manual analysis, which requires significant prior knowledge of the attack type and its location, knowledge that is usually unavailable. Static signatures can only ever point to specific instances of known threats, whereas AI platforms can automatically detect hidden attacker behaviors and in-progress threats -- and respond instantly to keep them from becoming data breaches.
To support and help AI learn, threat researchers identify targeted threat behaviors and provide examples, data scientists build and test models, and together they curate datasets for model training. With these resources, an AI tool is well equipped to recognize known patterns to identify threats rapidly.
Even greater value is found in deployment of unsupervised AI models that learn purely from local, direct observation. When given access to anonymized security-specific metadata from several companies using one platform, an AI-powered security solution can learn to distinguish what "normal" traffic looks like using neural networks to autonomously analyze and identify the subtle malicious indicators. With the use of huge datasets of anonymized/encrypted traffic via the cloud, AI can learn the differences between normal and malicious activity -- independently, without requiring human input.
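The "learn what normal looks like, then flag deviations" idea in the two paragraphs above can be made concrete with a small unsupervised baseliner. The following is an added illustration written for this article; it is not Vectra's product code and makes no claim about how any vendor's models work. It assumes a flow record is a (source host, destination, bytes sent) tuple, derives three per-host features (bytes out, flow count, distinct destinations), learns a population baseline with robust statistics (median and median absolute deviation, so a few noisy hosts cannot skew it), and reports a host only when several features deviate at once. The threshold of 3.5 on the modified z-score and the two-feature rule are design assumptions; all flow data is constructed.

```python
"""Unsupervised behavioural baselining over per-host network flow metadata.

Added illustration for this article, not Vectra's product code. A baseline
of "normal" is learned from one observation window using robust statistics
(median and median absolute deviation, MAD) so that a few noisy hosts do not
distort it; hosts in a later window are flagged when several features deviate
at once. All flow records below are constructed sample data.
"""
import statistics
from collections import defaultdict

# Features derived per source host from raw flows (assumed feature set).
FEATURES = ("bytes_out", "flows", "unique_dsts")


def constructed_normal_flows():
    """Constructed sample: ten workstations talking to three internal servers."""
    flows = []
    for i in range(1, 11):
        host = f"ws{i:02d}"
        for j in range(3 + i % 3):            # 3 to 5 flows per host
            flows.append((host, f"srv{j % 3 + 1}", 1_000 + 50 * i))
    return flows


BASELINE_FLOWS = constructed_normal_flows()

# Later window: same normal behaviour, plus two deviations (constructed):
#  - ws03 pushes large volumes to twenty never-seen external hosts
#  - ws07 sends one big upload to a known server (benign backup-like traffic)
OBSERVED_FLOWS = constructed_normal_flows() + [
    ("ws03", f"ext-{k:02d}", 50_000) for k in range(20)
] + [("ws07", "srv1", 200_000)]


def host_features(flows):
    """Aggregate (src, dst, bytes) records into one feature row per source host."""
    agg = defaultdict(lambda: {"bytes_out": 0, "flows": 0, "dsts": set()})
    for src, dst, nbytes in flows:
        rec = agg[src]
        rec["bytes_out"] += nbytes
        rec["flows"] += 1
        rec["dsts"].add(dst)
    return {
        host: {"bytes_out": r["bytes_out"], "flows": r["flows"],
               "unique_dsts": len(r["dsts"])}
        for host, r in agg.items()
    }


def fit_baseline(feature_rows):
    """Learn (median, MAD) per feature across hosts; no labels are needed."""
    baseline = {}
    for feat in FEATURES:
        values = [row[feat] for row in feature_rows]
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values) or 1.0  # guard MAD == 0
        baseline[feat] = (med, mad)
    return baseline


def robust_z(value, med, mad):
    """Modified z-score; 0.6745 rescales MAD to the std. dev. of a normal distribution."""
    return 0.6745 * (value - med) / mad


def score_hosts(features, baseline, threshold=3.5):
    """Score every host on every feature and list the features above the threshold."""
    results = {}
    for host, row in features.items():
        scores = {f: robust_z(row[f], *baseline[f]) for f in FEATURES}
        results[host] = {
            "scores": scores,
            "anomalous_features": [f for f in FEATURES if scores[f] > threshold],
        }
    return results


def detect_anomalies(baseline_flows, observed_flows, threshold=3.5, min_features=2):
    """Hosts whose observed behaviour deviates on at least min_features features."""
    baseline = fit_baseline(list(host_features(baseline_flows).values()))
    scored = score_hosts(host_features(observed_flows), baseline, threshold)
    return sorted(h for h, r in scored.items()
                  if len(r["anomalous_features"]) >= min_features)


if __name__ == "__main__":
    print(detect_anomalies(BASELINE_FLOWS, OBSERVED_FLOWS))  # ['ws03']
```

Requiring agreement across several features is what keeps ws07's single large upload (one feature out of line) from paging an analyst, while ws03, which is simultaneously talking to many new destinations, opening far more connections and sending far more data, is reported. In practice the baseline would be refreshed per window and per host group, and the features would be richer, but the structure is the same: no labelled attack examples are needed to learn it.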
Cyberattacks are the new normal, but damage of the kinds seen so far in 2021 can be mitigated in future if we change our mindset. We need to stop thinking in terms of "preventing cyberattacks" or "keeping attackers out." Prevention is a losing battle. But for an enemy intruder, penetrating a target environment can be easier than actually harvesting valuable information from the inside. Well-trained, well-supported AI solutions can make it harder still to make cybercrime pay.
Over time, I am confident the advantage will shift to the defenders.
Hitesh Sheth is the president and CEO of Vectra. Previously, he held the position of chief operating officer at Aruba Networks. Hitesh joined Aruba from Juniper Networks, where he was EVP/GM for its switching business and before that, SVP for the Service Layer Technologies group, which included security. Prior to Juniper, Hitesh held a number of senior management positions at Cisco. Before Cisco, he held executive and engineering management positions at Liberate Technologies and Oracle Corporation. Hitesh started his career as a Unix programmer at the Santa Cruz Operation. He holds a BA degree in Computer Science from the University of Texas at Austin.