Smarter Security Addresses Evolving Threats
Artificial intelligence and data analytics are improving the performance of endpoint security solutions.
- by Calvin Hennick
- Business and technology journalist | January 03, 2019
Cyberthreats are growing more ambitious every day. With the help of automation, cybercriminals can launch huge numbers of attacks capable of holding organizations’ data for ransom, disrupting business operations, exfiltrating sensitive information or even simply allowing malicious actors to lurk inside an environment and search for opportunities.
The situation has evolved to the point where organizations cannot reasonably expect to keep out all threats. In essence, a breach is inevitable.
Fortunately, security solutions are evolving as well. For years, organizations have deployed behavioral analysis tools capable of detecting zero-day threats alongside signature-based tools that stop known malware. Now, cybersecurity vendors are also incorporating artificial intelligence (AI) and advanced data analytics to improve threat detection and accelerate incident response.
“As a defender, it’s an exciting time,” says Rick McElroy, head of security strategy for Carbon Black. “We’ve got new tools on our side that are hopefully putting us back in a position of advantage.”
Emerging security solutions go beyond passive scanning for malicious behavior: their models are trained on huge data sets to recognize attack patterns, and the tools then actively hunt for endpoint and network activity, sometimes innocuous-looking on its own, that fits those patterns. “By bringing more data to the table, we can get false positive rates down, we can detect more threats, and we don’t rely as heavily on pushing signatures out, so there’s less lag time,” says Sven Krasser, chief scientist for CrowdStrike. “Machine learning has been here for a while, but the novel thing is the amount of data we can analyze now. You have a lot more information to work with.”
A New Class of Tools
“The number of malicious files is almost infinite,” says Frank Dickson, research vice president for cybersecurity products at IDC. “But malicious activity is reasonably finite. We know what that looks like. If we monitor activity for maliciousness, we can stop those kinds of activities.”
Dickson explains that state-of-the-art security solutions incorporate endpoint agents, network sensors and analytics tools to piece together often-complex attack incidents. “By correlating all this activity, we can say, ‘This happened on this endpoint, and that reached out to this network piece, and that reached out to somewhere over the internet to a foreign IP address that is known for malicious activity,’” he says.
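The correlation Dickson describes, joining endpoint process telemetry to network-sensor connections and checking destinations against a list of known-malicious addresses, looks roughly like the following. This is an added illustration, not code from the article or from any vendor it names. All events, host names, process images and the "known bad" address ranges (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Added example: correlating constructed endpoint and network telemetry against a
constructed list of known-malicious IPs to reconstruct an attack chain.
Not code from the article or from any vendor named in it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed (hypothetical): documentation-only ranges stand in
# for "a foreign IP address that is known for malicious activity".
KNOWN_BAD_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class NetworkEvent:
    host: str
    pid: int
    dst_ip: str
    dst_port: int


# Constructed endpoint-agent telemetry: on ws01 a document viewer spawns a script
# interpreter, which spawns a downloader. ws02 is ordinary browsing.
PROCESS_EVENTS = [
    ProcessEvent("ws01", 400, 1, "explorer.exe"),
    ProcessEvent("ws01", 612, 400, "winword.exe"),
    ProcessEvent("ws01", 700, 612, "powershell.exe"),
    ProcessEvent("ws01", 733, 700, "update.exe"),  # constructed downloader
    ProcessEvent("ws02", 410, 1, "explorer.exe"),
    ProcessEvent("ws02", 520, 410, "chrome.exe"),
]

# Constructed network-sensor telemetry, joined to processes by (host, pid).
NETWORK_EVENTS = [
    NetworkEvent("ws01", 733, "203.0.113.77", 443),  # on the bad list
    NetworkEvent("ws02", 520, "192.0.2.10", 443),    # benign, not listed
    NetworkEvent("ws01", 612, "192.0.2.20", 80),     # benign, not listed
]


def is_known_bad(ip: str) -> bool:
    """True when the destination falls inside any listed malicious range."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_NETWORKS)


def build_process_index(events):
    """Index processes by (host, pid) so a connection can be tied to its process."""
    return {(e.host, e.pid): e for e in events}


def ancestry(index, host, pid, max_depth=16):
    """Walk parent links from pid to the root, returning image names root-first.
    max_depth guards against cycles in malformed telemetry."""
    chain = []
    key = (host, pid)
    while key in index and len(chain) < max_depth:
        proc = index[key]
        chain.append(proc.image)
        key = (host, proc.ppid)
    return list(reversed(chain))


def correlate(process_events, network_events):
    """One alert per connection to a known-bad IP, with the full process
    ancestry on that endpoint attached for the analyst."""
    index = build_process_index(process_events)
    alerts = []
    for conn in network_events:
        if not is_known_bad(conn.dst_ip):
            continue
        chain = ancestry(index, conn.host, conn.pid)
        alerts.append({
            "host": conn.host,
            "pid": conn.pid,
            "dst": f"{conn.dst_ip}:{conn.dst_port}",
            "chain": " -> ".join(chain) if chain else "<unknown process>",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert)
```

The join key is (host, pid); on a real endpoint a pid is reused over time, so a production pipeline would also key on process start time or a vendor-assigned process GUID. The ancestry walk is what turns a single "connection to a bad IP" into the story Dickson describes: which document viewer launched which interpreter, which then launched the process that made the connection.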
Dickson says file analysis based on machine learning is now “table stakes” for security vendors, while features such as advanced data analytics and threat hunting are typically associated with premium products.
Krasser says these emerging solutions help organizations meet the “1-10-60” challenge. “You want to detect the threat within one minute, investigate it within 10 minutes, and remediate within 60 minutes,” he says. “It’s fairly easy to breach an environment. You’ve got to be very quick to detect things, to pull in the right data, and then have the right tools to remediate what’s going on.”
Parnian Najafi Borazjani, a senior cybersecurity analyst for FireEye, says large data sets are essential when dealing with tools that are hunting for subtle signs of attack. “Machine learning models can only do so much,” she says. “Trying to determine what unique combination of features indicates an attack — that’s the secret sauce, and the biggest piece is the data that you have. If you train your model in a small set of samples, there can be overfitting. It works perfectly with that sample, but if you try another sample, it may not work so well.”
She notes that FireEye’s MalwareGuard model is trained on a data set that includes 300 million samples. “We train our model on a subset of samples, then do validation on another subset of samples — and then we do the testing on yet another subset.”
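The train/validation/test discipline and the overfitting symptom Najafi Borazjani describes can be shown on a small constructed dataset. The following is an added example and is not FireEye's MalwareGuard pipeline or data; the synthetic "file features", the labelling rule and the 1-nearest-neighbour model are assumptions chosen to make the effect visible in a few lines.

```python
"""Added example: a train/validation/test split and an overfitting check on a
constructed dataset. Illustrative only; not FireEye's MalwareGuard or its data."""
import random


def make_dataset(n, seed=7):
    """Constructed, synthetic feature vectors: two features in [0, 1) and a label
    of 1 when their sum exceeds 1.0. A stand-in for real file features."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x0, x1 = rng.random(), rng.random()
        rows.append(((x0, x1), 1 if x0 + x1 > 1.0 else 0))
    return rows


def split(rows, train_frac=0.6, val_frac=0.2, seed=11):
    """Shuffle once, then carve disjoint train / validation / test subsets.
    Only the training subset is shown to the model; validation is used for
    model selection and the test subset only for the final estimate."""
    rows = list(rows)
    random.Random(seed).shuffle(rows)
    n_train = int(len(rows) * train_frac)
    n_val = int(len(rows) * val_frac)
    return rows[:n_train], rows[n_train:n_train + n_val], rows[n_train + n_val:]


def nearest_neighbour_predict(train, x):
    """1-NN classifier: it memorises the training set, so it scores perfectly
    on the data it was trained on however badly it generalises."""
    best = min(train, key=lambda row: (row[0][0] - x[0]) ** 2 + (row[0][1] - x[1]) ** 2)
    return best[1]


def accuracy(train, rows):
    """Fraction of rows whose label the model trained on `train` predicts correctly."""
    hits = sum(1 for x, y in rows if nearest_neighbour_predict(train, x) == y)
    return hits / len(rows)


def overfitting_report(train, val, n_train_used):
    """Train on only the first n_train_used rows and compare training accuracy
    with validation accuracy. A large gap is the overfitting signature."""
    subset = train[:n_train_used]
    return {
        "n_train": n_train_used,
        "train_acc": accuracy(subset, subset),
        "val_acc": accuracy(subset, val),
    }


if __name__ == "__main__":
    train, val, test = split(make_dataset(500))
    for n in (5, 300):
        print(overfitting_report(train, val, n))
```

Training accuracy is 1.0 in both runs because a nearest-neighbour model reproduces every training label exactly; that is the "works perfectly with that sample" trap. The validation score is the number that matters, and it is expected to be noticeably worse for the 5-sample model than for the 300-sample one. The held-out test subset is deliberately untouched here: once validation has been used to choose between models, it no longer gives an unbiased estimate, which is why a third subset exists.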
Four Cybersecurity Trends
In its 2018 Cyber Intrusion Services Casebook, CrowdStrike identifies four key cybersecurity trends.
1. Creative tactics to monetize attacks:
Cybercriminals are gaining more power (for example, by watching emails being written and sent, rather than merely reading them), and are combining attack tools that were previously used discretely.
2. Quick strikes, patient attackers:
Misplaced trust in legacy tools offers opportunities for attackers to lurk inside environments for extended periods of time, illustrating the need for holistic security solutions.
3. Commodity malware, then disruptive attacks:
Increasingly, cybercriminals who gain network access via commodity malware are selling that access to other bad actors — who use the access to deploy ransomware, steal intellectual property or even engage in cryptomining, fraud or extortion.
4. Attackers hiding in plain sight:
Some of the most effective attacks come from cybercriminals who are able to masquerade as legitimate users — attacks that often succeed because controls over user credentials are absent, misconfigured or bypassed. Attackers who use legitimate credentials often go undetected and can gain tremendous insight into an organization.
Big Benefits to Shrink Security Threats
Data analytics and AI can deliver endpoint security capabilities including predictive security, threat detection, reduction of false positives, accelerated incident response time and reduction of dwell time.
While any tool that improves detection rates is attractive for obvious reasons, the automated threat response and reduction of false positives enabled by AI and data analytics also help organizations save time and make better use of their IT resources. “What you really want to do is start to react at machine speed with your remediation,” says McElroy. “Instead of having a human look through logs and try to find threats, these tools are going to do that for you.”
Dickson notes that enterprises face a shortage of security professionals, and says that AI and data analytics may help organizations fill that gap by handling routine tasks. “We don’t have enough security professionals,” he says. “One of the ways to mitigate this problem is to make the existing people more efficient. You might take a Level 1 security analyst, augment him or her with AI tools, and make them perform like a Level 2 analyst by having these tools do the first few steps automatically. Using AI to make security analysts more effective and more efficient is a pretty big movement within security.”
Dickson says security tools featuring AI and data analytics may only need to offer a marginal improvement in threat detection rates over standard solutions. But, he notes, even a small improvement can have an outsized impact on a company’s bottom line. “If a tool is .01 percent more effective, and I have 10,000 endpoints, I’m going to stop one more attack,” he says. “If it’s one in a million, and I have a million endpoints, I’m going to stop one attack. Depending on what information or systems I’m protecting, stopping that one breach matters.”