How AI and machine learning can help you defend the enterprise from cyberattacks

As attack methodologies advance, tool-assisted detection is indispensable for security professionals to manage sprawling networks of devices that are not necessarily trustworthy.
Written by James Sanders, Contributor

Security measures have increased significantly in the last several years, and malicious actors have similarly advanced their techniques to keep pace, particularly with advances in attack methods such as fileless malware. Likewise, the security model of 'serverless' computing platforms like AWS Lambda are completely different from traditional computers. These itinerant computing concepts are not effectively secured by the traditional model of checking file hashes against known malware samples.

For a robust, modern defense, an adaptive monitoring solution that leverages machine learning to identify anomalous patterns indicative of an attack in its infancy is necessary to defend enterprise systems from cyberattacks.

Much of the groundwork for this has been laid over the last several years, with endpoint detection services analyzing system events. "Network connection opened, registry key modified, process created… You build this catalog of really security relevant behaviors. The challenge becomes to map known malicious behaviors that essentially do the same thing," said Forrester Senior Analyst for Security and Risk Josh Zelonis, "You have to have two people in the room in order to build this: a data scientist who understands the map and can build these models… [and] an expert in offensive techniques in order to help them build the model and understand the abstraction of what they're doing, so they can statistically identify when an adversary does something that looks similar."

Accurately connecting aggregations of system events to anomalous activities is just one step on the security staircase -- determining the difference between legitimate changes in workflow and malicious activity is a higher-level-order task for machine learning or artificial intelligence. A variety of approaches for security information and event management (SIEM) that leverage ML/AI are available from a variety of vendors.

Leading vendors for AI/ML-powered solutions

ExtraHop's Reveal(x) platform provides network traffic analysts for enterprise networks, providing insight into connections, and identifies potential threats using rule and behavior based analytics paired with logical device groups. The platform also touts "full context and one-click investigation workflows for every detection."

Vectra Networks
Vectra Cognito is an AI-powered security platform that uses an analysis of known malware payloads and techniques to inform the machine learning models to detect future or unknown threats. It also analyzes user behavior and local networks, or attributes specific to a customer environment, in order to gain a baseline understanding of normal, against which to set parameters that identify anomalous behavior.

Corelight's 1U rack-mountable network security appliances are intended to produce comprehensive and actionable logs based on a variety of factors. CoreLight's platform can be used to track DNS queries and responses, as well as potentially problematic environmental factors, such as out-of-date or vulnerable software, abnormal keyboard settings for an environment, self-signed, expired, or soon to expire SSL certificates, as well as detecting what systems in a network have accessed a file found to be malicious.

DataVisor's offerings are targeted more toward transactional security than network security, with products targeted toward content moderation and filtering, transaction fraud (including promotional abuse and loyalty program fraud), account opening and monitoring, and money laundering detection and prevention.

The company touts their ability to provide detailed information about why patterns are flagged as anomalous, citing a tendency for competing AI/ML models to be treated as 'black boxes'.

Like DataVisor, PerimeterX targets detection of automated platform abuse, in essence, bots. The PerimeterX platform can be added to existing websites through the use of JavaScript, and uses "hundreds of indicators from the browser such as features, sensor data, and visual and audio rendering," which are compared against known profiles to detect when requests are not typical of normal users. Likewise, it also collects user behavior patterns "such as mouse clicks, screen touches, cadence and timing."

Looking forward (and backward) in enterprise cybersecurity

For all of the advancements that AI/ML promise for improving cybersecurity, it's not a replacement for the traditional groundwork needed to establish basic security hygiene in a given organization. "In terms of what people need to worry about when they're deploying is how control systems get used or accessed...that is the gateway to all the other devices. If someone is checking their email on [an industrial control system] then you're going to have a bad time." said Zelonis. "There really isn't a technological solution for in-depth social engineering."

Moving forward, SIEM is likely to integrate user data, according to Eric Ogren, Senior Analyst for Information Security at 451 Research. "The first step is who's accessing [a device]? And are they accessing at normal hours with normal protocols? Do they have permissions? Are they authorized? I'm starting to see a lot of the same vendors integrate with identity information, for access control."

Also See

Adversarial AI: Cybersecurity battles are coming
One of the world's foremost experts in building AI systems to detect malware explains "offensive AI" and the mathematical models he develops to protect against cyber attacks.  

Top digital transformation tech investment priorities for 2019: Cloud, cybersecurity, and AI
According to the "State of Digital Transformation" research, in 2019, it is clear that digital transformation is maturing into an enterprise-wide movement. Digital transformation is modernizing how companies work and compete and helping them effectively adapt and grow in an evolving digital economy.  

IBM's AI-cybersecurity platform learns new models from MITRE framework
The machine learning system is being given a crash course in cybercriminal techniques.

Cybersecurity, AI skills to dominate IT staff hires in 2019
While a third of the enterprise is looking to hire more IT staff next year, close to the same figure are looking to switch roles.  

Microsoft wants AI to predict if your Windows PCs will get malware
Microsoft wants new models to predict when Windows machines need extra protection from malware.

7 tips for CXOs to combat cybersecurity risks in 2019 and beyond (TechRepublic)
This year alone saw more than 600 data breaches, yet only 25% of organizations are planning to defend against attacks, according to Deloitte.  

Editorial standards