AI Driven Security Is Much More Than An Algorithm

Information security vendors make sensational claims about their technology, often suggesting special algorithms that are smarter than those of rivals. However, these boasts play on the misperception that algorithms are the only thing that set successful AI/machine learning solutions apart, which is generally not the case.

The fuel that improves the effectiveness of AI is often the volume, velocity and variety of data that helps to generate and feed the models underpinning the solution’s ability to detect and counter threats.

These systems use multiple models which include rules and algorithms to simulate intelligence, understand context, and make decisions when faced with both known and previously unseen situations.

An AI system can process large amounts of real-time, historical, structured and unstructured data much faster, and in more intensive ways, than humans. This speed and depth replaces manual efforts with the potential to make a rapid accurate decision, again based on the training the system has had.

For example, imagine a malicious user logs in to a network-connected PC with admin rights that immediately runs a tool to search for open file shares across the network. Then this user starts to copy several files from a shared volume to a new folder.

Next, the user starts sending these files to a previously unused FTP server: this could be a perfectly reasonable activity, or it could be a signal that credentials have been hacked and a data breach is taking place.

In this scenario, each one of these steps might only be noticed in hindsight after separate alerts and examination of the associated log files. Also, each step might take place days apart and may not even be correlated as a sequence.

Worst of all, unless the security team had visibility with real-time wire data, they won’t be able to rebuild transactions. In fact, some of these actions are unlikely to be captured within logs or by agents.

However, a machine learning solution could spot this as an issue, generate an alert, and potentially automatically quarantine that PC from the rest of the network. For this automated process to be effective and be permitted in the risk-aware culture of security, the solution needs to score up a high level of confidence that this is an attack and not just a real admin going about legitimate duties.

Having more data for the machine learning to analyze allows the AI to make better judgements, and this should start with baseline data about users, devices, systems on the network, and workflow patterns.

So, in this example, if the models had been fed network device discovery information which made the AI aware that the ‘PC’ the malicious user logged in from is a print server; then tasks outside of managing print jobs would be considered as highly suspicious.

An historic understanding of user behavior along with real time access to current network flows is also beneficial in training the underlying models.

For example, if the “admin” account in our scenario had always logged in between 9am and 10am and logged out mostly between 6pm and 7pm and this activity was taking place at 10pm; this break from the established pattern could also cause a red flag. Or if this admin had never previously used an FTP or had any interaction with this file server, again red flags aplenty.

In parallel, has an RDP session recently been initiated with that PC indicating that an external hacker might be spoofing an internal network connection? Again, red flag time.

To be able to gain these insights needs both a broad array of baseline data and constant flow of real-time information beyond what is available from historical logs or agents. The last point is particularly critical as the next generation of IoT devices often don’t have either logs or agents, and application owners really don’t want agents running on their finely tuned systems.

What does it all mean in terms of practical application? Garbage in, garbage out. Quality in, quality out. Security operations now include many data and behavioral analytics applications, running in harness with SIEMs, in series, or in parallel.

All analytics will be more effective when provided with rich, high-fidelity sources of data that can be used to build higher resolution models that can help find patterns and real-time correlations to identify anomalies and predict and prevent security issues: and the more relevant the data the better, not to drown the system, as alerts do today, but to facilitate the training and optimisation of the system for maximum accuracy and confidence.

Although a broad summary of the issue, next time somebody tries to convince you that it’s all about the algorithm; data in fact may hold the key.

Infosecurity- Magazine:

You Might Also Read: 

 

 

« GDPR Means Revisiting Email Marketing
Balancing Security With Digital Transformation »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perspective Risk

Perspective Risk

Perspective Risk provides penetration testing, security assessments, risk management & compliance solutions, InfoSec training and consultancy services.

ENEA Qosmos Division

ENEA Qosmos Division

Qosmos, a division of Enea, leads the market for IP traffic classification and network intelligence technology used in physical, SDN and NFV architectures.

SteelCloud

SteelCloud

SteelCloud has spent the last decade inventing technology to automate policy compliance, configuration control, and Cloud security.

4Stop

4Stop

4Stop is a global KYC, compliance and anti-fraud risk management company.

Padlock

Padlock

Padlock is a trusted platform with an intimate knowledge of the cybersecurity industry that connects businesses with freelance professionals

Luxembourg Office of Accreditation & Surveillance (OLAS)

Luxembourg Office of Accreditation & Surveillance (OLAS)

OLAS is the national accreditation body for Luxembourg. The directory of members provides details of organisations offering certification services for ISO 27001.

ZEBOX

ZEBOX

ZEBOX is an international incubator & accelerator of innovative startups. Focus is on Transport/Logistics and Industry X.0 including technologies such as AI, Blockchain and Cybersecurity.

ISA Global Cybersecurity Alliance (ISAGCA)

ISA Global Cybersecurity Alliance (ISAGCA)

Objectives of the ISA Global Cybersecurity Alliance include the acceleration and expansion of standards, certification, education programs, advocacy efforts, and thought leadership.

International Association of Security Awareness Professionals (IASAP)

International Association of Security Awareness Professionals (IASAP)

IASAP provides a members-only virtual sharing platform where security awareness professionals engage in a lively, year-round exchange of information and ideas.

StoneLock

StoneLock

StoneLock is a trusted leader in the design and manufacture of facial recognition software and technology.

Cyber Skyline

Cyber Skyline

Cyber Skyline is a revolutionary cloud platform to practice, develop, and measure your team's technical cybersecurity skills.

Delinea

Delinea

Delinea is a leading provider of cloud-ready privileged access management (PAM) solutions that empower cybersecurity for the modern, hybrid enterprise.

CSIOS Corp.

CSIOS Corp.

At CSIOS we help our customers achieve and sustain information and cyberspace superiority through a full range of defensive and offensive cyberspace operations and cybersecurity consulting services.

Occentus Network

Occentus Network

Occentus Network is a telecommunications service provider specialized in High Availability Servers & managed Cloud services.

Supra ITS

Supra ITS

Supra ITS is a leading full-service technology partner offering IT Consulting, Cloud Services, 24x7 Managed IT & Cybersecurity Services, and IT Project Support.

Dispel

Dispel

Dispel makes the fastest secure remote access for industrial networks. Built by operators for operators: a zero trust engine for your entire OT, IoT, and xIoT stack.