Every time we come out with a new mousetrap to secure our system, the hackers will work to find ways around it. But in the global security arms race, having Artificial Intelligence and Machine learning in place is going to become an essential part of the toolkit, especially as hackers look to use it for their own ends. In addition to other security protocols, AI programs can help keep the good guys one step ahead.
Artificial intelligence is a system's ability to "learn" from its inputs and infer rules from them. That enables the system to better interpret and react to similar inputs in the future.
This capability is enabled by Machine Learning, which is the technology, hardware, software and algorithms that ‘learn’ from previous inputs.
In a more practical sense, Dr. Jim Davis, Professor of Computer Science and Engineering at Ohio State University explains, “Modern machine learning is data-driven and with the data you can do auto-discovery of categories and classification, such as types of malicious or unwanted emails.”
Herb Roitblat, one of Mimecast’s resident data scientists, defines AI as “a form of computerized problem-solving with the means to solve a problem, but without the rules to do it.”
Four Elements of an AI Magic
AI capabilities are a hot topic among cybersecurity experts, so nearly every vendor is quick to promise cutting-edge AI capability. It’s up to CISOs to determine which solution will be best for their unique requirements. The decision process should start with four important considerations:
• Power of ML Algorithms: Assess the quality of machine-learning algorithms. Algorithm effectiveness is an important way to differentiate vendors and products, but evaluations can quickly turn into highly nuanced technical discussions, making apples-to-apples comparisons difficult. If an organization has the resources, it should create a test bed environment to gauge product performance using copies of its production data. That provides live and actual performance data.
• Investigate related Capabilities: Companies look beyond algorithms to what related capabilities vendors offer, such as security training for end users and technical instruction about AI for the security personnel.
• AI Automation: The intense competition among companies for cybersecurity skills is creating a talent shortage that challenges CISOs to attract and retain experienced people. AI can provide a solution to that. “Evaluate how well the AI solution can automate the tasks that employees are now performing,” says Jon Clay, director of global threat communications for security company Trend Micro. “AI may enable them to perform other, more important tasks within security operations.”
• MSSP with AI: Weigh the value of working with a managed security services provider (MSSP) that uses AI-based technologies for its services. Not only will an MSSP give organizations access to the latest AI innovations, but it will also lessen the need to hire highly paid AI experts for their own security teams. Depending on the size of an organization, hiring a security staff with AI knowledge and then keeping them trained can be costlier than moving to managed services. An MSSP acts like an extension of the business’s IT team and ensures access to updates and patches as soon as they are available.
The practical cybersecurity applications of AI and ML
There are a huge range of systems available today that utilize AI techniques for email and web security. These systems complement more traditional analytic and detection techniques by cutting down on the time required for analysis, blocking known risks and flagging likely risks to users or cybersecurity professionals to train and improve the AI.
Let’s take a look at successful real-world applications of AI/ML in cybersecurity.
Image Checking and Filtering: Deep learning, enabled by ML, are being used to identify not-safe-for-work and other images, such as logos, to improve filtering and phishing detection. AI/ML filtering tools are being used to spot deep fakes and flag phishing emails and all.
Detecting Outbound Email Attacks: ML models are also used to detect unusual and potentially risky patterns in a sender’s email frequency. This could be a sign of a cyber-attacker using an organization’s email for outbound attacks.
Malicious URL Detection: Algorithms can analyze a URL’s structure and content to check for anything unusual, which is great for detecting malicious URLs.
Detecting Data Leaks: Several AI/ML techniques like content matching, image recognition and statistical analysis are being used to detect sensitive data leakage during channel monitoring.
Website Categorization: AI/ML tools can and do use supervised learning (i.e. human-assisted) to categorize websites, detect high-risk sites and enforce policies. This application is useful for both email and web security controls, which use site categorization as part of policy-based decision-making.
Spam Detection: Neural networks (AI systems that mimic the way our brains work and increase computational speed by categorizing data sets) are used to help identify spam and other forms of unwanted, but non-malicious emails.
DNS-based Data Exfiltration: Use of AI to detect the malicious use of external DNS calls by malware to sneakily infiltrate data.
Categorizing Customer-Reported Phishing Emails: Pre-sorting and categorizing emails submitted by customers to improve the efficiency of an SOC. When you look at a big network overall, there can be thousands of phishing emails flying around at any given time. AI/ML tools can categorize and sort those, simplifying things greatly for the human cybersecurity team.
Spear Phishing: Predictive URL classification models based on ML algorithms can identify patterns that reveal a malicious sender’s emails. The AI/Ml tool is trained to spot micro behaviors like email headers, subsamples of body-data, punctuation patterns, etc to judge whether an email is likely to be a phish or not.
Watering Hole Detection: Attacks that are designed to compromise targeted users by infecting websites they typically visit can be detected using ML. Path traversal detection algorithms are used to detect these malicious domains and monitor them for rare or extraordinary redirect patterns to and from a site’s host.
Malicious Webshell Identification: ML algorithms can be used to pre-emptively identify web shells and isolate them from the system before they do anything dangerous. Web shells can modify websites to route transaction data through a different path. ML models can be trained to distinguish normal behavior from malicious behavior, and malicious files can be executed on a monitored standalone system in order to train the model further.
Ransomware: AI neural networks in combination with deep learning algorithms can detect unknown ransomware data sets through micro behavior training. A large set of ransom files with an even larger set of clean files are used to create an algorithm to identify key features that are then categorized into subsets to train the AI. When a ransom file attacks a system, that file can be checked against the trained model and automated security actions can be taken before it encrypts the whole file system or locks access to the computer.
Remote exploitation: Malicious attacks that target one or a network of computers in order to gain access to the system can happen in various ways including DDOS, DNS poisoning and port scanning. ML algorithms can be used to analyze system behavior and identify abnormal instances which do not correlate with the typical network behavior.
Experts warn that successful breaches are a matter of time. Many organizations take weeks or months to discover infections, the Verizon report notes, giving malware plenty of time to spread across networks and stealthily infiltrate valuable information. The use of AI in security technologies promises to shorten discovery time frames. It can monitor large volumes of network log data quickly to spot patterns revealing unusual behavior indicative of malware. AI can alert an organization of suspicious activity more quickly; so the security team can limit the damage.
Not only does artificial intelligence and machine learning help build a robust security framework with always-on risk assessment and coordinate an organization’s incident response, but these systems also work as an automation and orchestration tool to strengthen existing cybersecurity architecture with things like preventive security controls, firewalls and application security, and intrusion prevention systems.
It also helps offset the industry-wide shortage of skilled cybersecurity professionals. As more and more organizations undergo digital transformation, AI and ML can help these modern enterprises build a resilient and future-proof cybersecurity plan instead of traditional methods of tracking, threat detection, and risk assessment.