By: Matthew McKenna, VP International Operations
Although some of today’s security vendors refuse to admit it, as an industry we are still several years away from perfecting the complex recipe of AI, machine reasoning, deep machine learning and cybersecurity. You may find this reality check sobering, yet it is also hopeful, as we continue to make breakthrough developments in the paradigm shift that cybersecurity so desperately needs. Here are three schools of thought that could potentially be the early building blocks of intelligent cyber defense:
School of thought 1: Next Gen AV (NGAV) & Endpoint Detection/Response (EDR)
NGAV players and EDR players have some similarities but also some clear distinctions. On the one hand, NGAV looks at all processes on the endpoint using algorithms that permit it to no longer rely solely on the signature of the malware being known. This assists in efficiently understanding the context of the attack, allowing it to take remediation actions faster. Endpoint detection/response, on the other hand, provides the correlation of said context, providing greater visibility into the attack chain.
Both of these approaches are functional; however, there are also challenges related to these types of solutions, which require us to ask:
- Where is the AI taking place? If the answer is at the endpoint itself, we should be skeptical. AI and machine learning require significant processing power, and in most cases with NGAV an analytics server is required to provide it.
- If the solution requires an agent, where does the agent sit and how is it protected? One of the most well-known tactics of malicious actors is to disable endpoint agents and to undertake actions that trick sensors, rendering the solution ineffective. How does the solution protect against this scenario?
- How are things like lateral movement, masquerading, command and control, privilege escalation, etc. detected? NGAV is focused primarily on stopping malware. EDR provides more insight into the context of the endpoint behaviors.
School of thought 2: The SIEM replacement players or log aggregators (UEBA)
The second school of thought with respect to leveraging machine learning to provide predictive capabilities is the UEBA space, or what I like to refer to as the SIEM replacement/log aggregator space. The approach in this area is to apply AI/machine learning to log data, which in turn provides predictive insight into correlated logs and points to potential malicious behaviors. This approach has its benefits. It helps SOC analysts work more effectively with the thousands of events they receive a day, and gives them deeper insight into the existing behaviors across the environment. There are, however, a few challenges with this approach that need to be considered:
- UEBA solutions or log aggregators are reliant on logs. Again, one of the most well-known tactics of malicious actors is deleting logs to cover their tracks. Along with the useful insight that logs provide comes the risk of getting an incomplete story.
- Logs are not collected from all devices. BYOD, printers and IoT devices present a challenge in this respect. It is important to ask if additional customization may be required to ingest information from other data sources.
- If claims of AI/machine learning are being made with respect to the analytics engine, be sure to confirm the scalability of the analytics architecture, and how it can be extended to add data sets. More importantly, dig into the type of algorithmic techniques being used. This can help to ensure that multiple algorithms are applied to the context of emerging use cases, and that there are no forms of thresholding required to fine-tune the accuracy of these algorithms.
School of thought 3: The network centric players
The network centric players applying AI to detect non-signature-based or unknown threats make up this third school of thought. The belief here is that the network is the true source of information where the movement of a malicious actor can be accurately detected. The thinking behind this approach is that although malicious actors may be able to hide at the endpoint or application layer, they can’t effectively undertake their attacks and exfiltrate the information required to make lateral movements in the network. The network traffic, when understood in its context related to users, machines and assets, provides the indicators of this anomalous movement. The main things to consider with this approach include:
- What network traffic is being captured by collectors, and how is the architecture of the analytics set up to ensure scalability? If utilizing PCAP, is the entire packet ingested or is only the metadata from headers used?
- The same as with AI for UEBA, ensure that the AI being utilized is not dependent on a single algorithmic approach, and that it is truly unsupervised learning (does not require thresholding to adjust the sensitivity of anomaly detection). The key question to ask here is: What techniques are being utilized to eliminate and minimize false positives?
- What techniques are used to prioritize threats? It is important to understand how behaviors are correlated into the story of the emerging threat, and exactly how one threat is determined to be more important than another.