[BreachExchange] Bring the noise: How AI can improve cyber security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 21 19:57:00 EDT 2016


http://www.information-age.com/technology/security/123461638/bring-noise-how-ai-can-improve-cyber-security

Beleaguered enterprises are struggling to keep pace with cyber threats, and
small and medium-sized businesses are hit hardest of all due to limited
resources.

A recent survey by the Federation of Small Business (FSB) found 66% of
those questioned had been a victim of cybercrime over the past two years,
and only 4% had an incident response plan in place in anticipation of an
attack.

For many, cyber security takes them into unfamiliar territory and depletes
the time spent on core business activities.

This has seen an over-reliance upon point solutions, poor attention to
patching and updates, and a failure to apply strategic business-specific
security controls.

To make matters worse, the potential attack surface is only set to widen as
the Internet of Things sees sensors and IP-enabled tech insinuate
themselves into every niche of society, even the small business.

A badly configured humble kettle could open up a conduit onto a business
network, for instance. Yet the current situation finds many SMEs
ill-prepared for any change in the threat spectrum, being unable to
monitor, detect and respond to an attack – begging the question, how will
they cope with yet more holes in the network?

What is needed is some form of automation coupled with artificial
intelligence; a system that has visibility of the network and can monitor
activity and alert the business to enable security resources to be focused
as and where needed, thereby conserving spend, but which is specific to the
business.

High-level data processing has been available for some time in the form of
security incident and event management (SIEM) systems that, when combined
with a security operations centre (SOC), can correlate data and issue
alerts.

But these systems can be costly and complex to deploy and manage, with
reports estimating it takes up to six personnel to run a SOC 24/7.

Even then, the information derived from these tools needs to be correctly
interpreted and acted upon. And few SMEs have data scientists on the
payroll.

For this reason, AI is beginning to receive more attention. It takes
complex event processing and performs pattern analyses, using machine
learning, to improve success rates.

In the context of a SOC, AI can be used to extract hidden correlations and
detect complex attack vectors, as well as to assist analysts looking for
traditional attack patterns by offering multiple filtering options.

It can then assess the potential for these events to scale up and evolve
into attacks. Threat feeds are assessed in the context of the business, so
that criteria such as geography, sector and compliance requirements are
used as external parameters, while internal elements, such as business
strategy and the risk profile, are included to create an overarching view
– allowing the threat to be assessed against the risk appetite of the
business before determining a response.

As opposed to a traditional SOC, an AI SOC applies machine learning
and uses deep threat intelligence. It can drill down further for data and
use advanced penetrative techniques to mine information from dynamic data
sources such as those associated with social media and even off-grid in the
dark web.

This can give the business advance warning of an impending attack in
real-time as data can be collated, sifted and interpreted using predictive
data analytics to forecast likely event outcomes.

The FSB survey found that the most common form of attack against SMEs
was phishing, experienced by 49% of respondents, with 37%
experiencing the more targeted spear phishing attack.

These can readily be spotted and filtered using automated software.
Trickier and more difficult to anticipate are denial of service attacks,
aimed at crippling websites, and ransomware attacks, which use DDoS attacks
or malware to demand a release fee.

Both are on the increase in the SME sector, with the FSB survey reporting
5% of respondents had experienced a DoS attack and 4% ransomware.

By the time a DoS has been executed, the business is already caught off
guard and is potentially in a capacity war, forced to scale up resource to
fend off the attack.

Yet, with sufficient warning, the SME can use a DoS solution to throttle
the attack. The key is getting that information in advance for it to become
actionable intelligence and that can only be achieved by applying AI in the
form of complex algorithms that can spot rogue activity.

For instance, DoS attacks are highly organised in nature and are often
planned on forums hosted on the dark web. Tap into those conversations by
using the parameters referred to above and you can create a window into
underground activity that can trigger an alert when the noise merits it.

Real-time SOC services are now emerging that can deliver this type of
capability to the SME, and it need not be costly. Outsourcing can provide
the SME with access to the technology, the AI, and the personnel needed to
man the operation, thereby giving the sector access to high-level security
services using economies of scale for the first time.

When selecting a supplier, it’s the intelligence that you need to look for,
so in addition to the usual requirements such as SIEM, event logging and
data analytics, it’s beneficial to look at the managed services on offer.

Ask how data is captured, correlated and analysed, and by whom. Can it
dovetail with your day-to-day business operations to provide business
intelligence?

Finally, bear in mind that the threat spectrum is constantly evolving.
Cyber security sees security solutions and attackers pitted against one
another in a never-ending arms race.

If we now have AI security solutions, businesses should expect to see
malicious AI systems in the future.

Researchers are now modelling how a malevolent AI system could develop, and
have concluded that current cyber security practices are woefully
inadequate.