The Application of AI and ML in Cyber Security

  • Neeraj Pathak
  • Feb 09, 2021

There is a lot of talk nowadays about AI and ML. AI technologies are now included in everything from smart home devices, fitness trackers, customer support and shopping/social recommendations to financial and stock predictors, video games, drug identification in healthcare, personal assistants, speech recognition, travel assistance, facial recognition, business advertising, and much more.

In the field of cyber security, the use of AI is still evolving, and potential applications are in the very early stages or not yet well thought out. Customers too are exploring the use of AI in the security domain, and modern security products are entering the market specifically highlighting their built-in AI and ML capabilities.

That said, besides security practitioners, cyber criminals have also started leveraging artificial intelligence to disrupt businesses through AI-supported cyber-attacks. It has hence become imperative for security practitioners to have a greater understanding of the implications of AI/ML for the organisation’s overall security posture.

Here, I outline a few cyber security challenges and how applying AI/ML technologies in cyber security can help to overcome them. Let’s begin with the basic definitions of AI and ML.

Artificial Intelligence – Enabling machines to think like humans and mimic humans in every sense.

Machine Learning – It is a misconception that ML is separate from artificial intelligence. ML is a subset of AI: a kind of software algorithm or model that enables computers to analyse enormous amounts of data and identify patterns and structures that are not otherwise visible through traditional methods.

Known Challenges –

  • Humongous amounts of data: More than 5000 security products are on the market, and organisations use various solutions to strengthen their fort and reduce the likelihood of security breaches. An enormous amount of security data is pumped into SOC platforms, and finding the proverbial needle in a haystack is always challenging. SOC analysts need a next-generation tool that can automate the analysis of data and help them flag suspicious events quickly, with accuracy and precision.
  • Constantly changing TTPs: New security threats are sophisticated in nature. Threat actors even use known ports (53, 443) to exfiltrate critical data, continuously change source/destination IP addresses, and evade legacy signature-based solutions such as anti-malware to persist in systems. This is where artificial intelligence/machine learning capability is critical.
  • Siloed operation: Although demand for zero trust architecture is growing, the layered defence-in-depth approach will remain in play, as having multiple vendors in the infrastructure at least ensures cybercriminals sweat enough while trying to gain access to the environment. A central intelligent platform is the need of the hour to understand the data formats of the various technologies and to handle and analyse all the information collected from them.
  • Skill shortage: There are too many attackers and too much data, but not enough skilled resources to deal effectively with the pace of cyber security concerns. To address the skill shortage, non-human support in the form of AI/ML is crucial to identify, detect, respond to and mitigate security issues faster and more efficiently than a SOC analyst can.

How AI/ML use cases can help to overcome the above security challenges –

# Continuous security alert detection and monitoring:

A SIEM solution helps to continuously monitor, alert on and respond to security events, but a steadily growing volume of data in different log formats is coming into the SIEM, and manually looking for suspicious activity on a continuous basis is not only tiresome, it is close to impossible. The SIEM also throws up a number of alerts, including many false positives, which leads to alert fatigue in the SOC. Humans find it difficult to analyse data in real or near real time, detect ongoing attacks and provide a response. That is where organisations need a non-human, machine-learning-capable solution to assess alerts intelligently and leverage additional automation tools, such as a SOAR platform, to provide a faster and more effective response. Increasing the level of automation in the SOC will also help to tackle skill shortage, talent retention and cost escalation issues.

# User Behaviour Analytics:

The malicious insider is another big risk in cybersecurity, and the current environment, where users can access an organisation’s critical data from anywhere, makes this risk of utmost importance. UBA detects anomalies against a known baseline of user behaviour. An AI/ML-based solution can help to address security concerns such as careless or malicious insiders and stolen user credentials, prevent users from taking unnecessary information out of a system, and identify malicious users masquerading as legitimate users. An AI/ML solution is useful for identifying, detecting and alerting on deviations from the established baseline because it moves beyond static rules for detecting standard behaviour. It can provide dynamic baselining of user behaviour as well as anomaly detection, which can then be triaged by the SOC much more quickly.
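The difference between a static rule and a per-user dynamic baseline described above, as an added example that is not part of the original article: it flags daily upload volumes that deviate from each account's own trailing history using a median/MAD score. The account names, volumes, 500 MB limit, 7-day window and 3.5 threshold are all constructed assumptions.

```python
from statistics import median

STATIC_LIMIT_MB = 500   # assumed fixed rule: alert on any day above 500 MB
WINDOW_DAYS = 7         # assumed length of each account's rolling baseline
Z_THRESHOLD = 3.5       # assumed cut-off for the modified z-score
MIN_SCALE_MB = 1.0      # floor so a perfectly flat history cannot divide by zero

# Constructed sample data: MB uploaded per day, oldest first.
UPLOADS = {
    "alice": [20, 25, 18, 22, 30, 21, 24, 19, 23, 180],
    "svc-backup": [900, 950, 920, 910, 940, 930, 915, 925, 935, 945],
}

def static_rule(series):
    """Days flagged by one fixed threshold shared by every account."""
    return [day for day, mb in enumerate(series) if mb > STATIC_LIMIT_MB]

def robust_z(history, value):
    """Modified z-score: distance from the median in units of scaled MAD."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return (value - med) / max(1.4826 * mad, MIN_SCALE_MB)

def dynamic_baseline(series):
    """Days that deviate upward from the account's own trailing window."""
    flagged = []
    for day in range(WINDOW_DAYS, len(series)):
        history = series[day - WINDOW_DAYS:day]
        if robust_z(history, series[day]) > Z_THRESHOLD:
            flagged.append(day)
    return flagged

def compare(uploads):
    """Per-account result of both detectors, ready for SOC triage."""
    return {user: {"static": static_rule(s), "dynamic": dynamic_baseline(s)}
            for user, s in uploads.items()}

if __name__ == "__main__":
    for user, result in compare(UPLOADS).items():
        print(user, result)
```

On this sample the static rule alerts on every day of the service account and never on alice, while the baseline stays quiet for the service account and flags only alice's final day.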

# Secure End points/Servers:

Traditional anti-virus solutions are mostly signature and heuristic based. They clean, quarantine and delete infections based on the signatures available and are hugely dependent on frequent updates. This means we are further dependent on OEMs and solution providers to release updates in real time (which is practically not possible), and until then organisations are at risk of exposure. In addition, cyber criminals change their TTPs frequently, easily evading these traditional solutions and maintaining persistence in the environment. These challenges make malware detection a great use case for artificial intelligence/machine learning, as AI/ML isn’t necessarily dependent on signatures. Also, the number of samples available in the wild provides a large enough base to efficiently train and implement an ML model that can accurately detect malicious software that has been obfuscated by threat actors.

The machine learning (ML) capability of an endpoint detection and response (EDR) solution helps to prioritise risk, conduct advanced searches and carry out threat hunting to identify unknown threats. AI/ML enables the endpoint solution to focus on threat detection that supports a meaningful incident response.

There are many other AI/ML use cases, including phishing email detection, anti-phishing solutions that perform link inspection by simulating clicks on all links in the mail, threat intelligence, botnet detection, cyber risk ratings, analytics-based threat hunting, intrusion detection, incident forecasting, etc.

In summary, organisations should start adopting AI/ML capabilities in their cyber security programs to strengthen defensive controls, identify attacks that may not have been seen before and react quickly. To know more about how we are helping organisations embrace these capabilities with various security solutions, visit us at

Neeraj Pathak

DGM – Products & Services, NTT Global Data Centers and Cloud Infrastructure, India

With over 18 years of industry experience, Neeraj is the Deputy General Manager of Products & Services at NTT Global Data Centers and Cloud Infrastructure, India. He is an ardent cyber security practitioner and helps customers to enhance their organisation’s overall security posture. He is responsible for conceptualizing and developing security product and service offerings, and for evaluating market developments and trends in the security space.
