There is a lot of talk nowadays around AI and ML. AI technologies are today built into everything from smart home devices, fitness trackers, customer support and shopping/social recommendations to financial and stock predictors, video games, drug identification in healthcare, personal assistants, speech recognition, travel assistance, facial recognition, business advertising, and much more.
In the field of cyber security, the use of AI is still evolving, and many potential applications are at a very early stage or have not yet been well thought through. Customers too are exploring the use of AI in the security domain, and modern security products are entering the market specifically highlighting built-in AI & ML capabilities.
That said, it is not only security practitioners: cyber criminals too have started leveraging artificial intelligence to disrupt businesses through AI-supported cyber-attacks. It has therefore become imperative for security practitioners to gain a greater understanding of the implications of AI/ML for the organisation's overall security posture.
Here, I outline a few cyber security challenges and how applying AI/ML technologies in cyber security can help overcome them. Let's begin with a basic definition of AI/ML.
Artificial Intelligence (AI) is enabling machines to think like humans and mimic humans in every sense. Machine Learning (ML): it is a common misconception that ML is separate from artificial intelligence. ML is a subset of AI, a kind of software algorithm or model that enables computers to analyse enormous amounts of data and identify patterns and structures that are not visible by traditional methods.
Known Challenges –
How AI/ML use cases can help to overcome the above security challenges –
# Continuous security alert detection and monitoring:
A SIEM solution helps to continuously monitor, alert and respond, but a steadily growing volume of data in many different log formats flows into the SIEM, and manually looking for suspicious activity on a continuous basis is not only tiresome, it is close to impossible. The SIEM also raises a large number of alerts, including many false positives, which lead to alert fatigue in the SOC. Humans find it difficult to analyse data in real or near-real time, detect attacks in progress and provide a response. That is where organisations need a non-human, machine-learning-capable solution to assess alerts intelligently, and to leverage additional automation tools such as a SOAR platform to provide a faster and more effective response. Increasing the level of automation in the SOC will also help to tackle skill shortage, talent retention and cost escalation issues.
# User Behaviour Analytics:
Malicious insiders are another big risk in cybersecurity, and the current environment, where users can access an organisation's critical data from anywhere, makes this risk of utmost importance. UBA detects anomalies against a known baseline of user behaviour. An AI/ML based solution can help address security concerns such as careless or malicious insiders and stolen user credentials, prevent users from taking unnecessary information out of a system, and identify malicious users masquerading as legitimate ones. To identify, detect and alert on deviations from the established baseline, an AI/ML solution is useful because it moves beyond static rules that describe standard behaviour. An AI/ML solution can provide dynamic baselining of user behaviour as well as anomaly detection, which the SOC can then triage much more quickly.
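As an added illustration (not part of the original post), the following contrasts a static threshold rule with per-user dynamic baselining over a constructed set of login events; the user names, login hours and download volumes are invented.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history for two accounts: (user, login_hour, megabytes_downloaded).
BASELINE_EVENTS = [
    ("alice", 9, 12.0), ("alice", 10, 15.0), ("alice", 9, 11.0), ("alice", 11, 14.0), ("alice", 10, 13.0),
    ("bob", 8, 600.0), ("bob", 9, 650.0), ("bob", 8, 580.0), ("bob", 10, 620.0), ("bob", 9, 610.0),
]
STATIC_THRESHOLD_MB = 500.0  # one fixed number for every user, as in a classic correlation rule

def static_rule(event):
    """Static SIEM rule: flag any download above a global threshold."""
    return event[2] > STATIC_THRESHOLD_MB

def build_baselines(events):
    """Dynamic baseline per user: usual login hours plus download mean and std dev."""
    by_user = defaultdict(list)
    for user, hour, mb in events:
        by_user[user].append((hour, mb))
    baselines = {}
    for user, obs in by_user.items():
        volumes = [mb for _, mb in obs]
        baselines[user] = {
            "hours": {h for h, _ in obs},
            "mean": mean(volumes),
            # A perfectly flat history gives std 0; fall back to 1.0 so z-scores stay finite.
            "std": pstdev(volumes) or 1.0,
        }
    return baselines

def score_event(event, baselines, z_limit=3.0):
    """Return the reasons an event deviates from its owner's baseline ([] means normal)."""
    user, hour, mb = event
    profile = baselines.get(user)
    if profile is None:
        return ["no baseline for user"]  # unseen account: surface it rather than silently pass
    reasons = []
    z = (mb - profile["mean"]) / profile["std"]
    if abs(z) > z_limit:
        reasons.append(f"download volume z-score {z:.1f}")
    if hour not in profile["hours"]:
        reasons.append(f"login hour {hour} outside usual {sorted(profile['hours'])}")
    return reasons

if __name__ == "__main__":
    profiles = build_baselines(BASELINE_EVENTS)
    for ev in [("alice", 3, 200.0), ("bob", 9, 640.0)]:
        print(ev, "static rule:", static_rule(ev), "baseline:", score_event(ev, profiles))
```

Alice pulling 200 MB at 3 a.m. passes the static rule but is far outside her own baseline, while Bob's routine 640 MB trips the static rule yet is normal for him; that is the false-negative/false-positive gap the text attributes to static detection.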
# Secure Endpoints/Servers:
Traditional anti-virus solutions are mostly signature or heuristic based. They clean, quarantine or delete infections based on the signatures available and are hugely dependent on frequent updates. This means we are further dependent on OEMs and solution providers to release updates in real time (which is practically not possible), and until then organisations are exposed. In addition, cyber criminals change their TTPs frequently, easily evading these traditional solutions and maintaining persistence in the environment. These challenges make malware detection a great use case for artificial intelligence/machine learning, since an AI/ML model is not necessarily dependent on signatures. Also, the number of samples available in the wild provides a large enough base to efficiently train and deploy an ML model that can accurately detect malicious software that threat actors have obfuscated.
The machine learning (ML) capability of an endpoint detection and response (EDR) solution helps to prioritise risk, conduct advanced searches and carry out threat hunting to identify unknown threats. AI/ML enables the endpoint solution to focus on threat detection, which in turn enables a meaningful incident response.
There are many other AI/ML use cases, including detecting phishing emails, anti-phishing solutions that inspect links by simulating a visit to every link in a mail, and, in the field of threat intelligence, botnet detection, cyber risk ratings, analytics-based threat hunting, intrusion detection, incident forecasting, etc.
In summary, organisations should start adopting AI/ML capabilities in their cyber security programme to strengthen defensive controls, identify attacks that may not have been seen before and react quickly. To learn more about how we are helping organisations embrace these capabilities with various security solutions, visit us at https://www.netmagicsolutions.com/security
Neeraj Pathak
DGM – Products & Services, NTT Global Data Centers and Cloud Infrastructure, India
With over 18 years of industry experience, Neeraj is the Deputy General Manager of Products & Services at NTT Global Data Centers and Cloud Infrastructure, India. He is an ardent cyber security practitioner and helps customers enhance their organisation's overall security posture. He is responsible for conceptualising and developing security products & services offerings, and for evaluating market developments and trends in the security space.