The application of AI and ML in cybersecurity

There’s a lot of talk nowadays around AI and ML. AI technologies are used in smart home devices, fitness trackers, customer support, shopping/social recommendations, financial and stock predictors, video games, identifying drugs in healthcare, personal assistants, speech recognition, travel assistance, facial recognition, business advertising, and much more.

In the field of cybersecurity, the use of AI is still evolving and potential applications in cybersecurity are in the very early stages or are not well thought of yet. Clients too are exploring the use of AI in security domains, and even modern security products are entering the market highlighting specifically in-built AI & ML capabilities.

That said; besides security practitioners, cyber criminals have also started leveraging artificial intelligence to disrupt businesses through AI supported cyber-attacks. It has therefore become highly important for security practitioners to have a greater understanding of AI/ML implications on the organization’s overall security posture.

Below I have outlined a few cybersecurity challenges and how the application of AI/ML technologies in cybersecurity can help to overcome these challenges. Let’s begin with basic definitions of AI/ML.

Artificial intelligence (AI) is enabling machines to think like humans and mimic humans. When it comes to machine learning (ML), there is a misconception that it is separate from AI. ML is actually a subset of AI, a kind of software algorithm or model that enables computers to analyze enormous amounts of data and identify patterns and structures that are otherwise not visible by traditional methods.

Known challenges

• Humongous amounts of data: More than 5000 security products are out there in the market and organizations are using various solutions to strengthen their forts, to reduce the likelihood of security breaches. Enormous amounts of security data are being pumped into SOC platforms and finding the proverbial needle in a haystack is always challenging. SOC analysts need a next generation tool, which can automate the analysis of data and help to flag any kind of suspicious events quickly with accuracy and precision.
• Constantly changing TTPs: New security threats are sophisticated in nature. Threat actors are even using known ports (53,443) to exfiltrate critical data, changing source IP/destination IP addresses continuously and evading legacy signature-based solutions like anti-malware to persist in systems. This is where AI/ML capabilities are critical.
• Siloed operation: Albeit, zero trust architecture demands are spurring up, and having a defensive in-depth layer approach will remain important as having multiple vendors in the infrastructure at least ensures cyber criminals sweat enough while trying to gain access to the environment. A central intelligent platform is needed to understand the various technology data formats, as well as handle and analyze all the information collected from the various technologies.
• Skills shortage: There are too many attackers and too much data available, but not enough skilled resources to effectively deal with the pace of cybersecurity concerns. Non-human support in terms of AI/ML is crucial to identify, detect, respond and mitigate security issues faster and more efficiently than SOC analysts can do alone.

How AI/ML use cases can help to overcome above security challenges

# Continuous security alert detection and monitoring:

A SIEM solution helps to continuously monitor, alert and respond to alerts but we have seen that huge volumes of data with different log formats are coming in to the SIEM, so manually looking for suspicious activity on a continuous basis is not only tiresome, it is close to impossible. The SIEM also throws up a number of alerts including many false positives, which leads to alert fatigue in the SOC. Humans are finding it difficult to analyze data in real or near real time, detect current attacks and provide a response. This is where organizations need non-human, ML capable solutions to assess alerts intelligently, and leverage additional automation tools such as a SOAR platform to provide faster and more effective responses. Increasing the level of automation in the SOC will also help to tackle skills shortage, talent retention and cost escalation issues.

# User behavior analytics:

Malicious insiders are another big risk in cybersecurity and in the current environment where users can access an organization’s critical data from anywhere, this makes this risk even more severe. UBA detects anomalies from a known baseline of user behavior. An AI/ML based solution can help to address security concerns such as careless or malicious insiders and stolen user credentials, to prevent users from taking out unnecessary information from a system and to identify malicious users masquerading as legitimate users. To identify, detect and alert on any deviations from established baselines, AI/ML solutions will be useful as they would move beyond static rules of detection of standard behavior. An AI/ML solution can provide dynamic baselining of user behavior, as well as anomaly detection, which can then be triaged by the SOC much more quickly.

# Secure end points/servers:

Traditional anti-virus solutions are mostly signature, heuristic based. They clean, quarantine and delete infections based on signatures available and are hugely dependent on frequent updates. This means that we are further dependent on OEM and solution providers to release updates in real time (which is practically not possible) and until then organizations are at risk of exposure. In addition, cyber criminals are changing their TTPs frequently, easily evading these traditional solutions and maintaining persistence in the environment. These challenges make malware detection a great use case for AI/ML as AI/ML isn’t necessarily dependent on signatures. Also, the number of samples available in the wild provides a large enough base to efficiently train and implement a ML model that can accurately detect malicious software that has been obfuscated by the threat actors.

Endpoint detection and response (EDR) solution machine learning (ML) capabilities help to prioritize risk, conduct an advanced search, and carry out threat hunting to identify unknown threats. AI/ML enables endpoint solutions to focus on threat detection, which then enables a meaningful incident response.

There are many other AI/ML use cases including phishing emails, anti-phishing solutions to perform link inspection by simulating all links in the mail or in the field of threat intelligence, botnet detection, cyber risk ratings, analytics-based threat hunting, intrusion detection, incident forecasting etc.

In summary, organizations should start adopting AI/ML capabilities in their cybersecurity programs to strengthen their defensive control, identify attacks they may not have seen before and react quickly. To know more about how we’re helping organizations embrace these capabilities with various security solutions, visit us at services.global.ntt