By Joan Ross, Chief Intelligence Officer. Part 2 of a 2-part series
In our last post, we established the crucial role that Machine Learning and Artificial Intelligence (ML/AI) will play in your cybersecurity strategy. In this post, we’ll drill down into the four most critical missing aspects and illustrate how InsightCyber will fill the gap.
01. Data at Scale
The most pressing problem for many organizations is that the available commercial technology to date performs poorly when transacting large amounts of data. Attackers count on overwhelming security teams with the sheer volume of data transacted. It’s much more complicated than finding a needle in a haystack when the entire ecosystem is a field of hay blowing in the wind, changing and transmuting as it progresses through being harvested, baled, and transported in every direction.
Even when smaller amounts of data are transacted, ongoing ML and AI require great amounts of scale to better determine behavior minutia.
02. Signatures Fail
Time and again, security analysts have seen investments in signature-based technology fail against security attacks. The reason for this is that fresh attack methods and code are defeating known signatures and this is always occurring, and always will.
InsightCyber’s security experts have experienced this in their own careers. They would take the latest intelligence, programmatically validate systems against known attack vectors, alert and monitor systems, only to receive an alert several hours too late that an unauthorized person had accessed a production system.
The best of current technology could not protect against a basic security tenet of role-based access by an unauthorized individual in a timely alerting manner, despite a significant resource skill, time, and technology investment.
Security personnel spend enormous amounts of time with vendors while malware code is reversed-engineered and new signatures are generated and applied. In many cases, this happens after the damage has already been done and a successful attack and exfiltration of data accomplished, or ransomware applied.
03. Alert Fatigue
Alert fatigue is the bane of cybersecurity personnel’s existence. When security teams become exhausted, the danger of the real attack progressing from a diversion attack occurs. If technology is always producing inaccurate alerts, the team can become less responsive if they believe it’s another false positive. This has the danger of letting actual attacks slip through.
When asking a security team how many false positive alerts they chase per day, the most common answer is “too many to count.” This has led to some teams to remove or suppress technology alerts from certain events due to their unreliability and inaccuracy.
If you focus on the reconnaissance stage of attacker behavior, which the MITRE ATT&CK framework (v8) recommends, how can you avoid alert fatigue from false positives? Many organizations have these problems to solve in addition to the challenges of finding and retaining trained, adept security personnel.
With the pandemic, a demanding market of dedicated security people are dwindling along with budgets, training, and battling aging technical infrastructure that has never fully delivered in pinpointing malicious activities — whether from inside or outside the digital cyber and physical device ecosystems.
04. Prediction Analytics
We’ve solved for data at scale. What can prediction analytics provide that’s more reliable than signatures? Prediction analytics looks at behaviors of everything on your network over time, including devices, applications, usages, communications, changes, etc. and determines baseline behaviors, and those activities clearly indicative of pending attack. Not only does this eliminate false positives and alert fatigue, it frees up your security team to focus on more critical issues.
No longer in its infancy, ML and AI algorithms have advanced to map out at extreme scale. InsightCyber takes the collective behavior of data, devices and activities across a company’s technology stack. It yields an advanced UI utilizing cognitive visual analytics to enable not only security analysts, but other supporting roles in an organization tasked with supporting the security and information technology team (executives, managers, audit, compliance, help desk, etc.). They view dashboards designed for their roles that present high risk anomalies. So, combined with human sensibility, organizations can get ahead of cyber-attacks before the devastate operations and infiltrate sensitive data systems.
Involving academic and research communities to ensure rigor in their research and testing, they are able to bring this technology into the commercial, high transaction and other interested sectors.