Maximising security with AI and ML

With the cyber threat landscape busier than ever, security professionals have some new tools at their disposal that can help tackle the huge volume of potential threats and provide rapid insights: artificial intelligence and machine learning. Derek Manky, Chief, Security Insights & Global Threat Alliances, and Jonas Walker, Security Strategist at FortiGuard Labs, take a closer look at the benefits these technologies can deliver.

Nowadays, threat actors are leaning on new tools and techniques to improve the efficiency of their attacks. With attacks increasing in speed, agility, and sophistication, it is critical to maximise artificial intelligence and machine learning approaches to defend against evolving attack techniques.

Across the constantly evolving threat landscape, we’re seeing more speed combined with agility. Threats are getting into a system, hitting their targets, exfiltrating data, demanding ransom, and getting out of the system much quicker than before. This includes attackers capitalising on new vulnerabilities, both zero-days and n-days. That’s one of the most concerning elements – the theme of speed when it comes to the offense.

Aggression can also be seen, and the problem lies in the combination of the two, which is an even more potent mix. There is more speed, but there is more aggression as well. This includes the double extortion and triple extortion themes, and the targeted attacks that we’re seeing too.

Talking tactics

Furthermore, it’s about the tactics, the playbooks. There are more tactical approaches, and dual-stage attacks that we’re seeing after reconnaissance for information, including information gathered from social media, for example. In addition to everything discussed above, we’re still seeing more volume. All of which translates to more risk.

As an example, wiper malware has been much more active than in recent years, which ties into the theme of aggression. This is destructive malware that wipes out hard drives and master boot records of systems. We’re starting to see this tying into the world of extortion too. We’re not just talking about data at risk, but systems infrastructure at risk now.

Organisations can counter these threats by incorporating AI and machine learning into the equation, but it is important to distinguish the differences between them. First, at the most basic level, you have automation. Consider a threat feed with threat intelligence and with policies being applied. Without that, organisations would be lost. For example, we’re responding to 100 billion threats a day at FortiGuard Labs, and the majority of that is automated. Automation largely helps with the volume of detections and policies needed at speed, reducing reaction time, and offloading mundane tasks from SOC analysts.

Targeting the unknown

Where machine learning and AI come into play is with threats that are unknown. The question here is: how do we get ahead of the curve? AI is the action piece, whereas machine learning (ML) is the learning piece. Machine learning works on models, and each application can use a different model. Machine learning for web threats is entirely different from machine learning for zero-day malware. Organisations need to be able to do them all to secure effectively against the various attack vectors. By utilising machine learning and AI, we’re reducing risk dramatically. We’re also offloading costs from the OpEx model, since we don’t need to hire our way out of the problem.

The other piece of that is the skills gap conversation. Machine learning goes a long way not only to replace missing skills but to fill those gaps. We know there’s a shortage in the workforce globally, not just in cybersecurity, of course, but specifically in cybersecurity the question is: how do we address that gap? Does it make sense to go and hire 20 to 30 people in our NOC or SOC – and even if there is the ability to do that – can we find the people? This is where machine learning solutions can support skilled employees. An integrated approach such as a security fabric is very powerful.

Convergence of networking and security

There are additional protection measures that can be used to protect against today’s cyber threat landscape, such as actionable threat intelligence. Networking and security are converging, and that’s why we have to have actionable threat intelligence, with security subscription services tied into it. Being able to detect and respond to threats and to understand the threat landscape is the first priority. Essentially, you need all three of these working in harmony together: automation and orchestration, AI/ML, and escalation paths to SOC analysts for items that have been flagged as high priority.

Segmenting networks is also recommended as a very effective practical approach to reducing risk, because many of these threats will penetrate one device or system first. If the network is segmented, the threat won’t be able to spread to other systems and create further downtime. Thirdly, zero trust and ZTNA are a big topic nowadays. There are a lot of things happening on networks: devices coming in and out, applications coming on and off, and so on. The idea that nothing should be trusted inherently, and that trust should instead be earned, can significantly increase security. In addition to that, breach and attack simulation and having a plan ahead of time are critical. We often say, ‘It’s not a matter of if, but when, there’s going to be an attack’. Yes, we should do all the preparation work, but at the same time, have a game plan as well.

Lastly, employee education and security awareness training are things that should be implemented when addressing cyber threats, as employees are often the first line of defense.