Cyber threats regularly overwhelm traditional security solutions. It’s growing clear that artificial intelligence and machine learning is the safest path to lock down data and protect the enterprise.
The amount of information that we have to pour through in order to identify threats and vulnerabilities and ongoing attacks is growing non-linearly, says Fernando Maymi, Ph.D., CISSP, a security practitioner with over 25 years’ experience in the field for both government and private sector organizations in the US and abroad. “What AI fundamentally does is give us a fighting chance,” Maymi says.
The New Face of Threats
Maymi first became a passionate cyber-security advocate, decades ago, when as part of a government project looking at creating the next generation of wearable computing devices for soldiers, he realized there was no way to prevent an adversary from intercepting any communications. The project was ultimately cancelled till it was entirely reimagined some time later to manage for the risk.
And today we see similar threats in the civilian sphere, with the rise of nation state attacks against companies that may not seem like logical targets. The OPM attack in 2015 perhaps makes sense, since hackers were going after security information for people who held clearances.
But the Anthem, Marriott, and Equifax hacks that followed have come as a surprise to many, and smaller organizations that aren’t making headlines are being attacked by nation states as well. The long game, Maymi says, is complicated, and kind of terrifying.
“For the most part, it’s all about some of our adversaries building some very detailed files on everybody in our country,” he explains. “You never know who’s going to be in a position of prominence later on, and they may have something in their background that can be used as leverage, whether maliciously or simply to manipulate their opinions, as we’ve seen in the influence campaigns recently.”
These attacks are not letting up, making cybersecurity a top-line concern for companies of every size.
The AI Advantage
AI techniques like machine learning, neural networks, and statistical methods are exceptionally good at finding a very specific thing, or a very specific set of things, Maymi says, pointing at spam filters as an example.
But you’ll find that while AI is very good at point solutions, it’s not quite as good at looking holistically at an organization and telling you what a bad guy is going to do next (or even what they’re doing now) looking at broader patterns of behavior, and determining the intent of an adversary, figuring out why they’re aiming for a specific objective, and how.
While armed with hindsight, any of the companies that have experienced a headline-grabbing breach could have built an AI system to detect the threat, it wouldn’t have been particularly difficult, he says. But the issue is that you have to tell it what you want it to look at.
“Could they have built that AI system?” he asks. “Yes, but they would have had to have a reason to do it. They would need to have known what the threat is. Our risk management efforts, which of course rely heavily on threat modeling and threat assessments, are not where they need to be. A lot of these companies wouldn’t have had the motivation, the foresight.”
The underlying problem for a lot of organizations is they have no idea what their level of risk is, Maymi says.
Adding Risk Management
“There is strong evidence that the organizations that take risk management seriously, that follow through, see dramatic returns on their investment,” he adds.
Some mature organizations go deep in quantifying their risk and then taking deliberate actions to mitigate that risk to an acceptable level, but most organizations don’t go through this process.
The vast majority of organizations that even look at risk management do so in the context of satisfying some regulatory or insurance requirements. And once you get that stamp of approval, it stays on a shelf.
“I’ve talked to tons of people in the security world and asked, can you talk me through your risk management process?” he says. “They say, ‘I didn’t know we had one. I think somebody’s doing that, but it’s never involved me.’ That underscores the importance of bringing everyone to the conversation who should be in there.”
A robust risk management process requires an honest assessment of the threats to your systems, those you’re facing and those you could potentially face. Then looking at what you know about these threats, you model them, looking at what they could do against your systems, and how bad actors would try to get in.
“This is not just about technology,” he says. “What things do you put in there to prevent an attack? But also, what techniques do you put in there to detect that an attack is ongoing? AI can help you do a very targeted search for the events that are going on in your network, but you have to know what to look for.”
The last piece is ensuring that there are effective response systems in place. You have to prepare yourself, rehearse your own internal response procedures, but you also have to think about what dependencies exist between your entities and other entities, your security might be up to speed, but if you do business with a company that’s just hanging out in the breeze, it becomes an attack vector into your organization.
Tackling an Incident, the Right Way!
Your incident response plan has to be tied to business objectives and the business in general. A big problem, Maymi says, is when security policies and incident response plans don’t take the organization into account, and then the organization rehearses its incident response plans with just the security people in the room.
“Security professionals get paid to keep the business doing whatever it is that the business is doing,” he says. “If it’s a commercial entity, that’s making money. If it’s a government entity, it’s serving citizens. That’s our job. If we’re able to look beyond the technology and into what our organizations are intended to be doing, our job is to ensure that the organization continues doing that.”
You have to bring in business people, he explains, come up with exercise scenarios that involve the business’s bottom line, whatever that may be, and then you need whomever is impacted by a threat to the bottom line in the room to ensure your response plan is robust enough and protects the pieces of the business that need to be protected without threatening or undermining business as usual.
Your Secret Security Weapon
“It all boils down to people,” Maymi says. “Who is on our team that’s helping us fight the adversaries? What are their strengths and weaknesses? How do we offset those? Who do we need to give the time to get smart about AI? Where are our blind spots and how do we mitigate them?”
And then once you have your team figured out, and you have a well-running engine there, you look more broadly. What is the organizational team? What are the user behaviors that I need to be concerned about? What are we trying to do as an organization? What are the goals I’m supposed to support?
And then you look beyond that, even, looking at what you need to do to grow your network so that when you face a difficult issue, you know who to go to for help.
Perhaps you don’t have the resources to build a data science or AI cell within your shop, but you have a connection at another company who does that kind of work, and you can talk to them about the challenges you’re facing to get some insight and ideas on how to address them.
“The first step is to look inwardly,” he says. “And then based on what we find, look outward and say, how do I need to grow my network? How do I need to grow my team? How do I get better?”
Source: Cyber Security Intelligence