Machine Learning Speeds Up Remediation, But Will It Ever Be Able to Autonomously Protect Organizations Against Cyber-attacks?
Cyber-attackers are leveraging automation technology to launch strikes, while many organizations are still using manual efforts to aggregate internal security findings and contextualize them with external threat information. Using these traditional methods, it can take weeks or months to detect intrusions, during which time attackers can exploit vulnerabilities to compromise systems and extract data. To address these challenges, progressive organizations are exploring the use of artificial intelligence (AI) in their day-to-day cyber risk management operations.
According to the Verizon Data Breach Report, more than 70 percent of attacks exploit known vulnerabilities with available patches. At the same time, the findings show that hackers take advantage of vulnerabilities within minutes of their becoming public knowledge. These statistics emphasize the importance of time-to-remediation. However, due to the shortage of security professionals and the general challenge of dealing with big data sets in security, it is not surprising that vulnerability remediation efforts are not keeping up with cyber adversaries. Recent industry research shows that it takes organizations on average 146 days to fix critical vulnerabilities. Obviously, this benchmark indicates we need to rethink existing approaches to enterprise security.
Cyber adversaries have long leveraged machines and automation techniques to streamline their operations. So why shouldn’t organizations do the same?
Last year, the IT security community started to buzz about AI and machine learning as the Holy Grail for improving an organization’s detection and response capabilities. Leveraging algorithms that iteratively learn from data promises to uncover threats without requiring additional headcount or the need to know “what to look for”. Ultimately, AI can assist in conquering three specific use cases that are currently handled in manual fashion.
Identification of Threats
Organizations face an uphill battle when it comes to cyber security, since the attack surface they have to protect has expanded significantly and is expected to balloon even further. In the past, it was sufficient to focus on network and endpoint protection, but now, with applications, cloud services, and mobile devices (e.g., tablets, mobile phones, Bluetooth devices, and smart watches), organizations are battling a broadly extended attack surface.
This “wider and deeper” attack surface only adds to the existing problem of how to manage the volume, velocity, and complexity of data generated by the myriad IT and security tools in an organization. The feeds from these disconnected systems must be analyzed and normalized, and remediation efforts prioritized. The more tools, the more difficult the challenge; and the broader the attack surface, the more data to analyze. Traditionally, this approach required legions of staff to comb through the huge amount of data to connect the dots and find latent threats. These efforts took months, during which time attackers exploited vulnerabilities and extracted data.
Breaking down existing silos and automating traditional security operations tasks with the help of technology has therefore become a force multiplier for supplementing scarce cyber security operations talent. In this context, the use of human-interactive machine learning engines can automate the aggregation of data across different data types; map assessment data to compliance requirements; normalize the information to rule out false positives and duplicates; and enrich data attributes.
Once internal security intelligence is contextualized with external threat data (e.g., exploits, malware, threat actors, reputational intelligence), these findings must be correlated with business criticality to determine the real risk of the security gaps and their ultimate impact on the business. Ultimately, not knowing the impact a “coffee server” has on the business compared to an “email server” makes it virtually impossible to focus remediation efforts on what really matters. In this context, human-interactive machine learning and advanced algorithms play a big role in driving the appropriate response to individual risks.
Orchestration of Remediation
Increasing collaboration between security teams, which are responsible for identifying security gaps, and IT operations teams, which are focused on remediating them, continues to be a challenge for many organizations. Using a risk-based cyber security concept as a blueprint, it’s possible to implement automated processes for proactive security incident notification and human-in-the-loop intervention. By establishing thresholds and pre-defined rules, organizations can also orchestrate remediation actions to fix security gaps in a timely fashion.
While machine learning can help reduce time-to-remediation, will it ever be able to autonomously protect organizations against cyber-attacks?
Too often, unsupervised machine learning contributes to an onslaught of false positives and alerts, resulting in alert fatigue and a decrease in attention. For opponents of AI, this outcome provides ammunition they typically use to discredit machine learning in general. Whether we choose to admit it or not, we have reached a tipping point whereby the sheer volume of security data can no longer be handled by humans. This has led to the emergence of so-called human-interactive machine learning, a concept promoted, among others, by MIT’s Computer Science and Artificial Intelligence Laboratory.
Human-interactive machine learning systems analyze internal security intelligence and correlate it with external threat data to point human analysts to the needles in the haystack. Humans then provide feedback to the system by tagging the most relevant threats. Over time, the system adapts its monitoring and analysis based on human input, optimizing the likelihood of finding real cyber threats and minimizing false positives.
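The pipeline described in the three passages above (normalizing and deduplicating findings, enriching them with external threat data, weighting by business criticality, routing to remediation on a threshold, and letting analyst feedback adjust the model) is easier to reason about with a concrete toy. The following is an added example written for this page, not code from the article's author or from any product it alludes to. Every input is constructed: the CVE ids are placeholders, the threat feed, asset criticality table, initial weights and threshold are invented values, and the "learning" is a deliberately simple weight update rather than any real vendor's algorithm.

```python
"""Toy risk-based triage loop with an analyst-feedback step.

Constructed, illustrative data only; the scoring model is a weighted linear
combination chosen for readability, not a recommendation of specific weights.
"""
from dataclasses import dataclass

# --- constructed inputs (placeholders, not real vulnerabilities or assets) ---
RAW_FINDINGS = [
    {"asset": "mail01", "cve": "CVE-XXXX-0001", "cvss": 9.8},
    {"asset": "mail01", "cve": "CVE-XXXX-0001", "cvss": 9.8},   # duplicate from a second scanner
    {"asset": "coffee-srv", "cve": "CVE-XXXX-0001", "cvss": 9.8},
    {"asset": "mail01", "cve": "CVE-XXXX-0002", "cvss": 5.3},
]
# External enrichment: is a public exploit / active malware known for this CVE? (constructed)
THREAT_FEED = {
    "CVE-XXXX-0001": {"exploit_public": 1.0, "malware_seen": 1.0},
    "CVE-XXXX-0002": {"exploit_public": 0.0, "malware_seen": 0.0},
}
# Business criticality in [0, 1]: the "email server" versus the "coffee server". (constructed)
ASSET_CRITICALITY = {"mail01": 1.0, "coffee-srv": 0.1}
# Initial feature weights (sum to 1) and the remediation threshold. (assumed values)
INITIAL_WEIGHTS = {"cvss": 0.5, "exploit_public": 0.3, "malware_seen": 0.2}
REMEDIATION_THRESHOLD = 0.5


@dataclass
class Finding:
    asset: str
    cve: str
    features: dict  # feature name -> value in [0, 1]


def normalize(raw):
    """Deduplicate (asset, cve) pairs and attach enrichment features."""
    seen, out = set(), []
    for rec in raw:
        key = (rec["asset"], rec["cve"])
        if key in seen:
            continue  # same gap reported twice; keep one
        seen.add(key)
        feed = THREAT_FEED.get(rec["cve"], {})
        out.append(Finding(rec["asset"], rec["cve"], {
            "cvss": rec["cvss"] / 10.0,
            "exploit_public": feed.get("exploit_public", 0.0),
            "malware_seen": feed.get("malware_seen", 0.0),
        }))
    return out


def risk_score(finding, weights):
    """Technical severity (weighted features) scaled by business criticality."""
    technical = sum(weights[k] * finding.features[k] for k in weights)
    return ASSET_CRITICALITY.get(finding.asset, 0.5) * technical  # unknown asset: medium


def orchestrate(findings, weights, threshold=REMEDIATION_THRESHOLD):
    """Return (asset, cve, score) for findings that cross the remediation threshold."""
    return [
        (f.asset, f.cve, round(risk_score(f, weights), 3))
        for f in findings
        if risk_score(f, weights) >= threshold
    ]


def apply_feedback(weights, finding, relevant, lr=0.1):
    """Analyst tags a finding as relevant or not; nudge weights toward its features
    (or away from them) and renormalize so they keep summing to 1."""
    sign = 1.0 if relevant else -1.0
    updated = {k: max(0.0, w + sign * lr * finding.features[k]) for k, w in weights.items()}
    total = sum(updated.values()) or 1.0
    return {k: v / total for k, v in updated.items()}


if __name__ == "__main__":
    findings = normalize(RAW_FINDINGS)
    print("tickets:", orchestrate(findings, INITIAL_WEIGHTS))
    # Analyst flags the lower-CVSS mail-server finding as genuinely relevant.
    tuned = apply_feedback(INITIAL_WEIGHTS, findings[2], relevant=True)
    print("weights after feedback:", tuned)
```

With the constructed inputs, the duplicate collapses, the mail server's exploited vulnerability is the only finding routed to remediation, and the identical vulnerability on the coffee server stays below the threshold purely because of criticality. One feedback step on a CVSS-only finding shifts weight toward the CVSS feature; in a real system the update rule, the threshold, and the criticality table are the parts that deserve the most scrutiny, since they decide which alerts humans ever see.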
Enlisting machine learning to do the heavy lifting in first-line security data assessment enables analysts to focus on more advanced investigations of threats rather than performing tactical data crunching. This meeting of the minds, whereby AI is applied using a human-interactive approach, holds a lot of promise for detecting, responding to, and fighting cyber risks.