Never content to simply maintain the status quo, this group is busy putting the technologies to work to make their techniques stronger and more likely to succeed. AI and ML tools allow them to amplify their efforts and mount attacks in ever more inventive ways.
Fortunately, cyber criminals are not the only ones making use of AI and ML in security. Cyber-security teams turn to rapidly evolving tools that use these technologies to eliminate much of the manual work associated with incident detection, analysis, and response.
New methods of threat detection
IT security vendors have been hard at work, developing a new generation of tools that use AI and ML-based automation to identify attacks. Many rely on AI to pattern match or attempt to detect anomalous behaviour.
At the same time, security teams are realising efficiency gains by using ML to automate the deployment of security solutions. Deception technology is one example: the solution learns the environment on its own and then automatically proposes decoy configurations and credentials. This automatic configuration saves deployment time and eliminates mistakes made during manual customisation.
AI and ML tools are also helping organisations reduce the length of time between when intruders enter a network and when security teams detect them. These tools can spot unusual behaviour and flag incidents for further examination. They can also automatically gather information about the attack in real time, which helps remediate the intrusion and prevent future ones.
There are considerable benefits an organisation can gain by gathering information about an attack as it occurs. Charting the attack path and point of origin provides valuable information, as does identifying the tools the attacker is using to gain access.
Fortunately, some next-generation security controls can automatically perform this function, providing security teams with high-quality alerts and verified information that allows them to respond to an incident more quickly and effectively.
Putting the tools to work
One approach to gathering and assessing attack information involves deploying a security information and event management (SIEM) platform. Endpoint detection and response (EDR) tools can also assist by providing endpoint forensics and other telemetry. Their ability to quickly isolate an infected system can limit the spread of an attack.
Another preferred strategy is using deception techniques to automate incident response actions, such as isolating an infected endpoint or blocking the affected network segment, through built-in integrations with existing security controls. The security team can gain further operational efficiencies by automatically sharing attack data with its SIEM and EDR tools to accelerate threat hunting and containment.
Substantiated alerts are a critical aspect of automated tools; however, security teams often hesitate to automate responses because many detection tools suffer from low signal-to-noise ratios. The last thing they want is to cause business disruption over a false-positive alert. By relying instead on tools that produce substantiated alerts, defenders can automate responses with more confidence and less additional investigation time.
Increasing numbers of organisations embrace security orchestration, automation, and response (SOAR) platforms to maximise information sharing and response automation. SOAR platforms are similar to SIEMs but include workflow automation to enable information exchange and playbook execution.
This superior level of automation can help reduce information sharing time and human error potential while resulting in significant improvements to both attack recognition and response time.
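The gating logic the preceding paragraphs describe, as an added example (not Attivo's or any other vendor's code): a minimal SOAR-style playbook in Python that automates containment only for substantiated alerts (use of a planted decoy credential, or a very high anomaly score) and routes lower-confidence anomaly alerts to an analyst instead. The alert records, hostnames, score threshold and integration names are constructed assumptions.

```python
"""Added example: triage alerts and automate response only when substantiated."""
from dataclasses import dataclass, field

# Constructed sample alerts (hypothetical hosts, scores and details).
SAMPLE_ALERTS = [
    {"id": 1, "source": "deception", "host": "ws-042",
     "detail": "login attempt with decoy credential svc_backup"},
    {"id": 2, "source": "anomaly", "host": "ws-017", "score": 0.42,
     "detail": "unusual outbound data volume"},
    {"id": 3, "source": "anomaly", "host": "db-03", "score": 0.97,
     "detail": "new admin tool executed"},
]

@dataclass
class Outcome:
    alert_id: int
    host: str
    action: str                       # "isolate", "investigate" or "log"
    share_with: list = field(default_factory=list)

def is_substantiated(alert, threshold=0.9):
    # A decoy interaction is substantiated by construction: no legitimate
    # workflow uses planted credentials, so a hit is a high-fidelity signal.
    if alert["source"] == "deception":
        return True
    # Behavioural anomaly detectors have a lower signal-to-noise ratio, so only
    # a very high score clears the bar for an automated response.
    return alert.get("score", 0.0) >= threshold

def triage(alert, threshold=0.9):
    if is_substantiated(alert, threshold):
        # Contain via the existing EDR integration and forward the attack data
        # to SIEM and EDR so threat hunting can start immediately.
        return Outcome(alert["id"], alert["host"], "isolate", ["SIEM", "EDR"])
    if alert.get("score", 0.0) >= 0.3:
        # Below the automation bar: enrich and hand to an analyst rather than
        # risk business disruption on a false positive.
        return Outcome(alert["id"], alert["host"], "investigate", ["SIEM"])
    return Outcome(alert["id"], alert["host"], "log", ["SIEM"])

def run_playbook(alerts, threshold=0.9):
    """Apply the triage decision to every alert and return the outcomes."""
    return [triage(a, threshold) for a in alerts]

if __name__ == "__main__":
    for outcome in run_playbook(SAMPLE_ALERTS):
        print(outcome)
```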
Rapidly detecting and responding to cyber-security incidents is critical to avoiding business disruption and minimising or avoiding losses altogether. Adding automation to the mix through AI and ML-powered tools can help teams significantly increase their capabilities and success rates.
As AI and ML continue to evolve, their ability to add value to security in the future will only grow.
Jim Cook, ANZ regional director, Attivo Networks