


Using Artificial Intelligence to Rebalance the Cyber Criminal Advantage

Feb 27, 2018 | 6 mins

Criminals and cyber adversaries use speed, stealth, and bots to achieve their singular goal—steal from you. But as the CISO, you must focus on two goals: Run your organization effectively and counter those adversaries. How might AI be used to fundamentally rebalance the field of play?


There is a troubling convergence of trends across the cybersecurity landscape that I have been watching closely. If not addressed, I suspect they could wreak deeper levels of damage and volatility than any we have already seen. Cybercriminals are taking advantage of the expanding attack surfaces being created by digital transformation, the extraordinary ease and accessibility of malware as both off-the-shelf product and emerging profit driver, and the fact that IT teams are often so overwhelmed managing change that they simply don’t have the resources necessary to keep systems appropriately patched and hardened.

When we take a closer look, the challenges are stark, but the solution doesn’t require a genius, if we approach it wisely and methodically. After all, genius is 1 percent inspiration and 99 percent perspiration.

The problems: 

  • Keeping up in ways other than just applying speed

The increased speed and variety of malware threatens to overwhelm cyber defenses, much like how a spider traps an otherwise well-armed victim for later digestion. We need to find new ways to counter those attacks. An obvious choice is to match the adversary’s speed with your own. That, though, becomes a horsepower check—an important but sometimes incomplete proposition. Already stretched thin by the velocity of change they must manage to achieve digital transformation, IT teams are scrambling to gather and deploy—in the most efficient ways possible—what resources they do have to keep systems appropriately patched and hardened.

  • Low cost to attack, high cost to defend

It is simply not realistic to expect one IT team—no matter how seasoned—to fight back a dark web’s worth of easy-access malware. This shadowy digital black market provides a host of services for its criminal consumers, from building custom code, to commercially available applications that can generate malware, to malware-as-a-service that simply requires pointing an online malware or ransomware application at a target. They even have help desks. CISOs and IT teams are tasked with achieving what at times feels impossible. And, in an industry already struggling with too few cybersecurity professionals, it is a dangerous recipe for burnout, turnover and dejection.

  • Forever Zero Days

If that weren’t enough to contend with, there is the issue of rapid polymorphism. Once malware is released, hackers begin to modify it for their own purposes. Less than 12 hours after WannaCry was released, an entire aligned crime family of variants was unleashed on networks. Originally designed as ransomware, one WannaCry variant was actually a botnet for bitcoin mining. Like a weaponized mutation of legitimate open source development, such polymorphic transformations can happen hundreds of times in a matter of hours, and continue for weeks or months. And I haven’t even talked about self-mutating code, designed to change its signature to become, essentially, forever a zero day.

To contend with the growing sophistication of the threats we now face, we must integrate and underpin our sensors, sense-makers, and actuators so they can implement the intent of network security operators, to find and respond to even the fastest and most stealthy threats. There is no dream of ‘artificial intelligence’ without a means to collect, process, and act on information in an integrated manner that leverages the sophistication of an intelligent response.

Relatedly, the insufficient number of cybersecurity master analysts and engineers means that we must use the extremely powerful and valuable resource of human expertise wisely. Our best talent must be focused on the most critical decisions, while automated systems handle lower-order decisions and processing.

Like most big things, a true AI capability will emerge based on key building blocks.

  • Speed

Artificial intelligence, completed too late, is without value. Speed is an essential enabler.

  • Advanced Analytic Services

Traditional malware detection, such as antivirus signatures, is a necessary, but not sufficient, means for keeping up with the onslaught, especially when malware is created and generated in cyber-relevant time. Because signatures require a one-to-one match, modifying the malware’s string of digits can make the signature ineffective. Advanced techniques therefore harness content pattern recognition language (CPRL). CPRL tears malware apart in a sandbox, looks at behavior and code, and then uses code blocks to identify even modified malware. Good stuff.
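The contrast drawn above between one-to-one signatures and block-based matching, as an added example that is not from the original article and is not Fortinet's CPRL: overlapping fixed-size byte windows stand in for "code blocks" here. The sample byte strings, window size, threshold and function names are constructed assumptions.

```python
import hashlib

WINDOW = 8          # bytes per block; an assumption chosen for this toy input
THRESHOLD = 0.7     # share of known blocks that must reappear; also an assumption

# Constructed, harmless byte strings standing in for analysed samples.
KNOWN = b"init;cfg=campaign-A;enum_files;transform_block;write_out;report"
VARIANT = KNOWN.replace(b"campaign-A", b"campaign-B") + b"\x00" * 4
UNRELATED = b"The quick brown fox jumps over the lazy dog, harmlessly."


def exact_signature(sample: bytes) -> str:
    """One-to-one signature: a digest of the whole sample."""
    return hashlib.sha256(sample).hexdigest()


def block_fingerprints(sample: bytes, n: int = WINDOW) -> set:
    """Fingerprint every overlapping n-byte block of the sample."""
    return {
        hashlib.blake2b(sample[i:i + n], digest_size=8).digest()
        for i in range(len(sample) - n + 1)
    }


def block_containment(known: bytes, candidate: bytes) -> float:
    """Fraction of the known sample's blocks that also occur in the candidate."""
    known_blocks = block_fingerprints(known)
    if not known_blocks:
        return 0.0
    return len(known_blocks & block_fingerprints(candidate)) / len(known_blocks)


def classify(candidate: bytes, known: bytes = KNOWN) -> str:
    """Try the exact signature first, then fall back to block overlap."""
    if exact_signature(candidate) == exact_signature(known):
        return "exact-match"
    if block_containment(known, candidate) >= THRESHOLD:
        return "probable-variant"
    return "no-match"


if __name__ == "__main__":
    for name, sample in [("known", KNOWN), ("variant", VARIANT), ("unrelated", UNRELATED)]:
        print(f"{name:10} {classify(sample):17} {block_containment(KNOWN, sample):.2f}")
```

Changing one byte of the constructed sample breaks the whole-file digest but disturbs only the eight windows that cover that byte, so most of the known blocks still match.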

  • Orchestrated Analysis

But while sandboxing is indeed a cybersecurity must-have (no respectable organization should be without it), we need to look for ways to make it even better. At Fortinet, we use the sandbox not only to find the previously unknown, but also to automatically send out warnings to others on the network, increasing their insight into what’s bad, and what’s not. We also take advantage of other analytics to create insights, and integrate the results of those discrete analytics into the outline of the attack that might escape a single analytic. The commercial discipline of secure orchestration has emerged as a solution that allows systems to automatically execute many things that operators currently have to do manually.

  • Leveraging Machines To Do What Machines Do Best

The insufficient number of cybersecurity master analysts and engineers means that we must use the extremely valuable resource of human expertise wisely. Our best talent must be focused on the most critical decisions, while automated systems handle lower-order decisions and processing. That means that we need to develop and deploy risk-based decision-making engines that take humans out of the loop, and instead, put them above the loop. After fast, specialized analysis and integration, risk engines are the third major step toward AI. The engines will execute the ‘OODA loop’ (Observe, Orient, Decide, and Act) for the vast majority of situations. Pre-planned Courses of Action (COAs) will free up valuable cybersecurity experts to concentrate on the more difficult decisions, where human cognition and intervention are most required. The most sophisticated of such engines will actually suggest COAs rather than relying only on pre-defined ones.

Do As I Mean, Not As I Say: Intent Based Network Security

With the core cybersecurity architecture strategies of speed, integration, and automation, enabled by risk-based decision engines and advanced analytics, we can achieve intent-based cybersecurity. Intent-based security implements the goal of the network operator without burdening him or her with managing complexity that is beyond human cognitive levels.

So, the final steps toward AI are, indeed, within reach. If organizations quickly prioritize the strategic enablers—speed, integration, advanced analytics, risk-based decision engines—they are primed to create a highly efficient security model that utilizes both human and machine resources for what each does best, and does so with extraordinary agility. But if they press forward in a dead sprint to keep pace with a growing army of increasingly sophisticated and empowered threat actors, they may soon feel like they are standing still, eating the dust of the cybercriminals who have already moved on to another attack.