Introduction to AI-based threat prevention

The shifting security landscape presents challenges to those working in the area of threat detection and prevention. The expansion of endpoints created by hyper-connected IT infrastructures, the Internet of Things (IoT) and mobile computing offers cybercriminals a myriad of doorways into our networks. And as the technology matrix morphs into something from a sci-fi film, cybercriminals are creating clever and stealthy tools like fileless malware.

This would be bad enough, but the cybersecurity skills gap is exacerbating the situation. Security analysts are on the front line of security and they are feeling the pressure of this complex problem. But with a shortfall of 1.8 million cybersecurity professionals by 2022 according to (ISC)2, this pressure looks only set to get worse.

In a study titled “The 2018 Threat Hunting Report,” 52% of Security Operations Centers (SOC) said that threats had at least doubled in the last year. The same study also found that 82% of SOCs would be investing in the use of ‘advanced’ threat hunting techniques like artificial intelligence (AI).

This article will look at how AI is applied in the area of threat detection and prevention, and who is using it.

Use of artificial intelligence in threat detection and prevention

The type of threats and the scope of attack vectors has made the detection and prevention of cyberattacks very difficult. To counterbalance the onslaught, we have to get smart.

Smart security has now turned up in the form of artificial intelligence. AI is held up as a new technology that offers a way to automate the detection process — augmenting, rather than replacing, the human analyst. The market for AI-based solutions in the security space is expected to reach $34.8 billion by 2025 as new technologies and threats expand the attack surface and change the face of cybercrime and as security professionals scramble to keep up.

In the field of threat detection, artificial intelligence is most usually utilized in the form of its subsets, machine learning or deep learning. Which variant is applied depends on the application and data available.

Many of the applications of AI to threat detection and prevention use a version of machine learning called “unsupervised learning.” In unsupervised learning, datasets are input and used to find patterns — these patterns are used to spot anomalies in behavior such as unusual file movements or changes.

Deep learning, a subset of machine learning, is also used in threat detection. Deep learning is based on neural networks; in other words, this technique is based on how our own brains work.

In the area of threat prevention, deep learning is being applied to insider threats. This type of cybersecurity threat is notoriously difficult to spot. Deep learning algorithms are self-training, using large datasets of labeled data; the more data, the more accurate the outcomes. Deep learning is being used to detect insider threats that human beings find hard to differentiate from normal behavior.

Popular vendors in the AI threat prevention market

Below are some of the most popular vendors who offer AI-based threat prevention and detection products:

DarkTrace — Enterprise Immune System. The company compares their product to the human immune system. DarkTrace solutions are based on unsupervised machine learning using current datasets from a massive network of contributors. The system learns from these datasets, spotting trends and patterns that point to anomalies and unusual behavior, before creating an alert. The system can auto-adapt to changing business conditions. There are a number of associated tools that can be used for visualization of the output.

Cylance — AI Platform. This is used to detect fileless attacks and zero-day payload execution. The toolkit uses artificial intelligence and machine learning to stop attacks against endpoints. A Forrester report on Cylance found a 99% catch rate and an ROI of 251%.

Symantec — Targeted Attack Analytics (TAA). Symantec describes the tool as using “virtual analysts,” and the technology is based on advanced analytics and machine learning. TAA detected security incidents at 1,400 organizations soon after the product’s launch. It uses the same methodology and tools that were used to discover the Dragonfly 2.0 hacking group.

Sophos — Intercept X. Intercept X combines deep learning with endpoint detection and response. It is able to prevent ransomware and other malware executing on endpoints without the need for signatures. Intercept X uses over 400,000 samples of suspicious code per day to provide the training sets for the deep learning algorithm it uses for threat detection. They describe their methodology as follows: “Instead of chasing after the signature, we trace the technique.”

Carbon Black — CB Predictive Security Cloud is a move away from signature-based threat detection. Offers help for fileless and “never seen before” cyberattacks. Carbon Black’s community collaboration approach utilizes the intelligence (and data) of 20,000+ security professionals. To detect unusual behavior, the service uses machine learning and “event stream processing” of the massive datasets the ecosystem provides.

McAfee — A product suite including “Investigator.” The approach by McAfee is termed “human-machine teaming.” They apply deep learning to the analysis of malware without the need for any signature-based detection. Their suite of threat detection capabilities is part of a human-machine collaboration to improve threat detection. Threat detection increased by ten times, with a significant decrease in false positives.

A smarter future for threat prevention?

We have watched as traditional security tools like signature-based antivirus solutions struggle to keep up with security threats. Fileless malware attacks are replacing traditional malware threats, with PowerShell attacks increasing by 432% in 2017. These types of attacks are stealthy and very difficult to detect, as they leave no trace on hard drives. As we enter a new era in threat detection, artificial intelligence gives us new hope of tackling the specter of modern cybercrime.

AI and its subsets, machine learning and deep learning, look set to offer much-needed help in the growing search for skilled security analysts. Companies who offer solutions based on AI are at pains to stress that the technology cannot replace humans altogether; however, AI can augment the work of the security professional at a time when finding skilled staff is difficult. Together, human and machine can work in harmony to thwart threats that are extremely difficult for human eyes to discern.

 

Sources

  1. Meet the Millennials: The Next Generation of Your Information Security Workforce, I Am Cybersafe
  2. Threat Hunting Report, Crowd Research Partners
  3. Artificial Intelligence in Security Market, Markets and Markets
  4. Unsupervised Learning, MathWorks
  5. Symantec Targeted Attack Analytics Enables Customers to Uncover the Most Sophisticated and Dangerous Cyber Attacks, Symantec
  6. Dragonfly: Western energy sector targeted by sophisticated attack group, Symantec
  7. Threats Report: McAfee Labs, March 2018, McAfee