Hardly a day goes by without new information being shared about how AI and machine learning have automated something new. From smart speakers in the home to autonomous driving on the road, these technologies are revolutionizing the world in a way we could never have dreamed possible. It’s no different in IT security.
“AI-enabled response to cyber threats is the new frontier in cybersecurity,” says a recent Capgemini Research Institute report based on a survey of IT security executives. Some 69 percent of respondents worldwide think AI will be necessary to respond to cyberattacks; among U.S. respondents, the percentage shoots up to 83.
It’s worth noting that Capgemini surveyed only the largest enterprises. The 850 executives polled (in seven industries across 10 countries) came from companies with revenues ranging from $1 billion to over $50 billion. That doesn’t mean small and medium-sized organizations can’t leverage these technologies. However, there is a limit to what AI can do on its own, and SMBs may get more benefit from a managed IT security service that incorporates AI and machine learning alongside human analysts.
Netrix’s RADAR does that. It is a complete end-to-end threat detection and response platform and service, designed from the ground up, that grew directly out of Netrix’s experience with SMB customers.
The service is based on three key pillars:
It seems obvious that you must be able to see what’s going on across your network and all of your systems in order to have good security. But many companies have acquired a collection of point solutions – products or programs that monitor only particular systems or that are designed for the security needs of a particular vertical industry. The problem is, even with best-of-breed products, these solutions usually do not work together to provide a comprehensive view of your organization. What’s more, point solutions can be expensive, and many include features you either don’t need or that duplicate what you already have.
Other managed service providers limit the information they collect and the systems they monitor, ignoring massive amounts of data produced by your network, systems and apps. RADAR uses all of that data. “We’ll process everything we can get our hands on,” says Ron Schlecht Jr., founder and managing partner of Netrix Global. “Visibility and correlation are paramount to our service mission.”
Netrix’s experienced team works with you to make sure RADAR covers 100 percent of your data sources. They will even develop custom scripts to connect specific, custom or proprietary systems or apps to the platform.
As RADAR processes your data, the system establishes a baseline of “normal” activity for your organization. Even at the beginning, however, RADAR proves its mettle. “No matter what security tools a client has been using, we typically find the first incident on the first day of deployment,” says Schlecht.
A typical RADAR implementation takes six weeks (to cover everything) and ingests data from 500 different sources on average. After establishing what’s normal for your company, it continues to update and refine the baseline on an ongoing basis. The machine is constantly learning from the data and refining how it detects anomalies.
The human element and reasoning matter
The capabilities of RADAR range from applying simple logic rules – if it detects five failed login attempts within a span of two minutes or less, for example, it sends an alert – to more complex machine learning and AI. But the “intelligence” in the latter is still rudimentary. The program can flag events but cannot put them into context in order to gauge their importance.
That’s where human beings play a critical role. RADAR’s team of cybersecurity experts examine these alerts and determine which indicate real and present dangers.
The combination of machine and human intelligence and reasoning is particularly valuable for SMBs. First, these organizations typically are very lean. Their IT staffs have their hands full without having to field hundreds of alerts a day. In fact, IT probably ignores log data it already has simply because there’s no time to deal with it. Remember all those point solutions? Each one is different and takes time to manage, not to mention trying to correlate data among them. Plus, IT and cybersecurity are different disciplines. IT professionals have an “availability-first” mindset. They are trained to keep everything up and running. Cyber analysts consider security first.
Second, even if a company has the budget to hire cybersecurity professionals, a severe talent shortage makes qualified people hard to find. (ISC)2 – the world’s largest nonprofit association of certified cybersecurity specialists — says there is a gap of almost 3 million cybersecurity professionals across the world. In a survey by the Enterprise Strategy Group and the Information Systems Security Association (ISSA), two-thirds of respondents said the cyber skills shortage has increased the workload of their existing IT staff. Some 47 percent of respondents said that increases in workload left them little or no time to learn and use security technologies to their full potential.
Even the largest companies have trouble finding talent; and they recognize that they need to use the specialists that they do have more wisely and strategically. These companies say that their cyber analysts are being overwhelmed by alerts, according to the Capgemini report, spending too much time doing grunt work like going through data logs and incident time sheets. “They are counting on AI to help these overwhelmed staff,” says the report.
The (ISC)2 report also hits on this theme. Security professionals want to do less security administration, incident response and endpoint security management. “They’d rather be spending time on more high value cybersecurity tasks such as threat intelligence analysis, penetration testing and forensics,” says the report.
RADAR combines the capabilities of machine learning and human reasoning, creating a funnel that results in an efficient and effective security system. And both the machine and the humans are always learning.
Because RADAR is constantly analyzing data and feedback from human analysts, it learns more about the patterns of your organization and fine-tunes its rules. Here’s an example of how that works:
RADAR might start with a rule designed to catch spoofed emails. That rule may also block legitimate traffic that shares the attributes of spoofed email – such as Constant Contact newsletters from your vendors, or messages from customers and other people you want to hear from. As analysts repeatedly clear those alerts as acceptable, the system learns from their dispositions and begins treating those senders as normal activity.
Over time, this reduces the number of false positives and increases the time human analysts can spend on real and significant threats. “By collecting, analyzing and learning from all that data, the machine part of RADAR is doing the heavy lifting. Machines are really good at repetition – executing things over and over again in the same way,” says Wilson. “Humans are good at intuition. So, we task the machine with something that’s easily repeatable, so you don’t have the human do the dumb work. You have the humans do the smart work.”
The human analysts then further narrow the funnel by bringing intuition, human reasoning and intelligence, an understanding of context, and plain old common sense to address the issue at hand.
Envision your staff returning to work after a long holiday weekend, for example. An employee logs into the system but mistypes his password a few times. The strict rules by which RADAR operates would flag these “unauthorized access attempts” as a possible threat. But the cyber analyst considers the context. First, it’s the first day after a long weekend. Second, the employee is trying to access email, not a mission-critical system accessible by only a few privileged accounts. Thus, the analyst can reasonably conclude that this is not a threat. On the other hand, if there are 50 such attempts against one account rather than five, the analyst might suspect a brute-force attack; if 50 different employees are each failing a login from the same source, that pattern looks like password spraying, which a per-account threshold rule alone will never trip. Either way, the analyst investigates further and sounds the alarm if appropriate.
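The two layers described above, as an added illustration that is not RADAR’s code and not from the original article: the simple per-user rule (five failures within two minutes), a triage step that applies the context an analyst would (how many failures, against what kind of system, and whether a successful login followed), and a second rule over the same events keyed on source address rather than user, which is what catches the 50-different-accounts case. The log format, the privileged-target list, the 5-minute grace period and all sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for the example: which targets count as "mission-critical".
PRIVILEGED_TARGETS = {"domain-admin", "hypervisor"}


def parse_log(text):
    """Parse constructed lines of the form '<ISO ts> <user> <src_ip> <target> <OK|FAIL>'."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, target, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "target": target, "ok": result == "OK"})
    return sorted(events, key=lambda e: e["ts"])


def failed_login_rule(events, threshold=5, window=timedelta(minutes=2)):
    """The simple rule from the text: N failures for one user inside the window.
    Emits one alert per user covering the whole burst that starts the window."""
    alerts = []
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["user"]].append(e)
    for user, evs in fails.items():
        i = 0
        for j, e in enumerate(evs):
            while e["ts"] - evs[i]["ts"] > window:   # slide the window forward
                i += 1
            if j - i + 1 >= threshold:
                start = evs[i]["ts"]
                burst = [x for x in evs if start <= x["ts"] <= start + window]
                alerts.append({"user": user, "src": e["src"], "target": e["target"],
                               "start": start, "count": len(burst)})
                break
    return alerts


def triage(alert, events, brute_threshold=50, grace=timedelta(minutes=5)):
    """Apply analyst context: volume, sensitivity of the target, and whether the
    user eventually got in (the 'forgot my password after the weekend' case)."""
    if alert["count"] >= brute_threshold:
        return "brute_force"
    if alert["target"] in PRIVILEGED_TARGETS:
        return "investigate"
    later_ok = any(e["user"] == alert["user"] and e["ok"]
                   and alert["start"] <= e["ts"] <= alert["start"] + grace
                   for e in events)
    return "benign" if later_ok else "investigate"


def password_spray_rule(events, min_users=50, window=timedelta(minutes=2)):
    """What the per-user rule cannot see: many distinct accounts failing from one source."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        i = 0
        for j, e in enumerate(evs):
            while e["ts"] - evs[i]["ts"] > window:
                i += 1
            users = {x["user"] for x in evs[i:j + 1]}
            if len(users) >= min_users:
                alerts.append({"src": src, "users": len(users), "start": evs[i]["ts"]})
                break
    return alerts


def build_sample_log():
    """Constructed events (not real telemetry) for the three scenarios in the text."""
    t0 = datetime(2024, 5, 28, 8, 0, 0)   # first morning back after a long weekend
    lines = []
    # carol: five typos on the mail server, then a successful login
    for k in range(5):
        lines.append(f"{(t0 + timedelta(seconds=15 * k)).isoformat()} carol 10.0.0.12 mail FAIL")
    lines.append(f"{(t0 + timedelta(seconds=90)).isoformat()} carol 10.0.0.12 mail OK")
    # bob's account: 60 failures in two minutes on the VPN from one outside address
    for k in range(60):
        lines.append(f"{(t0 + timedelta(hours=1, seconds=2 * k)).isoformat()} bob 203.0.113.7 vpn FAIL")
    # spray: 50 different accounts, one failure each, all from one address
    for k in range(50):
        lines.append(f"{(t0 + timedelta(hours=2, seconds=2 * k)).isoformat()} user{k:02d} 198.51.100.9 mail FAIL")
    return "\n".join(lines)


def run(text=None):
    """Return (per-user verdicts, spray alerts) for the given or the sample log."""
    events = parse_log(text or build_sample_log())
    verdicts = {a["user"]: triage(a, events) for a in failed_login_rule(events)}
    return verdicts, password_spray_rule(events)


if __name__ == "__main__":
    print(run())
```

On the sample log the per-user rule fires for carol and bob; triage clears carol (low volume, non-privileged target, success shortly after) and escalates bob as brute force. The 50 sprayed accounts never trip the per-user rule at all, which is exactly why the second rule correlates on source address instead.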
As they work together, the machine and human “winnowing” means that some 350 alerts a day are ultimately reduced to only a few potential threats deserving attention. “A RADAR customer is notified only about 20 times a month, and only with a thoroughly vetted security threat, along with recommendations on how to mitigate it,” says Wilson.
In summary, while the latest advances in AI can supplement cybersecurity, well-trained cybersecurity professionals are still your best defense. Technology alone is not the answer today or for the foreseeable future.
With no end in sight to the shortage of cybersecurity talent, it makes sense to use technology to make the most of the cyber talent you have. Some 63 percent of the large companies Capgemini surveyed said they plan to use AI by 2020, mostly to improve the accuracy and efficiency of their cybersecurity specialists. Small and medium-sized organizations can similarly benefit by engaging a managed service provider that uses a combination of technology and human intelligence to secure their organizations.