How AI is paving the way for intelligent cloud security
These days, any reference to artificial intelligence (AI) invariably brings to mind menacing images of the murderous AI-driven cyborgs from the Terminator film franchise.
The implication is that AI will eventually become smarter than the people that created it – but as real-world security specialists increasingly harness the technology to improve information-security protections, that is exactly the outcome they’re hoping for. Outsmarting human attackers, after all, is the goal of any information-security defence – and one security defence after another has fallen as attackers develop new ways to bypass them.
Assailants often quietly probe your network for vulnerabilities over time, using ‘low-and-slow’ attack methods to fly under the radar of systems designed to detect anomalous network behaviour. In fact, recent figures from FireEye’s M-Trends 2017 report suggested attackers linger undetected for a median of 99 days.
Other attackers assume the identity of trusted users, piggybacking on their access to explore and steal confidential data – the equivalent of stealing a staff ID card and walking in the company’s front door. Others let users do the dirty work, using social-engineering and phishing tactics that bury malware in seemingly innocuous email attachments.
The needle in the haystack
Whatever form an attack takes, the ability to detect and block such activity is a critical part of any modern cybersecurity defence. Security staff have enlisted a range of tools to help spot intruders, but the odds are stacked against them due to the sheer volume of security alerts generated by often overcautious security information and event management (SIEM) systems.
Even after the filtering carried out by SIEM systems, 44 per cent of security operations managers responding to Cisco’s 2017 Security Capabilities Benchmark Study said they were seeing over 5000 security alerts per day. Of these, they could only investigate 56 per cent, with only 28 per cent deemed legitimate and just 46 per cent of legitimate alerts actually being dealt with.
That’s leaving a massive window through which attackers can – and do – regularly climb without security staff even knowing about it. AI tools offer a way of closing those windows of opportunity, monitoring masses of security alerts as well as baselining normal activity so that even subtle but uncharacteristic activity can be flagged.
If an executive’s account has been quiet for several weeks and is then used to download many gigabytes of files, for example, it’s likely that her password has been used by an attacker. The same goes if an HR executive’s details are suddenly used to log into an R&D system with details of upcoming products.
“Without knowing each of the individuals involved, you need to know what each individual is doing differently,” explains Paul Gibbs, Director of Regional Security with DXC Technology. “It’s not just about people who are doing new things; it’s about using AI to identify who is no longer active, and making sure we ask the question ‘why?’”
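The two scenarios above (a dormant executive account suddenly moving gigabytes, an HR account touching an R&D system) and Gibbs’ question about who has gone quiet can be expressed as simple per-user baselining. The following is an added illustration, not code from the article or from DXC; the log format, user names, systems and thresholds are all assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer log: (timestamp, user, system, bytes_out). Not real data.
EVENTS = [
    ("2017-05-01T09:12", "exec.jane", "finance-share", 120_000_000),
    ("2017-05-02T10:05", "exec.jane", "finance-share", 80_000_000),
    ("2017-05-03T08:40", "exec.jane", "mail", 5_000_000),
    ("2017-05-02T09:00", "hr.lee", "hr-system", 2_000_000),
    ("2017-05-03T09:30", "hr.lee", "hr-system", 3_000_000),
    ("2017-05-04T09:10", "hr.lee", "mail", 1_000_000),
    ("2017-05-04T14:00", "dev.sam", "rnd-system", 900_000_000),
    # the executive's account is quiet for four weeks, then pulls 20 GB at 2 a.m.
    ("2017-06-01T02:15", "exec.jane", "finance-share", 20_000_000_000),
    # the HR account is suddenly used against the R&D system
    ("2017-06-01T11:20", "hr.lee", "rnd-system", 4_000_000),
]

MIN_HISTORY = 3     # events needed before a user's baseline is trusted (assumed)
DORMANT_DAYS = 14   # gap that counts as "quiet for several weeks" (assumed)
VOLUME_FACTOR = 10  # transfer must exceed 10x the user's previous peak (assumed)

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def detect(events):
    """Replay events in time order; each user is judged only against their own past."""
    seen = defaultdict(lambda: {"systems": set(), "peak": 0, "last": None, "n": 0})
    alerts = []
    for raw, user, system, nbytes in sorted(events):
        t, s = ts(raw), seen[user]
        if s["n"] >= MIN_HISTORY:  # skip users whose baseline is still being learned
            dormant = t - s["last"] >= timedelta(days=DORMANT_DAYS)
            if dormant and nbytes > VOLUME_FACTOR * s["peak"]:
                alerts.append((user, "dormant-account-large-transfer", raw))
            if system not in s["systems"]:
                alerts.append((user, "first-access:" + system, raw))
        s["systems"].add(system)          # update the baseline after judging the event
        s["peak"] = max(s["peak"], nbytes)
        s["last"], s["n"] = t, s["n"] + 1
    return alerts, seen

def inactive_users(seen, now, days=DORMANT_DAYS):
    """The other question Gibbs raises: which accounts have gone quiet?"""
    cutoff = now - timedelta(days=days)
    return sorted(u for u, s in seen.items() if s["last"] < cutoff)
```

A real deployment would learn the thresholds per user and per client rather than hard-coding them, which is the contextualisation Gibbs describes.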
In particular, AI is gaining currency as businesses face up to growing compliance demands from Australia’s new Notifiable Data Breach (NDB) scheme, the European Union’s General Data Protection Regulation (GDPR), and tighter requirements for handling of financial data under updated PCI DSS requirements. All require close scrutiny of network activity – and can impose serious penalties if security breaches go undetected.
AI lives in the cloud
The more that AI is used in an environment, the better it gets at detecting potential security breaches. This is because ever-growing quantities of data help AI refine its perception of what is normal activity, and what is anomalous. And while some companies are implementing AI-enhanced tools for on-premises use, AI is rapidly being democratised as security providers build AI engines that operate entirely in the cloud.
Cloud-based AI is particularly desirable for several reasons. The first relates to scale: by aggregating masses of data from many customer environments in a single centralised model, cloud-based threat-intelligence tools give AI engines vast amounts of data to process.
This helps refine their models for a broader range of use cases and activities: “what you don’t want is to set the same benchmark for every client,” says Gibbs, noting that DXC has been exploring the application of AI engines to security-related work for its clients.
“It’s about contextualisation of a client, and we are getting to the point where we are deploying content from threat-intelligence sources mixed with our own knowledge of particular clients.”
It also helps propagate alarms about new attacks much faster than in the past, since the hallmark behaviours of a compromise detected at one company are instantly conveyed to every other company using the service.
Running AI in the cloud makes it easy for security vendors and cloud service providers (CSPs) to add AI as a service without having to source and keep their own in-house data-analytics experts. Instead, they can leverage the expertise of cloud providers like Amazon Web Services, Microsoft, Google, and others, which are powering AI-driven security tools from a range of sources.
As security innovators bundle AI into all manner of new products, infrastructure providers will have new opportunities to bundle intelligent security assistants with their cloud-access technologies – providing essential value-added capabilities that can improve the security defences and compliance of nearly any customer.
Little wonder that Gartner called AI the “primary battleground for technology vendors” for the next few years.
We’re still a long way from creating Skynet or any of Hollywood’s many other malicious AI-driven movie tropes. That said, given how quickly AI is establishing its value within the security space, soon it’s going to be hard to find any aspect of information security that the technology has not touched.