Currently, the new trends in cyber security are the use of artificial intelligence (AI) and machine-learning to predict threats before they are even conceived. Nowadays, having a simple endpoint security without some component of machine-learning and data science has become incredibly outdated and, simply, just not enough. While the arrival of AI may have initially seemed to be a threat to security professionals, worried that machines might take over their jobs, the shift towards combining it with machine-learning greatly benefits users and their security.
The use of artificial intelligence was a result of a slow evolution in the cyber security world. For many years, the main concept of cyber security was “defense-in-depth”, where the basic idea was to have as many protective layers as possible in front of the assets. Mechanisms like firewalls, antiviruses, anti-spam, IPSs, IDSs and such, were all used collectively in the hopes of preventing cyber attacks.
These systems work mainly by matching signatures and hashes to known values, as is the case with antiviruses and anti-spam, or by matching preconfigured rules to traffic, such as firewalls and IPSs. If a match is found, an action is taken, like dropping a connection or placing a suspect file in quarantine. This method worked very well…for a while.
However, because of the static nature of these methods, they are incapable of adapting to modern attacks & threats. As example, fileless malware which runs on memory without touching the disk and which uses encrypted channels for communication with command & control servers would have been undetected by traditional defense mechanisms. Thus, a different approach was needed.
Eventually, the underlying concept was changed to fit a model where all defense systems are integrated and work together to cover all bases = UTM (Unified Threat Management). The concept of UTM is all systems are integrated, thus less possible holes to bypass. This methodology proved to be somewhat helpful.
Yet, it was discovered that this was still not enough. The concept of machine-learning and artificial intelligence was then added to security solutions. The principal idea was to catch threats in real-time and block attacks before they are even conceived. Even patching systems became more automated to improve the customer’s experience. Once again, the premise didn’t quite pan out as intended.
Nonetheless, it did quicken the analysis of new exploits and weakness, not to mention that response time for mitigations became available in record time. If an attack happened on a remote machine in the middle of nowhere, an AI agent would pick up the IOCs (Indicator of Compromise), and all machines connected to that network would be able to prevent, or at the very least, mitigate that attack. With that picture in mind, it is easy to understand why some security professionals became concerned about their job security (no pun intended).
On the side of networks, algorithms that collect and analyze data in real-time appeared, working with models to categorize all traffic as malicious or benign. Metrics, such as IP addresses, file hashes, and domain names, started being used to categorize data automatically. This allowed offloading of human resources, reducing cost and increasing effectiveness. Such techniques, when combined with technology (SSL Inspection – encrypted packets are unencrypted, checked, and re-encrypted), made for much safer networks.
However, AI is not the end-all solution to cyber security. APTs (Advanced Persistent Threat) are known to have bypassed machine-learning solutions, showing that there are flaws and weaknesses in artificial intelligence software. After all, the first thing we learn in cyber security is that no perfect software exists, and AI is a form of software.
In summary, an effective security solution needs to have artificial intelligence and machine-learning components integrated. The benefits are just too evident to be ignored, and the solution is proven to be effective. Unfortunately, cybercriminals – as always – are catching up and starting to use these tools themselves. It is time for our industry to fully integrate these technologies and put them to the best use. With advanced threats knocking at our door, the need for meticulous resource allocation is needed more than ever. Humans and machines need to work (and can) cohesively to achieve excellence in the field of cyber security.
Rafael Souza, Cyber Security Consultant
