How AI is Changing Cybersecurity
First, the bad news: threat actors appear to be winning the cybersecurity arms race. We know this because, in 2021, cyber attacks were more frequent and costly for organisations than the year before. The good news: artificial intelligence (AI) may soon help defenders even out the score.
According to Ponemon Institute’s “Cost of a Data Breach 2022” report, most (83%) organisations have experienced more than one data breach. The average total cost of a breach has also reached an all-time high, meaning that falling victim to a cyber incident has never been more expensive. Between downtime costs, resource hours spent on remediation, potential ransom payments, and reputational damage, many businesses struggle to survive one cyber attack, let alone multiple.
Interestingly, the report also found that organisations that deploy security AI and automation are at an advantage. Compared to companies without AI, businesses with AI security take 74 days less to identify and contain a breach on average. For organisations with AI, breaches are also less expensive.
Here’s how AI is changing cybersecurity and how self-driving threat detection, investigation, and remediation tools like SenseOn can help defenders regain the advantage over cyber attackers.
AI Helps Security Teams Detect Threats Faster
Traditional cybersecurity tools rely on matching attack signatures to a predefined database or rule set in order to detect malicious activity. However, the types of threats a typical SOC faces are changing.
While “known” threats are still prevalent, the volume of “zero-day” exploits, i.e., never-before-seen threats, is on an upward trajectory. Last year, for example, more zero-day attacks were spotted in the wild than ever before. Unfortunately, solutions that rely on signatures alone are often ineffective against these kinds of threats.
On the other hand, AI and machine learning (ML) based tools are not restricted by what they know. AI security tools can go beyond just checking suspicious code against malware databases and also block attacks that simply resemble events previously judged as malicious. Machine learning-based security uses algorithms to observe and learn from data patterns.
When a company deploys an AI tool, the first thing the solution tends to do is learn everything about the organisation’s environment, i.e., users and devices, to determine the average behavioural baseline. This usually happens without human guidance in a process known as “unsupervised” machine learning. As the environment changes, the AI’s understanding of what this baseline looks like also evolves.
Whenever AI comes across a new pattern (for example, an employee logging in from a new location or at an unusual time of the day), it compares it to a company’s average behavioural baseline to determine if it’s benign or malicious and whether action should be taken or not.
Through unsupervised learning, organisations can detect patterns of behaviour related to previously unknown attack vectors that would be very hard for a human analyst to find.
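A toy version of the baseline-and-compare loop described above, added here as an illustration and not SenseOn's code: it builds a per-user baseline of login hours and source countries from constructed events, scores a new login by how far it sits from that baseline, and folds each scored event back in so the baseline evolves. The scoring formula, the threshold and the sample data are all assumptions.

```python
# Added example (not SenseOn's code): a minimal per-user behavioural baseline
# built from constructed login events, plus an anomaly score for a new login.
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample data: (user, login hour in UTC, source country).
LOGINS = [
    ("alice", 9, "GB"), ("alice", 10, "GB"), ("alice", 8, "GB"),
    ("alice", 9, "GB"), ("alice", 11, "GB"), ("alice", 10, "GB"),
    ("bob", 22, "US"), ("bob", 23, "US"), ("bob", 21, "DE"), ("bob", 22, "US"),
]

class Baseline:
    """Per-user baseline of login hours and locations, updated as events arrive."""
    def __init__(self):
        self.hours = defaultdict(list)
        self.locations = defaultdict(Counter)

    def observe(self, user, hour, country):
        self.hours[user].append(hour)
        self.locations[user][country] += 1

    def score(self, user, hour, country):
        """Anomaly score >= 0; higher means further from this user's baseline."""
        hours = self.hours.get(user)
        if not hours:
            return float("inf")  # unknown user: nothing to compare against
        # Hour deviation in standard deviations (floor the spread at 1h to avoid /0).
        spread = max(pstdev(hours), 1.0)
        hour_dev = abs(hour - mean(hours)) / spread
        # Location novelty: 1.0 if never seen, otherwise how rare it is for this user.
        seen = self.locations[user]
        loc_dev = 1.0 - seen[country] / sum(seen.values())
        return hour_dev + loc_dev

def build_baseline(events):
    b = Baseline()
    for user, hour, country in events:
        b.observe(user, hour, country)
    return b

def classify(baseline, event, threshold=2.0):
    """Label an event against the baseline, then fold it in so the baseline evolves."""
    label = "anomalous" if baseline.score(*event) > threshold else "benign"
    baseline.observe(*event)
    return label

if __name__ == "__main__":
    b = build_baseline(LOGINS)
    for ev in [("alice", 10, "GB"), ("alice", 3, "BR"), ("bob", 21, "DE")]:
        print(ev, classify(b, ev))
```

A rare-but-seen location at a slightly unusual hour (bob from DE at 21:00) stays under the threshold, while a never-seen country at 03:00 for alice does not.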
To put this into perspective, imagine a company that suffers a breach on the 1st of January 2022. If that company had a fully deployed AI security solution, the breach would more than likely be identified and contained by the 6th of September 2022 (according to the Ponemon Institute report). In contrast, if that company did not use AI, the same breach would not be identified and contained until the 19th of November 2022—more than two months later.
The longer it takes to identify an intruder, the more damage they can do, and the more the resulting breach will likely cost.
It Also Makes Remediation Easier
Besides flagging threats that may otherwise slip through the cracks, AI can also guide remediation priorities. It does so by ranking security alerts based on how risky they are in real-time.
As a result, security analysts don’t have to spend time figuring out which potential threats to address first—they can get straight to fixing them. This is important as close to 1 in 2 analysts say they receive too many alerts. A similar number say they find it difficult to know which alerts to prioritise. With so much time spent on tedious manual work, it is perhaps no coincidence that there are vastly more security analysts who feel burned out at work than those who do not.
By eliminating Tier 1 and Tier 2 analysts’ most hated tasks, AI not only improves job satisfaction and organisational security but can also help close the cybersecurity skills gap. Analysts who were once stuck triaging alerts can be trained for more strategic roles, like handling actual security challenges.
Increasingly, AI can also remediate threats on security analysts’ behalf. For example, in the event of a ransomware attack, SenseOn can automatically isolate the infected device to prevent malware from spreading to the rest of the network and then escalate the issue to the SOC for further action.
According to VentureBeat, AI and ML use cases that reduce security analysts’ workload are ones for which CISOs see the greatest payoff.
Not All AI-Based Security Solutions Are Created Equal
Unsurprisingly, AI adoption in cybersecurity is rising. Between 2021 and 2022, the share of businesses with fully/partially deployed AI grew from 65% to 70%.
However, some organisations have more luck with AI deployments than others. A recent Devo survey of organisations that use AI-based tools found that the vast majority have encountered challenges that make their AI deployments less effective than they could be. Challenges cited include too much noise to sift through, critical events not being flagged properly, and misunderstanding of AI outputs.
In most of these cases, data, or the lack of it, is to blame. Speaking to the United States Senate Armed Services Subcommittee on Cybersecurity earlier in the year, director of Google Cloud AI Dr Andrew Moore said that without data, AI is “pretty worthless.” According to Moore, AI can’t function with siloed data. For AI to perform optimally, it needs access to as much data as possible and a full interchange of disparate data sets.
Where SenseOn Comes In
SenseOn breaks down data silos by consolidating multiple tools (EDR, NDR, SOAR, SIEM and AV) into a single solution.
Deployed across an organisation’s endpoints and servers, and through Investigator Microservices that gather additional intelligence, SenseOn can collect data from an entire network. Its AI/ML algorithms then compare this data and look at it from different perspectives, pausing for thought and learning from experience, much like a human analyst would. This unique capability helps SenseOn separate signal from noise.
To make analysts’ jobs even easier, SenseOn collects all related alerts into a threat “case.” In a case, each event is broken down chronologically. Every case is also mapped to the MITRE ATT&CK framework. This way, analysts can know exactly what occurred and what needs to happen next—at a glance. Cases are also prioritised depending on how critical they are. The severity of each case is upgraded and downgraded automatically based on the available information at any given moment.
With AI saving analysts hours of time and stopping some of the worst threats from escalating, it’s easy to see why it is touted as a “force multiplier” for SOCs.