How AI Can Help Close the Security Gap

It is no secret that enterprises are increasing their digital footprint by bringing more and more of their business operations online, and corporate networks now extend to a wide range of mobile devices and apps, personal and SaaS web sites, public cloud infrastructure, IoT devices and third-party systems. Each of these new components expands the attack surface of the network and provides perpetrators with a myriad of ways to breach the enterprise.

Meanwhile, enterprise security teams are overwhelmed by the large number of threats and security events they encounter on a daily basis, and consequently are unable to find the time and money to develop a strategy that can rein in the explosion of cyber breach risk. The problem is particularly bad for smaller, non-Fortune 500 businesses, which either underestimate breach risk or struggle to find skilled cyber defenders and fund expensive security operations and projects.

This is where artificial intelligence (AI) technologies can come in. If leveraged correctly, AI can help close the gap between the growing threat landscape and our cyber-defense capabilities.

Discovering All of Your Threat Vectors

In any organization of non-trivial size, the first challenge is getting a handle on all of the entities in the network – the various devices, users and applications – and understanding their attack surface. This is especially challenging because personal and connected devices, along with many cloud applications, are frequently unmanaged – yet they remain a part of corporate infrastructure and often house an abundance of critical business data.

Furthermore, traditional vulnerability assessment tools are episodic rather than continuous – you run them once or twice a month, and they lack the granularity to spot rapid changes in the environment. Increasingly, IT has no idea what a particular entity actually does, except that someone or something somewhere in the business might be interacting with it. In smaller organizations, the situation is typically much worse, with likely no one keeping track of what’s on the network or how the network is doing security-wise.

So how do you discover these devices and applications, and categorize them in terms of risk severity? AI can help here because it can observe and analyze every entity in your environment automatically and continuously – even the unmanaged and opaque ones.

The AI system first has to gather any and all information available about the entities: from network traffic and behavior and, if available, from endpoint state, internal databases, or even sources outside the enterprise, e.g., a web page on the Internet that describes the function of a specific type of entity. This sampled data, often incomplete, is brought together and used to categorize and prioritize the assets that represent the biggest targets for attackers. AI can do this quite well, continuously and in real time, 24x7.

Determining the Likelihood of Being Breached

Once all the entities on the network are discovered, we need a way to predict the likelihood of them being breached. Traditionally, this is the domain of expert security analysts who draw upon their experience to come up with an overall estimate of the security posture of the entities in your network.

As you can imagine, this task is painstaking and slow. Also, as soon as the analyst is done, the report is obsolete because even a simple software or configuration change to these entities might change the security posture. Furthermore, even the best analysts struggle to understand all aspects of risk – the human brain can usually deal with computations involving a few dimensions of risk, perhaps four, five or 10 at the most.

A truly accurate risk calculation will often encompass factors from hundreds of dimensions of risk. This is no small task; among other things, risk assessment teams have to consider: How likely is it that employees will click on links embedded in emails and messages, or click through warning dialogs? How strong are their passwords? Where does this particular user browse? What security controls are installed, and which are going to be effective? These and similar observations will be needed for every asset.

For humans, this kind of analysis across hundreds of factors is extremely difficult to do manually or with traditional analytics approaches. AI, on the other hand, has the ability to analyze all entity data and calculate which devices have the highest likelihood of attack. Essentially, AI has the ability to analyze and cross-reference very large sets of variables, then produce risk sub-scores and super-scores based on key criteria.

What’s more, AI has the ability to see patterns in large data sets. From there, it can strip away all of the superfluous information and home in on what’s most important in order to locate the device or application that is most at risk, and why. This might include factors that to the human eye might seem unrelated, but ultimately combine to produce high risk.

Assessing the Business Impact

If you tell C-level executives that a system or application is at risk, they’ll likely ask “What’s the business impact?” To find that out, you need to know the distribution of business impact within your environment. Not all devices are equally valuable: some entities are extremely valuable – machines that house sensitive customer data or intellectual property, for example – while others are less important.

Every entity has a different business impact and it’s up to the security organization to learn it and put it in context. That often requires asking: What kind of roles does this particular device have? What kind of infrastructure does it interact with? What kind of business processes is it part of that are important to the business?

AI has the ability to learn and apply unique factors to each device and application in the network and infrastructure by continuously and automatically examining how each entity is used in the operation of the business, as manifested in network traffic and endpoint behavior.

Here AI might need a little input from the business side for specific systems, such as the dollar value of a particular web server, but it can derive and calculate business impact values for the vast majority of systems automatically, by following the dependencies and relationships it has discovered and learned on its own.

Becoming informed about business impact gives organizations the final piece of their complex and comprehensive risk puzzle. This big picture will arm security teams with the ability to create a heat map of all devices that will tell them which ones are most likely to be compromised, and under what scenarios.
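To make the risk puzzle above concrete, the following is an added illustration (not code from the article or any product it alludes to) of the three pieces it describes: per-group sub-scores rolled up into a likelihood super-score, business impact propagated along discovered dependencies so that a system with no stated value of its own inherits the value of what relies on it, and a heat-map ranking that keeps the dominant factor as the "why". The group weights, decay factor, factor names and inventory are all constructed assumptions standing in for what a learned model would supply.

```python
from dataclasses import dataclass, field
GROUP_WEIGHTS = {"user": 0.4, "exposure": 0.4, "controls": 0.2}  # constructed stand-in for learned weights; factors are 0..1, higher = riskier

@dataclass
class Entity:
    name: str
    factors: dict                                    # group -> {factor_name: value}
    impact: float = 0.0                              # direct business value (0 = unknown)
    depends_on: list = field(default_factory=list)   # names this entity relies on

def sub_scores(e):
    """One sub-score per factor group: the mean of that group's factors."""
    return {g: sum(v.values()) / len(v) for g, v in e.factors.items() if v}

def likelihood(e):
    """Super-score: weighted sub-scores; groups with no telemetry are skipped and the
    remaining weights renormalised, so missing data cannot quietly lower a score."""
    subs = sub_scores(e)
    total_w = sum(GROUP_WEIGHTS[g] for g in subs)
    return sum(GROUP_WEIGHTS[g] * s for g, s in subs.items()) / total_w if total_w else 0.0

def business_impact(entities, decay=0.8):
    """Propagate impact upstream along dependencies: an entity inherits a discounted
    share of the impact of whatever relies on it. Converges because decay < 1."""
    impact = {e.name: e.impact for e in entities}
    changed = True
    while changed:
        changed = False
        for e in entities:
            for dep in e.depends_on:
                if decay * impact[e.name] > impact[dep] + 1e-9:
                    impact[dep], changed = decay * impact[e.name], True
    return impact

def heat_map(entities):
    """Rank by likelihood x impact, keeping the dominant sub-score as the 'why'."""
    impact = business_impact(entities)
    rows = [(e.name, likelihood(e) * impact[e.name],
             max(sub_scores(e), key=sub_scores(e).get, default="n/a")) for e in entities]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory; the unmanaged DNS box has no stated value of its own.
SAMPLE_ENTITIES = [
    Entity("customer-db", {"exposure": {"public": 0.0, "unpatched": 0.3}, "controls": {"no_edr": 0.0}},
           impact=1.0, depends_on=["dns-01"]),
    Entity("web-01", {"exposure": {"public": 1.0, "unpatched": 0.6}, "controls": {"no_edr": 0.5}},
           impact=0.3, depends_on=["customer-db"]),
    Entity("dns-01", {"exposure": {"public": 0.0, "unpatched": 0.8}, "controls": {"no_edr": 1.0}}),
    Entity("laptop-jdoe", {"user": {"phish_clicks": 0.7, "weak_password": 0.5}, "controls": {"no_edr": 0.0}}, impact=0.1),
]
```

Run `heat_map(SAMPLE_ENTITIES)` and the unmanaged `dns-01` tops the list (risk 0.48, driven by its missing controls) even though nobody assigned it a value, because the customer database depends on it; the Internet-facing web server comes second and the high-value but well-controlled database third.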

AI can also expose specific information on the factors that are driving high risk for the organization, and provide tactical and strategic prescriptions to improve the risk posture. As the threat landscape changes, certain situations can be highlighted and prescriptions can be prioritized. That in turn will enable security teams to put feet to the data, and take informed and deliberate action to reduce risk and prevent breaches.
