The landscape of possible cyberthreats is rapidly changing, exploiting vulnerabilities in new technologies, systematically jeopardizing wide and multifaceted systems, and threatening the security of an ever-increasing amount of information.
The question follows naturally: how can we secure our infrastructures, systems, and information in this new landscape? Many solutions are already available. Outstanding research programs are already developing and implementing techniques to secure both new technologies, such as new Radio Access Networks and Software Defined Networks, and devices, for example lightweight security technologies for IoT devices.
But will this be enough? Probably not. Cyberattacks will evolve together with our technologies, and not only the techniques but also the sheer number of attacks will grow exponentially. According to Cybersecurity Ventures, a total of 111 billion lines of new software code were written in 2017, which offer cybercriminals a vast volume of vulnerabilities waiting for exploitation.
How can we identify unknown and unexpected threats in a landscape that is constantly evolving?
Security teams are becoming more and more dependent on the implementation of technologies able to support humans in the analysis of possible threats.
Just a few decades ago, early detection of abuse was often the result of personal creative thinking and problem solving, but these efforts were neither organized nor repeatable. Talking about the 5 most relevant questions for a SOC analyst on the Recorded Future Podcast, Denver Durham, an intelligence consultant with a background in the U.S. Army as an intelligence analyst, points out that at the beginning of his career he had to go out and literally search the internet every single day, setting up RSS feeds just to read articles and blogs, and then either copy and paste the new IOCs that came up into an internal database or hand-type all of them. If this was perhaps feasible about 10 years ago, it is now definitely outdated.
New technologies are just around the corner: Machine Learning techniques, a sub-branch of Artificial Intelligence, can effectively provide a digital pair of hands when it comes to optimizing cybersecurity paradigms, automating workflows, and coherently investigating security-generated alerts by performing preliminary investigations and cutting down the number of false positives, hence making human analysis a lot more efficient.
Human intelligence is extremely versatile and indispensable, but it is limited. Why was AlphaGo able to beat the best Go world champions? Because AlphaGo can process, analyze, and “memorize” billions of data points within a few milliseconds. This allows the sophisticated neural network that underpins AlphaGo to make better predictions of future moves on the board.
Humans cannot do this. And it is not just a matter of how long it takes us to learn compared with how long it takes a machine learning algorithm to learn. The point is that properly trained automatic systems have the capability of attaining what humans cannot: machine learning algorithms learn by extracting patterns from the training dataset and constantly update their knowledge on the basis of the data they encounter. Furthermore, on the basis of the knowledge stored in the system, they can process and correlate a huge amount of data, and therefore of information, in a split second.
Hence, Machine Learning (ML) techniques are extremely useful in those areas in which the constant flow of information that needs to be monitored and processed is already rapidly growing and will reach unprecedented peaks in the next few years. On the one side, AI learns by consuming billions of data artifacts from both structured and unstructured sources, constantly improving its knowledge to understand cybersecurity threats and cyber risks. AI helps gather insights and use reasoning to identify the relationships between threats, such as malicious files, suspicious IP addresses, and so on. The speed at which ML algorithms can analyze data, detect patterns, and identify possible risks allows security analysts to respond to threats up to 60 times faster. Machine learning techniques augment our capabilities in securing our data from possible cyber threats.
For instance, machine learning in a SIEM can enable threat analytics and create notifications of risk in real time. Part of the appeal of Machine Learning algorithms lies in their ability to predict future data from previous patterns and to use patterns from previous breaches to detect activities indicative of potential infiltration. Clustering allows Machine Learning to identify unknown values and group them together based on similarity, which is essential to successful forensic analysis efforts.
Machine Learning techniques are also extremely useful in detecting and tracking phishing sources, as well as in reacting and remediating much more quickly than humans can. Along the same lines, DNS protection can hugely benefit from implementing machine learning based techniques, which can rapidly process a high number of domain names and a volume of new registrations that ranges from 90 to 150 thousand per day.
However, AI alone does not guarantee security. Having strong detection capabilities constitutes a major step toward better and stronger cybersecurity, but it is not the only step. There will always be a need for a human analyst both to monitor the systems and to analyze what they report as potentially malicious. Furthermore, the effectiveness of Machine Learning algorithms depends heavily on the training data set, making the initial collection of data about already existing threats and other relevant information of fundamental importance. AI and ML based systems are, in the end, initiated by and grounded in researchers’ decisions. The interaction of humans and machines will not just be a key factor of our everyday life; it will also be the key to protecting our privacy, our information, and our businesses. AI, and its subset of Machine Learning techniques, can help security analysts and leaders ask the right questions, making detection of threats faster and more accurate and allowing preventive actions and immediate responses.