AI Done Right – Not all AI-powered Network Security is Created Equal

Here at Lastline, we talk a lot about AI Done Right. But what does that mean? And how does our use of AI differ from that of other vendors? Today I’d like to take the opportunity to explain. To start, let’s look at why artificial intelligence (AI) in general has received so much attention lately.

Today’s Security Challenges

Organizations face numerous challenges to their information security in today’s world. Three obstacles, in particular, stand out.

Sophisticated Threats. Advanced threats use increasingly sophisticated evasion techniques to fly under the radar. They are engineered to bypass “next-generation” perimeter defense tools like firewalls and sandboxes. Attackers are also able to hijack legitimate IT tools and services to hide their malicious activity as they move laterally in the network.

Criminals also share best practices and collaborate, with specialists working together to develop sophisticated, multi-faceted attacks. In its 2018 Risk Determination Report, the Office of Management and Budget found the cyberthreat situation facing federal agencies “untenable”: agencies lack both the visibility into their networks needed to determine whether a cybersecurity incident has occurred and the ability to minimize the impact of an intrusion.

Complex IT Systems. The perimeter, historically the main focus of how an organization is defended, is gone. Organizations are increasingly migrating to the cloud, which makes it harder to inventory and protect sensitive IT assets and data. In a recent blog post, Netskope Chief Strategy Officer Jason Clark commented, “security leaders need to accept the fact that the firewall is much less significant than it was in the past, and it will become even less significant in the future as more of IT infrastructure moves to the cloud.”

Organizations are also connecting IoT devices that lack proper security safeguards to their networks, while employees bring in connected personal devices that may have been compromised off site. All told, this makes for a larger, more diverse attack surface to protect.

Skills Shortage. It’s well documented that organizations are having trouble hiring skilled professionals to staff their security teams. In May 2017, Cybersecurity Ventures estimated that the number of unfilled jobs in digital security – the “skills gap” – would increase to 3.5 million by 2021.

AI: A Way Forward

To respond to these challenges, organizations need to consider the Golden Triangle of security: people, processes, and technology. Processes only work if there are people to follow them, and, as we all know, people are in short supply. That leaves technology as the most realistic way forward.

One of the most promising technologies for digital security is AI. In theory, security analysts can teach an AI system what benign and malicious activity typically looks like, so that the system identifies attacks and the security staff can focus on responding to the highest-risk threats. That is far easier said than done: implementing and training an AI system is complex and time-consuming, and expectations for what AI can do are often unrealistic. Above all, unlike AI in fields such as image recognition and natural language processing, the data a security system analyzes is produced by an adversary who is actively shaping it to resist classification, the problem the research community calls adversarial machine learning.
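To make the adversarial point concrete, here is an added illustration (not code from the original post or from Lastline) of why an anomaly detector that works well on static data can be defeated once the data source fights back. A per-flow z-score detector is fitted to constructed benign HTTPS flows; it flags a large upload to a command-and-control server, and the attacker then reshapes that upload into many flows that sit on the benign means for every feature the detector inspects. The feature set, threshold and all traffic figures are assumptions chosen for the example.

```python
"""Adversarial machine learning in one picture: an unsupervised anomaly
detector over per-flow features, the C2 upload it catches, and the mimicry
that evades it. Constructed example; detector, thresholds and flows are
assumptions, not Lastline's implementation."""
from statistics import mean, pstdev

# Benign HTTPS flows from a learning period, as (bytes_out, bytes_in,
# duration_s). Constructed data, not real telemetry.
BENIGN_FLOWS = [
    (1200, 48000, 2.1), (900, 35000, 1.4), (2100, 120000, 4.8),
    (700, 22000, 0.9), (1500, 64000, 3.0), (1100, 41000, 1.8),
    (1800, 88000, 3.9), (800, 30000, 1.2), (1300, 52000, 2.4),
    (1000, 39000, 1.6), (1600, 70000, 3.3), (950, 33000, 1.3),
]

# A single 60 kB upload to a C2 server with almost nothing coming back.
BEACON = (60000, 400, 0.3)


def fit(flows):
    """Baseline model: (mean, population std-dev) for each feature column."""
    return [(mean(col), pstdev(col)) for col in zip(*flows)]


def anomaly_score(model, flow):
    """Largest absolute z-score across the flow's features."""
    return max(abs(x - mu) / sd for x, (mu, sd) in zip(flow, model))


def is_anomalous(model, flow, threshold=3.0):
    """Flag anything more than `threshold` standard deviations out on any feature."""
    return anomaly_score(model, flow) > threshold


def mimic(total_out, model):
    """Attacker mimicry: split the upload into flows whose bytes_out, bytes_in
    and duration all sit on the benign means the detector learned. The
    attacker pays for this by pulling down padding bytes and waiting, but the
    detector only sees features it was told to look at."""
    (mu_out, _), (mu_in, _), (mu_dur, _) = model
    chunk = int(mu_out)
    n = -(-total_out // chunk)  # ceiling division
    return [(chunk, int(mu_in), round(mu_dur, 1)) for _ in range(n)]


def evasion_report(model, total_out):
    """How many shaped flows are needed, how many the detector flags, and the
    padding traffic the attacker had to generate to blend in."""
    shaped = mimic(total_out, model)
    return {
        "flows": len(shaped),
        "flagged": sum(is_anomalous(model, f) for f in shaped),
        "padding_bytes_in": sum(f[1] for f in shaped),
    }


if __name__ == "__main__":
    model = fit(BENIGN_FLOWS)
    print("beacon anomalous:", is_anomalous(model, BEACON),
          "score=%.1f" % anomaly_score(model, BEACON))
    print("after mimicry:", evasion_report(model, BEACON[0]))
```

The point is not that z-scores are a bad idea, but that every feature the model learns from is under the attacker's control, so a baseline learned from "normal" traffic alone defines exactly what the attacker must imitate.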

An alternative is to adopt AI-powered tools from one of the many security vendors. AI gives companies a way to accelerate and improve their information security processes, but commercially available tools differ widely in how they implement it, and not just any solution will do. Here are three typical problems with commercially available AI-augmented security tools.

False Positives – One of the primary benefits of AI is finding patterns in vast amounts of data, such as anomalies in network activity that could indicate an attack. But anomalous is not the same as malicious: most tools flag activity that is unusual yet benign, producing the dreaded false positives and wasting analysts’ scarce time on unnecessary investigations.

Isolated Alerts – Security analysts and Incident Response (IR) teams must build a complete picture of an attack from hundreds or thousands of isolated alerts about discrete events. While many AI-augmented tools are very good at identifying anomalies, they cannot “connect the dots” to show which alerts belong to the same attack, and it is that end-to-end attack chain that leads to timely and complete remediation.

Lack of Context – Beyond the sheer volume of warnings, many alerts offer only a low-fidelity assessment of the scope of the threat; they lack the context needed to understand the risk. Is an alert about a new connection to an unknown external host simply an employee working with a new vendor, or was it preceded by lateral movement, a change in permission level on sensitive data, and unusual access to that data? Seen in that context, the connection to the external host takes on quite a different meaning. Without context there is little confidence in the alerts, which rules out automating the response and puts even more burden on the security staff.

Organizations need an AI tool that provides high fidelity insights into complex network attacks with minimal false positives. It should be able to connect the dots of malicious network activity to create a complete picture of the entire attack chain, to accelerate and simplify threat response.

AI Done Right

Lastline Defender™ delivers the industry’s most accurate AI-powered network security to defend your organization and address the challenges identified above. “AI Done Right” is AI that learns from both network traffic and malicious behaviors to deliver the high-fidelity insights into malicious incidents (not isolated alerts), with full context of the activity, and with minimal false positives.

Lastline Defender uses a combination of three complementary techniques:

  • It compares traffic metadata and payloads to repositories of variants of known threats. In particular, Lastline Defender leverages our own Global Threat Intelligence Network that uniquely captures our deep understanding of behaviors engineered into millions of malware samples.
  • It applies unsupervised AI to network traffic to detect protocol and traffic anomalies.
  • It uses supervised AI to automatically create classifiers that recognize malicious network behaviors and previously unknown malware.

Most AI-augmented network security products implement only the first two detection techniques. The anomaly-detection part of that – applying AI to network traffic to find unusual patterns of behavior – is probabilistic and produces many false positives, because not every anomaly is the result of an attack. Without behavioral data that puts an alert into a broader context, it is virtually impossible for any AI-augmented tool to tell whether a detected anomaly is malicious or benign.

So, how does Lastline Defender deliver against the problems described earlier?

To avoid false positives, we train AI using the right dataset consisting of our rich historic analysis of malicious behaviors plus network traffic anomalies. This combination enables Lastline Defender to learn both what is “good” and what is “bad,” resulting in a minimal number of false positives.

To avoid isolated alerts, Lastline Defender identifies the entire attack chain. Security incidents are complex events, not single actions; they are usually composed of a series of smaller events that together form a trail of what happened. Lastline Defender picks up on these minor warnings and, more importantly, groups them under a single incident and then combines incidents to visualize the entire attack chain: from the initial device compromise to command & control communication to network discovery to lateral movement to data harvesting and exfiltration.

Lastline Defender puts every alert into the context of the entire attack, generating the detailed information analysts need to accelerate and simplify their ability to respond to those few significant events buried in the daily flood of alerts. Our high-fidelity alerts enable the security team to trust the detection capabilities and consequently automate workflows (such as blocking of malicious activity as it begins to move across the network). The result is faster analysis and response, decreasing the potential of a successful breach.

In Summary

Lastline Defender connects threats identified in emails and URLs with intrusion activity on the network – such as command & control communication, privilege escalation, and data exfiltration – to provide complete visibility of the entire attack chain. It also consolidates multiple events into a single incident and multiple incidents into a single intrusion to make it easy to understand the significance and full scope of the malicious activity.

Armed with deterministic, high-fidelity alerts, your security team will have the confidence to automate incident workflows by blocking advanced threats entering or operating within your network.

Your security team and security processes are more effective with Lastline Defender. This means better enterprise security with fewer resources, all thanks to AI Done Right!

Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.