Network Security Challenges Create a Commercial Imperative for AI

It won’t come as a surprise when I say that digital security has changed over the past few years. Remember when digital security used to be all about signature-based detection? It doesn’t seem that long ago that this was all we needed to keep ourselves safe online.

The Inadequacies of Signature-Based Detection

Yet time moves forward. As David Gold wrote for CSO Online, signature- and rule-based intrusion detection methods are no longer sufficient when it comes to protecting against digital threats. The reasoning for this change is two-fold:

1. Signature-Based Detection Can’t Spot Unknown Attacks

Digital attackers today use sophisticated techniques against organizations. One of those tactics, especially in multi-stage campaigns, is to bypass defenses using methods that are not immediately discoverable. For instance, an attacker may use social engineering to uncover employees’ email addresses and then run a phishing campaign to infect those employees’ devices with malware. That malware then spreads whenever the compromised devices connect to the corporate network. There is also the issue of zero-day attacks, where bad actors exploit vulnerabilities that are still unknown to the software vendor at the time of exploitation. In neither case is there a known indicator, a signature, for signature-based detection to match: a signature describes an attack someone has already seen, so a new exploit, or a known payload that has been trivially altered, simply isn’t in the list.

2. The Perimeter Is Now Too Porous

It’s no longer the case that an organization’s entire workforce discharges its duties within the confines of a physical headquarters. Today’s workforces are increasingly remote, a shift that the evolution of cloud and mobile technology has enabled.

Such remote connectivity is advantageous for organizations in that they can now hire employees across continents and grant those workers remote access to whatever resources they need. But it’s a disadvantage in the sense that we can no longer defend ourselves simply by blocking what’s outside the network perimeter. Large numbers of users now make connections to the network from all over the country, or the world, and even office-based employees also connect from home or from public environments such as a library or coffee shop.

Both of these developments increase an organization’s attack surface. They also complicate data security, as remote workers can now access work-related information from their laptops, smartphones, and other devices whenever they want. So how are organizations supposed to defend effectively against digital attackers?

A Paradigmatic Shift to the Network

To detect advanced threats in today’s world, organizations need to consider the network as a whole. That is the only way to account not only for threats attempting to enter the network from outside but also for those that have already gotten in. Organizations therefore need to augment perimeter defense with network traffic analysis (NTA) capabilities.

Implementing this methodology tends to be more complicated than relying on signature-based detection and firewalls, however. IDS tools act as blacklists: they look for specific signatures and reputations. Firewalls enforce a fixed rule set at the boundary, typically blocking unsolicited connections from outside the network. Both are simple in the sense that they offer a streamlined, easily understood defense.

NTA, on the other hand, watches for anomalies in network activity: behavior that deviates from a learned baseline rather than matching a known bad pattern. Depending on its configuration, an NTA tool can register many events as potentially anomalous, generating a lot of log traffic and potential alerts that security professionals must investigate. This data generation becomes even greater when organizations deploy their NTA solutions across cloud, IoT, and mobile environments.
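As an added example (not code from Lastline or from the original post), the following Python puts the two preceding points side by side on constructed flow records: the signature check from section 1 matches a known malware User-Agent but misses a trivially altered variant, while a per-host volume baseline still flags the variant's bulk upload. It also shows the noise problem described above: without context (here a hypothetical allow-list of known bulk-transfer destinations, `known_bulk_dsts`), the same baseline flags a benign backup. The signature, hosts, and flow sizes are all constructed for illustration.

```python
"""Signature matching vs. per-host baseline anomaly scoring over constructed flows."""
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass

# Hypothetical signature for a known malware User-Agent (constructed, not a real IOC).
SIGNATURES = {"evilbot-ua": re.compile(rb"User-Agent: EvilBot/1\.0")}


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that opened the connection
    dst: str        # remote endpoint
    dport: int
    bytes_out: int  # bytes the internal host sent
    payload: bytes  # leading bytes of the request, if inspectable


def signature_hits(flow: Flow) -> list[str]:
    """Classic IDS check: exact pattern match, blind to anything not in the list."""
    return [name for name, rx in SIGNATURES.items() if rx.search(flow.payload)]


def build_baseline(history: list[Flow]) -> dict[str, tuple[float, float]]:
    """Per-source (mean, stdev) of bytes_out learned from past flows."""
    by_src: dict[str, list[int]] = {}
    for f in history:
        by_src.setdefault(f.src, []).append(f.bytes_out)
    baseline: dict[str, tuple[float, float]] = {}
    for src, vals in by_src.items():
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        # Floor the stdev so a host with a flat history does not blow up every z-score.
        baseline[src] = (statistics.fmean(vals), max(sd, 1.0))
    return baseline


def anomaly_score(flow: Flow, baseline: dict[str, tuple[float, float]]) -> float:
    """z-score of this flow's bytes_out against the host's own history (0 if unseen)."""
    if flow.src not in baseline:
        return 0.0
    mean, sd = baseline[flow.src]
    return (flow.bytes_out - mean) / sd


def triage(flows, baseline, z_threshold=3.0, known_bulk_dsts=frozenset()):
    """Return [(flow, reasons)] for flows that deserve an analyst's attention.

    known_bulk_dsts is the 'context' an NTA tool needs: destinations where a
    large upload is expected (backup or file server), so a volume anomaly alone
    is not worth an alert there.
    """
    alerts = []
    for f in flows:
        reasons = [f"sig:{name}" for name in signature_hits(f)]
        z = anomaly_score(f, baseline)
        if z >= z_threshold and f.dst not in known_bulk_dsts:
            reasons.append(f"anomaly:z={z:.1f}")
        if reasons:
            alerts.append((f, reasons))
    return alerts


# Constructed history for one workstation: ordinary small web requests (mean 1300 bytes).
HISTORY = [Flow("10.0.0.5", "203.0.113.10", 443, b, b"") for b in (1200, 1500, 1100, 1300, 1400)]
BASELINE = build_baseline(HISTORY)

# Constructed test flows.
F_KNOWN = Flow("10.0.0.5", "203.0.113.10", 80, 1250,
               b"GET / HTTP/1.1\r\nUser-Agent: EvilBot/1.0\r\n")     # exact signature
F_VARIANT = Flow("10.0.0.5", "203.0.113.10", 80, 1250,
                 b"GET / HTTP/1.1\r\nUser-Agent: EvilBot/1.1\r\n")   # trivially changed, sig misses
F_EXFIL = Flow("10.0.0.5", "198.51.100.7", 443, 52_000,
               b"POST /up HTTP/1.1\r\nUser-Agent: EvilBot/1.1\r\n")  # same variant, bulk upload
F_BACKUP = Flow("10.0.0.5", "192.0.2.20", 445, 900_000, b"")         # nightly backup, benign
SAMPLE = [F_KNOWN, F_VARIANT, F_EXFIL, F_BACKUP]

if __name__ == "__main__":
    print("no context:", [(f.dst, r) for f, r in triage(SAMPLE, BASELINE)])
    print("with context:", [(f.dst, r) for f, r in
                            triage(SAMPLE, BASELINE, known_bulk_dsts=frozenset({"192.0.2.20"}))])
```

Run without context, the triage returns three alerts: the exact-signature hit, the variant's upload (anomaly only, since the signature misses it), and the backup, which is a false positive. Adding the backup server to `known_bulk_dsts` drops the third without touching the first two; that suppression step is exactly the kind of filtering the rest of this post argues a human team cannot do by hand at scale.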

The problem is that organizations have only a limited number of personnel. They don’t have the resources for their security professionals to spend so much time investigating all of these alerts and searching through all the log traffic. It’s important to remember, after all, that most organizations aren’t in the business of security. It’s an ancillary function that’s essential for survival, but it’s not a central business element for many of us. Hiring dozens of IT security people is therefore out of the question. (Even if it weren’t, the ongoing skills shortage makes it all the more difficult to hire skilled security analysts.)

AI Offers a Solution

Given the sheer volume of activity generated by today’s networks, the need for NTA driven by a porous perimeter, and the staffing limitations discussed above, the only workable solution is for organizations to embrace artificial intelligence (AI). Its primary benefit is its ability to work as an initial filter, ranking and suppressing alerts before a human sees them, and thereby to decrease the security team’s workload. Many of us already recognize this advantage, which matches Webroot’s survey finding that AI will receive the greatest amount of focus from organizations in their digital security efforts over the coming year.

But AI isn’t a silver bullet. This is partly because NTA solutions aren’t created equal. Many solutions can’t provide context for what they see on the network, which leaves organizations in the unenviable position of chasing false positives.

Not only that, but many of us still don’t fully understand the utility of AI. Seventy percent of respondents to Webroot’s survey said it’s important for a digital security tool to advertise its use of AI. Yet this importance looks like a blind attraction to buzzwords: more than a quarter (27 percent) of participants said they know their vendor’s tools use AI but are “not sure what that means.” Similarly, 34 percent admitted that they don’t even care whether a tool uses AI so long as it can defend against digital criminals.

To these individuals, I can only say that AI isn’t a fad. It’s here to stay, and what’s more, it’s an essential component of properly defending an organization against today’s advanced attacks. So the question is not “do I need an AI-powered security tool?” but “which tool uses AI to its full and realistic capability?”

Lastline’s use of AI and machine learning is as old as the company. It’s not a new trick for us; it’s an integral part of our technology, and always has been. Our three founders, all PhDs in computer science, know a thing or two about AI and how to optimally utilize it as part of an effective network security solution designed to detect advanced threats. Visit our website to learn more.

Giovanni Vigna

Giovanni Vigna is one of the founders and CTO of Lastline as well as a Professor in the Department of Computer Science at the University of California in Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and mobile phone security. He also edited a book on Security and Mobile Agents and authored one on Intrusion Correlation. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a member of IEEE and ACM.