Cognitive Security

Artificial Intelligence (AI), Automation, Cognitive Security, Data Protection, Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), threat hunting, Threat Intelligence,

Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

How did this happen?

It all started with a highly targeted spear phishing email sent to your director of communications. He failed to notice the look-alike characters in the sender's address of a message he thought came from the IT department, followed the link and entered his credentials on a spoofed login page. The stolen credentials gave the attackers their initial foothold; from there they deployed zero-day malware and gradually escalated account privileges. Some of the criminals' activity did trigger alerts in the SOC, but your analysts closed those incidents as benign. Your organization is now facing a multimillion-dollar cleanup and a serious loss of customer trust.

Why You Should Hunt Advanced Threats Before They Strike

Situations like the one described above are all too common in our industry. Most successful attacks attributed to human error fit a small set of predictable patterns that exploit known weaknesses in an organization's network. As a result, many data breaches can be prevented with effective cyber hygiene.

Advanced threats account for a smaller share of incidents, but they are the ones most likely to go undetected, and they cause the most damage. In addition, the rise in state-sponsored activity and criminal marketplaces on the dark web has created an ecosystem in which the world's most sophisticated and skilled criminals openly exchange tools and techniques.

The cost of a serious breach is also trending upward. According to Ponemon, the average cost of a megabreach that results in the loss of more than 1 million customer records is $40 million. And more than 60 percent of data breaches have links to either state actors or advanced, organized crime groups, according to Verizon. APTs that evade detection can result in dwell times that range from three to 24 months, further increasing the total cleanup cost for a data breach.

How can security teams fight these kinds of threats? The majority of enterprise SOCs are now at least three years old, according to a recent study from Exabeam, and are increasing in maturity. While human analysts and manual research methodologies can act as a firewall against many risks, there’s a need to scale SOC intelligence and threat hunting capabilities to safeguard against APTs.

What Is Threat Hunting?

Threat hunting can be defined as “the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.” The practice uses techniques from art, science and military intelligence, with internal and external data sources informing the science of statistical and cognitive analysis. Human intelligence analyzes the results and informs the art of a response. Last year, 91 percent of security leaders reported improved response speed and accuracy as a result of threat detection and investigation, according to the SANS Institute.

Threat hunting is not defined by any product, although tools and techniques can significantly improve efficiency and outcomes. A widely cited way to describe the practice is Sqrrl's Threat Hunting Loop, which has four stages:

  1. Create a hypothesis.
  2. Investigate via tools and techniques.
  3. Discover new patterns and adversary tactics, techniques and procedures (TTPs).
  4. Inform and enrich automated analytics for the next hunt.

The goal for any security team should be to complete this loop as efficiently as possible. The quicker you can do so, the quicker you can automate new processes that will help find the next threat.
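To make the loop concrete, here is an added example (not code from the original post or from Sqrrl) that runs one pass of it over constructed logon records. The hypothesis is the one from the opening scenario: a phished account is being used to move laterally, which would show up as one account reaching many distinct hosts in a short window from a source address it never used before. The log format, host names, addresses and thresholds are all assumptions made for the example.

```python
"""Hypothesis-driven hunt over constructed logon records (added example).

Hypothesis: a phished account is being used to move laterally. Evidence would
be one account authenticating to many distinct hosts within a short window,
from a source address the account never used before. The functions follow
the loop: hypothesis -> investigate -> discover -> encode a rule for next time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry: ts user src_ip dst_host outcome
SAMPLE_LOGONS = """\
2024-05-01T09:00:12 jdoe 10.1.4.22 FS01 success
2024-05-01T09:03:40 jdoe 10.1.4.22 MAIL01 success
2024-05-01T22:10:05 jdoe 10.1.9.77 FS01 success
2024-05-01T22:10:09 jdoe 10.1.9.77 FS02 success
2024-05-01T22:10:14 jdoe 10.1.9.77 DB01 success
2024-05-01T22:10:20 jdoe 10.1.9.77 DB02 success
2024-05-01T22:10:26 jdoe 10.1.9.77 HR01 success
2024-05-01T22:10:31 jdoe 10.1.9.77 DC01 failure
2024-05-01T09:15:00 asmith 10.1.4.31 FS01 success
2024-05-01T13:20:00 asmith 10.1.4.31 MAIL01 success
2024-05-01T14:05:00 asmith 10.1.4.31 FS01 success
"""

# Everything before the cutoff is treated as the account's normal baseline.
HUNT_CUTOFF = datetime(2024, 5, 1, 12, 0, 0)


def parse_logons(text):
    """Parse the whitespace-separated sample format into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, src, dst, outcome = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "src": src, "dst": dst, "outcome": outcome})
    return rows


def baseline_sources(rows, cutoff):
    """Source IPs each account used successfully before the hunt window."""
    known = defaultdict(set)
    for r in rows:
        if r["ts"] < cutoff and r["outcome"] == "success":
            known[r["user"]].add(r["src"])
    return known


def hunt_lateral_movement(rows, cutoff, window=timedelta(minutes=10), min_hosts=4):
    """Investigate: for each (user, source) seen after the cutoff, find the
    largest set of distinct destination hosts touched inside one window.
    Failed attempts count too; an attacker probing hosts still leaves a trail."""
    known = baseline_sources(rows, cutoff)
    by_pair = defaultdict(list)
    for r in rows:
        if r["ts"] >= cutoff:
            by_pair[(r["user"], r["src"])].append(r)
    findings = []
    for (user, src), events in by_pair.items():
        events.sort(key=lambda r: r["ts"])
        best = set()
        for i, start in enumerate(events):
            hosts = {e["dst"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings.append({"user": user, "src": src,
                             "distinct_hosts": len(best), "hosts": sorted(best),
                             "new_source": src not in known[user],
                             "first_seen": events[0]["ts"].isoformat()})
    return findings


def to_detection_rule(finding, window=timedelta(minutes=10), min_hosts=4):
    """Enrich: turn a confirmed finding into parameters a SIEM can evaluate
    continuously, so the next occurrence is an alert rather than a hunt."""
    return {"name": "burst_of_distinct_hosts_from_new_source",
            "window_minutes": int(window.total_seconds() // 60),
            "min_hosts": min_hosts,
            "require_new_source": finding["new_source"]}


def run_hunt(text=SAMPLE_LOGONS, cutoff=HUNT_CUTOFF):
    """One full pass of the loop over the sample data."""
    return hunt_lateral_movement(parse_logons(text), cutoff)


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding)
        print(to_detection_rule(finding))
```

On the sample data the hunt surfaces jdoe reaching six hosts in under a minute from an address never seen in the baseline, while asmith's routine activity stays below the threshold. The rule emitted at the end is the point of the loop: the same logic now runs automatically, and the next hunt can start from a new hypothesis.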

The 4 Characteristics of a Comprehensive Threat Hunting Capability

A mature threat hunting capability is closely associated with SOC maturity. The least mature SOCs have human analysts who act as a firewall. As SOCs approach maturity and adopt security information and event management (SIEM) tools, their capacity to reactively investigate indicators of compromise (IoCs) increases. The most mature SOCs take a proactive approach to investigating IoCs, with researchers, analysts, solutions and a clearly defined methodology to orchestrate both investigation and response. A comprehensive capacity for hunting threats is defined by four key characteristics:

  1. Data handling: The ability to handle a deluge of data across siloed networks, including insight into internal risks, advanced activities from external threat actors and real-time threat intelligence from third-party sources.
  2. Data analysis: The ability to correlate a high volume and velocity of disparate data sources into information and, ultimately, intelligence.
  3. Informed action: Resources that raise threat hunters' skills and make threat intelligence easy to act on, through training, policy and cognitive capabilities.
  4. Orchestrated action: Defined processes and methodologies to hunt threats in a repeatable and orchestrated way that informs proactive security capabilities throughout the organization.

Organizations that fail to raise SOC maturity and adopt the solutions and processes for hunting threats face a number of risks. Relying on manual research alone can lead to costly data breaches and lasting brand damage when APTs evade detection, and without an orchestrated process for investigating IoCs, operations are slower, less accurate and heavily manual.

The Diverse Business Benefits of Hunting Threats

Using cognitive intelligence tools to enhance SOC capabilities, Sogeti Luxembourg reduced the average time to determine root cause and investigate a threat from three hours to three minutes. In the process, the firm sped up its threat investigation process by 50 percent and saw a tenfold increase in actionable threat indicators.

Hunting threats can offer a number of benefits to both the business and the security operations center. The outcomes include greater protection of reputation, a more intelligent SOC and orchestrated security response.

Reputation Protection

Falling prey to an APT can cause lasting damage to a brand. One core benefit of implementing a more sophisticated threat hunting capability is the potential to guard against the most costly data breaches, which typically result in millions of lost records or permanent data deletion.

SOC Maturity

SOC analyst stress is at a record high, and so is the number of real incidents wrongly dismissed as benign. APTs can easily go unnoticed in the sheer volume of noise, which breeds a culture of alert fatigue.

Achieving mature threat detection capabilities can change how analysts work and allow organizations to implement a cognitive SOC. Security analytics platforms enhance human intelligence and reduce manual research, and correlation tools provide real-time insight from a variety of structured and unstructured third-party data sources.

Orchestrated Security Response

With the technological capabilities to outthink adversaries, organizations can inform a proactive, unified approach to incident response (IR) that begins in the SOC. Internal and external data sources augment the intelligence of human analysts, allowing real-time, informed decision-making. Investigations and response can inform action as soon as anomalous behaviors or patterns are detected. The result is a defined process that allows your organization to mitigate threats earlier in the Cyber Kill Chain.

Intelligent Response to Sophisticated Threats

The majority of threats your organization faces each day will fit predictable patterns. APTs make up a statistically small percentage of the incidents a SOC investigates, but sophisticated threat actors use novel tactics and techniques designed to blend into a noisy SOC. These are the threats most likely to slip through and to result in the costliest cybercrime.

State-sponsored criminal activity and attacks launched by sophisticated crime collectives are increasing. To guard against these increasingly complex threat vectors, organizations need to proactively prepare their defenses. Implementing cognitive tools in the SOC can enable organizations to adopt proactive threat hunting capabilities that leverage both art and science. By combining repeatable processes for threat investigation with intelligent solutions and skilled analysts, organizations can respond to threats earlier in the kill chain and protect their most critical assets.

The post Maturing Your Security Operations Center With the Art and Science of Threat Hunting appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Rob Patey

Artificial intelligence, Artificial Intelligence (AI), Chief Information Security Officer (CISO), Cognitive Security, Cybersecurity, Data Protection, Endpoint, Endpoint Protection, Incident Response, Incident Response (IR), insider threats, Internet of Things (IoT), IoT Security, Malware, Risk Management, Security Intelligence & Analytics, Security Operations Center (SOC), Security Strategy, Threat Intelligence,

Fight Evolving Cybersecurity Threats With a One-Two-Three Punch

When I became vice president and general manager for IBM Security North America, the staff gave me an eye-opening look at the malicious hackers who are infiltrating everything from enterprises to government agencies to political parties. The number of new cybersecurity threats is distressing, doubling from four to eight new malware samples per second between the third and fourth quarters of 2017, according to McAfee Labs.

Yet that inside view only increased my desire to help security professionals fulfill their mission of securing organizations against cyberattacks through client and industry partnerships, advanced technologies such as artificial intelligence (AI), and incident response (IR) training on the cyber range.

Cybersecurity Is Shifting From Prevention to Remediation

Today, the volume of threats is so overwhelming that getting ahead is often unrealistic. It’s not a matter of if you’ll have a breach, it’s a matter of when — and how quickly you can detect and resolve it to minimize damage. With chief information security officers (CISOs) facing a shortage of individuals with the necessary skills to design environments and fend off threats, the focus has shifted from prevention to remediation.

To identify the areas of highest risk, just follow the money to financial institutions, retailers and government entities. Developed countries also face greater risks. The U.S. may have advanced cybersecurity technology, for example, but we also have assets that translate into greater payoffs for attackers.

Remediation comes down to visibility into your environment that allows you to notice not only external threats, but internal ones as well. In fact, internal threats create arguably the greatest vulnerabilities. Users on the inside know where the networks, databases and critical information are, and often have access to areas that are seldom monitored.

Bring the Power of Partnerships to Bear

Once you identify a breach, you’ll typically have minutes or even seconds to quarantine it and remediate the damage. You need to be able to leverage the data available and make immediate decisions. Yet frequently, the tools that security professionals use aren’t appropriately implemented, managed, monitored or tuned. In fact, 44 percent of organizations lack an overall information security strategy, according to PwC’s “The Global State of Information Security Survey 2018.”

Organizations are beginning to recognize that they cannot manage cybersecurity threats alone. You need a partner that can aggregate data from multiple clients and make that information accessible to everyone, from customers to competitors, to help prevent breaches. It’s like the railroad industry: Union Pacific, BNSF and CSX may battle for business, but they all have a vested interest in keeping the tracks safe, no matter who is using them.

Harden the Expanding Attack Surface

Along with trying to counteract increasingly sophisticated threats, enterprises must also learn how to manage the data coming from a burgeoning number of Internet of Things (IoT) devices. This data improves our lives, but the devices give attackers even more access points into the corporate environment. That’s where technology that manages a full spectrum of challenges comes into play. IBM provides an immune system for security from threat intelligence to endpoint management, with a host of solutions that harden your organization.

Even with advanced tools, analysts don’t always have enough hours in the day to keep the enterprise secure. One solution is incorporating automation and AI into the security operations center (SOC). We layer IBM Watson on top of our cybersecurity solutions to analyze data and make recommendations. And as beneficial as AI might be on day one, it delivers even more value as it learns from your data. With increasing threats and fewer resources, any automation you can implement in your cybersecurity environment helps get the work done faster and smarter.

Make Incident Response Like Muscle Memory

I mentioned malicious insider threats, but users who don’t know their behavior creates vulnerabilities are equally dangerous — even if they have no ill intent. At IBM, for example, we no longer allow the use of thumb drives since they’re an easy way to compromise an organization. We also train users from myriad organizations on how to react to threats, such as phishing scams or bogus links, so that their automatic reaction is the right reaction.

This is even more critical for incident response. We practice with clients just like you’d practice a golf swing. By developing that muscle memory, it becomes second nature to respond in the appropriate way. If you’ve had a breach in which the personally identifiable information (PII) of 100,000 customers is at risk — and the attackers are demanding payment — what do you say? What do you do? Just like fire drills, you must practice your IR plan.

Additionally, security teams need training to build discipline and processes, react appropriately and avoid making mistakes that could cost the organization millions of dollars. Response is not just a cybersecurity task, but a companywide communications effort. Everyone needs to train regularly to know how to respond.

Fighting Cybersecurity Threats Alongside You

IBM considers cybersecurity a strategic imperative and, as such, has invested extensive money and time in developing a best-of-breed security portfolio. I’m grateful for the opportunity to put it to work to make the cyber world a safer place. As the leader of the North American security unit, I’m committed to helping you secure your environments and achieve better business outcomes.

This post appeared first on Security Intelligence
Author: Casey George

Advanced Threats, Cognitive Security, Command-and-Control (C&C), Encryption, Firefox, Incident Response (IR), Mozilla, Penetration Testing, Phishing, Phishing Email, Security Operations Center (SOC), Security Services, Threat Intelligence, Vulnerabilities, X-Force,

Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red

As you may know, IBM X-Force Red is IBM Security’s penetration testing team. The team features professional, world-class testers who help organizations find and manage their security vulnerabilities on any and all platforms, including software and hardware devices. Our motto is “hack anything to protect everything.”

This post features a case study from IBM X-Force Red that shows how we ran into trouble on a black-box penetration testing assignment, worked against a well-prepared blue team, and overcame the obstacles to ultimately establish a solid adversarial operation. Let’s take a closer look at what we did to get through security and, more importantly, what your team can do to better secure your organization in an ever-evolving adversarial landscape.

A Tale of an Undeliverable Payload

On one of our red team’s recent engagements with a customer’s blue team, we were tasked with delivering a malicious payload to network users without setting off security controls or alerting the defensive team.

As a first attempt, we sent a phishing email to feel out the level of awareness on the other side. The message carried our malicious payload, for which we chose an attachment type and a lure that would look credible. However, the blue team on the other side must have been lying in wait for suspicious activity. Every one of our emails was delivered, but our payloads never ran where we intended: they did not call home to the control server we had set up, and instead we started getting visits from the defensive team in the form of an anti-malware sandbox.

Within minutes, additional sandboxes hit on our command and control (C&C) server’s handler, and soon more than 12 security vendor clouds were feasting on the payload. We understood at that point that our payload had been detected, analyzed and widely shared by the blue team, but since this was a black-box operation, we had little way of knowing what went wrong after sending out our rigged emails.

If the Phish Fails, Send in the Fox

Going back to the drawing board, we realized that we must have triggered the blue team’s dynamic malware detection systems and controls. We had to find a new way to deliver the payload in a more concealed manner — preferably encrypted — and to have it detonate only when it reached its final destination to prevent premature discovery.

To do so, we had to overcome some hurdles, including:

  • Sidestepping traffic inspection controls;
  • Opening a siloed channel to send information from outside into the organizational networks;
  • Decreasing repeatable sampling of our externally hosted content;
  • Minimizing the chance of attribution at the initial visit/download/delivery stages; and
  • Bypassing URL inspections.

Some creative thinking summoned a good candidate to help us overcome most controls, mostly because it is a legitimate service that people use in daily interactions: Mozilla’s Firefox Send (FFSend).

Before we continue to describe the use of FFSend, we would like to note here that it is a legitimate tool that can be used safely, and that it was not compromised. We also disclosed information in this blog to Mozilla ahead of its publication and received the company’s support.

The Right Fox for the Job

FFSend is a legitimate file transfer tool from Mozilla. It has several features that make it attractive for everyday users: according to its developers, each upload produces "a safe, private and encrypted link that automatically expires to ensure your stuff does not remain online forever." This makes FFSend a convenient way to send private files between people securely.

To send a file, the sender opens FFSend in a browser and uploads the file through a simple web interface. The sender receives a shareable URL and passes it to the recipient. The recipient visits the link and downloads the file, at which point the FFSend service "forgets" the link and removes the shared content from the server.

Figure 1: Basic flow of events using FFSend

From our red team’s perspective, FFSend was a good fit for sending encrypted files. Let’s see how it answered some of the needs we defined.

FFSend allows files of up to 1 GB, which is enough both to send a payload and to exfiltrate data; this answered our need for a siloed, covert channel into the organization. It encrypts and decrypts the file with AES-GCM directly in the browser, so we never have to deal with key generation or distribution ourselves. Because the decryption key travels in the fragment of the shared URL, which the browser never transmits to the server, the payload is opaque to intercepting proxies that unwrap Transport Layer Security (TLS) and cannot be read by any party along the way, including Mozilla.

Figure 2: Schematic view of FFSend's automated encryption

Since firefox.com is a trusted domain on most organizational controls, we gain yet another advantage by using FFSend. We won’t have to labor to set up a fake site that would raise suspicion, and we can still get our file’s link across to the recipient. The trusted Firefox domain is also more likely to slip through URL inspection and anti-phishing controls, as well as blacklists that organizations deploy to catch malicious content coming from rogue resources.

Figure 3: FFSend is considered a trusted source

As for reducing repeated sampling of the payload, we got that too by setting a strict one-download limit on our FFSend link, which defeated the sandbox fetches and the threat sharing that follows them. Moreover, FFSend expires links automatically after 24 hours, so the path to our payload self-destructs if the target has not opened it. Self-destruction is also exposed through FFSend's application programming interface (API), so a link can be revoked on demand after it is sent but before its default expiration.

Figure 4: FFSend's link expiration and self-destruct schema

Avoiding attribution is also easier when using a legitimate service that implements ephemeral storage of the files it delivers. Using such a service allowed us to avoid any links back to our testers, since there was no account required to send a file, nor was information on the owner of the encrypted data sent, required or kept.

This meant our ownership of the malicious file would be anonymous, though there would still be a tie to our originating IP address and browser fingerprints. With most information concealed, we deemed this level of anonymity good enough for the desired outcome.

Figure 5: No sender identity required, no attribution links back to red team

Setting Up a Communications Channel

With the file sending issue resolved, we still needed a covert communication channel to help us establish an ongoing operation without being ousted by the blue team.

To set up a communications channel, we did not wish to start from scratch. We decided to use FFSend to make it work as the siloed, covert channel we needed. That was one problem solved, but to coordinate the sending and receiving of data over that channel, we would also need a side channel of communications to avoid inspection and detection.

Communication gets inspected by a number of security controls, so it is essential to blend in with the environment. To do that, we had to choose a protocol that would make us look like everyone else on the network. Looking at the typical choices, Hypertext Transfer Protocol Secure (HTTPS), Internet Control Message Protocol (ICMP) and Domain Name System (DNS), we selected DNS for its decent packet capacity and its better chance of blending in with legitimate user traffic.

DNS fit our need for a channel that tells the agent where to find data on FFSend, and the command channel can ride on DNS as well. To make everything work together, the DNS record content could be encrypted with the same FFSend shared key used to post the data link, keeping things consistent.

In our command protocol, we can accommodate short instructions and distinguish the kinds of requests we task agents with, whether to run something or to report back. For example, we can encode a fetch instruction or an execute instruction. The agent would then carry out the request and post the results over our FFSend data channel.

On the wire, command-channel interaction looks like well-formed dynamic DNS traffic, separate from the HTTPS channel used for data. This split makes it much harder for a defender to correlate the two.

The Foxtrot Control Server Rises

Once we knew how to set up our covert communications, we set up a rogue control server and named it Foxtrot. Foxtrot was a mechanism we used to facilitate communication between any number of the remote agents.

Having created Foxtrot with a modified FFSend service and a DNS side channel, IBM X-Force Red testers were able to push the initial payload to unsuspecting recipients. The payload circumvented dynamic defenses, helped our red team gain a foothold in the environment and established persistence to freely move data across intercepting proxies. We were also able to execute commands on compromised hosts, even when the defensive team had its security controls and monitoring turned on.

A Word to the Wise Defender

Red teams have the advantage of only needing to find one way in, while blue teams are tasked with securing all ways in and out. This one-sided advantage means that defenders have to keep a close eye on attack tactics, techniques and procedures (TTPs) and expect encryption and covert side channels to challenge existing automated controls.

After having achieved our goals, we came away with some tips for defenders that can help security teams prepare for the TTPs we used.

  • Expect to see the use of client-side encryption gain more prominence in adversarial workflows, and choose security controls accordingly.
  • Expect to see split-data and command channels grow in popularity among attackers, because this technique can help break automated analysis patterns employed by traditional security tools. Defenders should look into behavioral, heuristics-based detection, augmented by a fully staffed security operations center (SOC) to continuously detect split-channel operations.
  • X-Force Red encourages defensive teams to test their incident response (IR) processes against simulated attacker workflows that employ custom tooling capabilities.
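The DNS command channel described above leaves a statistical trace even when its record content is encrypted: many never-repeated, high-entropy leftmost labels under one parent domain, from one client, often as TXT queries. As an added example (not X-Force Red's tooling and not part of the original post) of the behavioral detection the tips recommend, the following scores constructed resolver log lines per client and parent domain. The log format, thresholds and the two-label approximation of a registrable domain are assumptions made for the example.

```python
"""Heuristic detection of a DNS side channel over constructed resolver logs
(added example). Split-channel tradecraft hides commands in DNS queries whose
leftmost labels are generated data, so the count of unique labels per client
and parent domain, together with their entropy, separates the channel from
ordinary name lookups even when the label content itself is encrypted."""
import math
from collections import Counter, defaultdict

# Constructed sample lines, not a real resolver log: ts client qname qtype
SAMPLE_DNS = """\
2024-05-01T22:11:01 10.1.4.22 www.example.com A
2024-05-01T22:11:02 10.1.4.22 mail.example.com A
2024-05-01T22:11:05 10.1.4.22 cdn.example.com A
2024-05-01T22:11:09 10.1.4.22 www.example.com A
2024-05-01T22:12:00 10.1.9.77 x7k2mq9zpd3nq4lw.agent.dyn-example.net TXT
2024-05-01T22:12:05 10.1.9.77 b8r4te2vjf6yc1hs.agent.dyn-example.net TXT
2024-05-01T22:12:10 10.1.9.77 m3w9qa5dkz7xn2pu.agent.dyn-example.net TXT
2024-05-01T22:12:15 10.1.9.77 t6g1yl8cbv4ro5ej.agent.dyn-example.net TXT
2024-05-01T22:12:20 10.1.9.77 k2z7pf3mxq9wd4sn.agent.dyn-example.net TXT
2024-05-01T22:12:25 10.1.9.77 e5n8ci1urh6ta3ov.agent.dyn-example.net TXT
2024-05-01T22:12:30 10.1.9.77 www.example.com A
"""


def shannon_entropy(s):
    """Bits per character; generated labels sit near 4, words near 2."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        rows.append({"ts": ts, "client": client,
                     "qname": qname.lower().rstrip("."), "qtype": qtype})
    return rows


def parent_domain(qname):
    """Assumption for the example: the registrable domain is the last two
    labels. A real deployment should consult the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])


def detect_dns_tunnels(rows, min_unique_labels=5, min_entropy=3.0):
    """Flag (client, parent domain) pairs that issue many distinct, random-
    looking leftmost labels; report the TXT share as supporting evidence."""
    stats = defaultdict(lambda: {"labels": set(), "qtypes": Counter()})
    for r in rows:
        key = (r["client"], parent_domain(r["qname"]))
        stats[key]["labels"].add(r["qname"].split(".")[0])
        stats[key]["qtypes"][r["qtype"]] += 1
    flagged = []
    for (client, parent), s in sorted(stats.items()):
        labels = s["labels"]
        if len(labels) < min_unique_labels:
            continue
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_entropy < min_entropy:
            continue
        total = sum(s["qtypes"].values())
        flagged.append({"client": client, "parent": parent,
                        "unique_labels": len(labels),
                        "mean_entropy": round(mean_entropy, 2),
                        "txt_share": round(s["qtypes"]["TXT"] / total, 2)})
    return flagged


if __name__ == "__main__":
    for hit in detect_dns_tunnels(parse_dns_log(SAMPLE_DNS)):
        print(hit)
```

The thresholds are deliberately simple; in production you would baseline unique-label counts per parent domain over days, whitelist domains that legitimately embed hashes in labels (CDNs, telemetry, some antivirus lookups) and correlate the flagged client with its HTTPS activity, since the split-channel design means the two halves only make sense together.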

What can teams do right now to get ahead of determined threat actors? Step up your security with pre-emptive action in the shape of professional penetration testing, and make sure the scope of the testing gradually covers both hardware and software. You should also consider adopting cognitive solutions to augment analysts’ capabilities and scale up as attacks grow more frequent and complex.

This post appeared first on Security Intelligence
Author: Dimitry Snezhkov

Artificial Intelligence (AI), Cognitive, Cognitive Security, Incident Response (IR), Machine Learning, Security Intelligence, Security Intelligence & Analytics, Security Leaders, Security Professionals, Threat Intelligence,

Security Analysts Are Overworked, Understaffed and Overwhelmed — Here’s How AI Can Help

Times are tough for security analysts. In addition to the growing industrywide talent shortage, the threat landscape is expanding in both volume and sophistication — and security teams lack the resources they need to keep up.

To some extent, static processes — such as vulnerability assessments, firewalls and activity monitoring — can help organizations determine who is accessing enterprise data, identify vulnerabilities and detect risky behavior.

However, these systems can’t think on their own or react to deviations or unexpected circumstances. The threat landscape is simply too dynamic, and cybercriminal tactics evolve too quickly for programmatic processes to keep up.

Is AI the Answer to Common Security Pain Points?

How can security teams gain ground in this never-ending race against malicious actors? One solution is to adopt tools that learn, adapt and proactively detect threats — even in a rapidly changing environment.

Let’s take a look at some common pain points for analysts and explore how artificial intelligence (AI) can help shed light on the many frightening unknowns of cybersecurity.

Too Many Alerts, Too Little Time

Today’s largest enterprise networks can generate billions of events per day from a wide range of data sources, including security devices, network appliances, mobile applications and more. The staggering volume of alerts strains security analysts and diminishes the speed and accuracy with which they can process threat data.

Limited Budgets Lead to Limited Talent

According to a recent survey, 66 percent of information security professionals believe there aren’t enough qualified analysts in the field to handle the increasing volume of security threats. In addition, many organizations have limited budgets, restricting security teams from hiring the talent they need to protect their networks. AI-powered tools can automate security processes and perform complex tasks, freeing overworked analysts to focus on more pressing matters.

The Problem of False Positives

A security analyst typically investigates 20–25 incidents every day. This investigation entails gathering information from local logs, correlating indicators of compromise (IoCs) with threat intelligence feeds and conducting outside research for additional context. This process is extremely time-consuming and leads to false-positive rates as high as 70 percent.

Not Enough Hours in the Day

Time is a critical resource for security analysts, who must determine whether to escalate an alert or write it off as a false positive in under 20 minutes. Due to the around-the-clock nature of incident response, security teams should invest in machine learning tools that can filter out the noise and present reliable analysis with speed and scale.

Keeping Up With Cybercriminal Innovation

Attackers are innovating every day, and evasion techniques are becoming increasingly sophisticated — making it harder and harder for security teams to identify potential threats. AI can detect these threats more reliably and learn from features that most human analysts would miss.

Figure: Sampling of security incidents by attack type, time and impact, 2015 through 2017

Untapped, Unstructured Data

Many security teams are letting a big chunk of valuable intelligence go to waste. On average, 80 percent of the unstructured, human-generated knowledge found in security blogs, news articles, research papers and more is invisible to traditional systems. AI-based systems can curate this wealth of information, extract crucial threat data and tie it to IoCs found in the network.
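A minimal version of that curation step, as an added example that is not the original post's code or any IBM product logic: pull indicators out of a constructed report excerpt, undo the usual defanging (hxxp, [.]) that reports use to keep indicators from being clickable, discard the internal addresses a report mentions only for context, and match what remains against constructed proxy log lines. The report text, log format, addresses and the list of internal networks are assumptions made for the example.

```python
"""Extract indicators from unstructured text and tie them to network
telemetry (added example). Reports defang indicators so they are not
clickable; refang before matching, and drop internal addresses that a
report names only for context."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed report excerpt, not from any real publication
SAMPLE_REPORT = """\
The loader beacons to hxxp://updates-cdn[.]example-bad[.]net/check and falls
back to 198[.]51[.]100[.]7 over TCP/443. The dropped file has SHA-256
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef. In one
incident the staging host was 10.0.0.12 (an internal address, not an indicator),
and the operator's relay was 203.0.113.45.
"""

# Constructed proxy log lines, not real telemetry: ts src_ip method url status
SAMPLE_PROXY = """\
2024-05-01T10:01:02 10.1.4.22 GET http://www.example.com/ 200
2024-05-01T10:02:17 10.1.9.77 GET http://updates-cdn.example-bad.net/check 200
2024-05-01T10:02:19 10.1.9.77 POST https://203.0.113.45/upload 200
2024-05-01T10:03:44 10.1.4.31 GET https://mail.example.com/ 200
"""

# Assumed internal ranges; extend with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b")


def refang(text):
    """Reverse the common defanging conventions and normalise case."""
    return (text.lower().replace("hxxp", "http")
            .replace("[.]", ".").replace("(.)", ".").replace("[dot]", "."))


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. a version string that looks like an IP
        return True             # treat as not an indicator
    return any(addr in net for net in INTERNAL_NETS)


def extract_iocs(text):
    """Return candidate IPv4 addresses, domains and SHA-256 hashes."""
    t = refang(text)
    return {"ipv4": {ip for ip in IPV4_RE.findall(t) if not is_internal(ip)},
            "domain": set(DOMAIN_RE.findall(t)),
            "sha256": set(SHA256_RE.findall(t))}


def parse_proxy_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, method, url, status = line.split()
        rows.append({"ts": ts, "src": src, "method": method, "url": url,
                     "host": (urlsplit(url).hostname or "").lower(),
                     "status": status})
    return rows


def match_iocs(iocs, rows):
    """Tie report indicators to hosts that actually contacted them."""
    watch = iocs["ipv4"] | iocs["domain"]
    return [{"ts": r["ts"], "src": r["src"], "indicator": r["host"], "url": r["url"]}
            for r in rows if r["host"] in watch]


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT)
    for hit in match_iocs(found, parse_proxy_log(SAMPLE_PROXY)):
        print(hit)
```

Regular expressions over prose are noisy: version numbers look like IP addresses and a sentence ending in "e.g." can look like a domain, so in practice every extracted indicator should carry its source sentence and confidence, and a hash match should be checked against endpoint telemetry rather than proxy logs. The example keeps only the network indicators to show the end-to-end flow from text to a host worth investigating.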

Figure: A universe of security knowledge, dark to your defenses

Take the Pressure Off Security Analysts

Today’s threat landscape is as volatile as ever, and the ongoing battle between malicious actors and cyberdefenders will only intensify as attack tactics evolve. While there’s no end in sight, AI and machine learning can help level the playing field.

By investing in tools that automatically ingest and prioritize threat intelligence — including unstructured data — and proactively identifying new cybercrime patterns, security leaders can take some of the pressure off their human analysts and free them to focus on day-to-day incident response and bigger-picture defense strategies.

Author: Moazzam Khan

Artificial Intelligence (AI), Cognitive, Cognitive Security, Endpoint, Endpoint Protection, Endpoint Security, Machine Learning, Security Strategy,

It’s Time to Infuse AI Into Your Endpoint Security Strategy

Computing and cybersecurity aren’t changing — they’ve already changed. End users have transformed the way IT works, and this means the widely accepted definition of endpoints has morphed. End users want to be connected to everything, which means virtually everything is (or can be) an endpoint today.

This has opened new possibilities for how we do business, but it has also created more opportunities for bad guys to infiltrate your system. To adapt to the way our modern, hyperconnected world operates, organizations must adopt a new endpoint security strategy built around artificial intelligence (AI) and machine learning.

End the Old Endpoint Security Strategy

The way we think about cybersecurity must shift to keep pace with the increasingly volatile threat landscape. According to Mark Barrenechea, CEO and chief technology officer (CTO) at enterprise information management provider OpenText, we have entered a new era of cognitive computing. Barrenechea spoke at the May 2018 OpenText Enfuse conference in Las Vegas, Nevada, and warned that cybercriminals are no longer after organizations’ money — they are now focused on stealing valuable data and intellectual property.

Today’s cybercriminal community is largely made up of nation-state actors and sophisticated thieves who use this information to commit other types of crime. Data weaponization is becoming increasingly common, with bad actors leveraging stolen information to blackmail executives, facilitate social engineering schemes and more.

This new generation of cybercriminals targets Internet of Things (IoT) devices, such as voice assistants, vehicles and medical devices. Traditional approaches to network security simply won’t work in this new, connected environment.

Cybersecurity currently focuses primarily on malware infections and keeping threat actors out of corporate networks. Malware isn’t going away — it remains an effective way for cybercriminals to gain access to the information they want. While firewalls, antivirus software and other perimeter defenses are still needed, they are no longer sufficient on their own.

The perimeter approach to endpoint security doesn’t address the actual theft of data or how it can be manipulated. It also fails to account for the unique needs of individual organizations. Healthcare, education and financial services, for example, all have different types of data to protect and different entry points through which customers access their networks.

Most importantly, the traditional perimeter security approach doesn’t recognize where data is located: on the endpoints.

Endpoint Security Is a Shared Responsibility

Recent research has forecast that there will be four connected devices for each human on Earth by 2020. What’s more, Bloomberg reported that there will be a total of 1 trillion IoT devices by 2030.

That’s a lot of endpoints to protect.

As a result of this rapid proliferation of connected devices, Barrenechea asserted during his presentation, we are all responsible for endpoint security. That means both companies and their employees have a stake in the security of all endpoints that connect to enterprise networks. However, many organizations simply lack the manpower and expertise to address this responsibility. That’s where AI and machine learning can help.

Machine vs. Machine: Redefine the Role of the Human Analyst

Cybersecurity isn’t about humans versus humans anymore. Of course, humans are still involved, but criminals are increasingly turning to machines to do their heavy lifting. On the security side, however, we still depend too heavily on the human touch. While people will always be necessary, the time has come to think of security in the context of machine versus machine.

Barrenechea advised security leaders to think of AI more as augmented intelligence — machines working with humans. Machine learning can handle the complicated algorithms necessary to defend data in today’s hyperconnected IT landscape. Practical uses for AI include facial recognition technologies and processes that ensure that the right security tools are used in the right situations. This promotes improved situational awareness and communication about potential risks. AI does the grunt work of protecting data and preventing intrusions by other machines, while human analysts act as the second line of defense, verifying the situation and putting plans into action.

Most importantly, AI can defend the data sitting on those billions of endpoints. This is another way to look at machine versus machine: Organizations already struggle to protect devices — especially employee-owned devices connecting to enterprise networks. Machine learning can provide the “manpower” to protect these endpoints.

Machine learning and AI could also be the answer to the cybersecurity skills shortage. This technology can provide the extra assistance overworked analysts need to keep networks safe. When things go wrong, AI can help teams discover and recover from advanced threats.

Information is the world’s most valuable resource, and just one event can take down an entire business. Since you can’t separate data from the device it lives on — and since the bad guys have already figured out how to infiltrate it — your endpoint security strategy must focus on data protection instead of malware. Fortunately for security teams, AI’s time as an essential cyberdefense tool has finally arrived.

Read the peer-authored research report: CISOs Investigate — Endpoint Security

The post It’s Time to Infuse AI Into Your Endpoint Security Strategy appeared first on Security Intelligence.