Cyberattacks are happening faster, targeting multiple threat surfaces simultaneously using a broad range of techniques to evade detection and access valuable data. A favorite attack strategy of bad actors is to use various social engineering, phishing, ransomware, and malware techniques to gain privileged access credentials to bypass Identity Access Management (IAM) and Privileged Access Management (PAM) systems.
Once in a corporate network, bad actors move laterally across an organization, searching for the most valuable data to exfiltrate, sell, or use to impersonate senior executives. IBM found that it takes an average of 287 days to identify and contain a data breach, at an average cost of $3.61M in a hybrid cloud environment. And when ransomware is the attack strategy, the average cost of a data breach skyrockets to $4.62M.
Using AI to anticipate and lure attacks
A perfect use case for AI and machine learning (ML) is deciphering the millions of concurrent data connections a typical enterprise has with the outside world at any given minute. Training supervised machine learning algorithms with data streams helps them identify potential anomalies, even before the algorithm understands what the definition of an anomaly is, according to Boston Consulting Group.
Using AI and ML to lure attackers into simulated environments to analyze their attack strategies, components, and code needs to start at the transaction level. Transaction fraud detection is one of five core areas where AI and ML can improve cybersecurity this year. Additionally, malware detection and user & machine behavioral analysis are among the top five use cases delivering the most value based on their use of AI and ML this year.
Another report by Boston Consulting Group compares AI use cases in cybersecurity by their complexity and benefits. Cybersecurity vendors whose platforms fall in the “high benefits, high complexity” quadrant are the best equipped to use AI and ML to lure attackers into simulated honeypots and reverse engineer their payloads, often down to the executable file level.
How AI will improve cybersecurity in 2022
CISOs tell VentureBeat that the AI and ML use cases in which they see the greatest payoff are pragmatic and driven by the need to reduce the overwhelming workload their analysts face daily. While the apps and platforms each have advanced analytics and detailed modeling, the full feature set rarely gets used. Enterprises see AI and ML cybersecurity-based systems as relief for their overwhelmed staff. Fifty-six percent of executives say their cybersecurity analysts are overwhelmed, according to BCG. When CISOs take a more pragmatic view of AI and ML’s potential contributions to their operations, they often focus on better protecting machine-based transactions.
It’s the machine-based transaction attacks that most concern CISOs and their teams because they’re so quick and so difficult to identify, predict, and stop. BCG found that 43% of executives see an increase in machine-speed attacks. With seven out of every 10 executives believing they can’t respond to or thwart advanced cyberattacks without AI, the demand for AI and ML-based cybersecurity systems in the following five core areas continues to grow.
1. Transaction fraud detection – CISOs tell VentureBeat that the pandemic’s effects on their ecommerce sales are the primary catalyst for investing in AI and ML-based transaction fraud detection. Transaction fraud detection is designed to provide real-time monitoring of payment transactions, using ML techniques to identify anomalies and potential fraud attempts. In addition, ML algorithms are being trained to identify login processes and prevent account takeovers (ATOs), one of the fastest-growing areas of online retail fraud today.
Leading online retailers are training their cybersecurity analysts on transaction fraud detection systems and having their data scientists work with vendors to spot identity spoofing and the use of stolen privileged access credentials. Identifying behaviors that don’t fit the legitimate account holder is also helping to stop impersonation and stolen-credential attacks. Fraud detection and identity spoofing are converging as CISOs and CIOs want a single AI-based platform to scale and protect all transactions. Equifax acquired Kount in 2021 to expand its digital identity and fraud prevention solutions footprint. Leading vendors include Accertify, Akamai, Arkose Labs, BAE Systems, Cybersource, IBM, LexisNexis Risk Solutions, Microsoft, NICE Actimize, and several others.
2. Account Takeover (ATO) – Cybersecurity teams who define multifactor authentication (MFA) as a standard to pass audits and attain regulatory compliance are missing the point and often get hacked with successful account takeover (ATO) attempts. The most reliable approaches to MFA need to include three core areas of something only the user knows, something only the user holds, and something the user is or does. True MFA will include at least two of these three attributes by the user. However, getting users’ behavior to change permanently is far more difficult and a longer-term challenge. That’s why enterprises adopt AI and ML-based platforms that can calculate and assign a risk score for each interaction using a broader set of external variables or indicators aggregated into a series of analytics. AI and ML-based platforms offering protection against ATO are configurable for the relative levels of risk management a given organization wants to take on. When risk scoring identifies a suspicious email or file, it automatically quarantines it to protect all users on the network.
Leading ATO providers include Avanan, Experian, Iovation, and others. Leading providers of passwordless authentication solutions include Microsoft Azure Active Directory (Azure AD), Ivanti Zero Sign-On (ZSO), OneLogin Workforce Identity, and Thales SafeNet Trusted Access. Ivanti Zero Sign-On (ZSO) is noteworthy for its use of adaptive authentication, including multifactor authentication (MFA) based on risk. Zero Sign-On also relies on biometrics, including Apple’s Face ID, as a secondary authentication factor to access work email, unified communications and collaboration tools, and corporate-shared databases and resources. It’s integrated into the Ivanti Unified Endpoint Management (UEM) platform.
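The two sections above describe the same mechanism from two angles: real-time scoring of a login or payment against what is known about the legitimate account holder, with the score deciding whether to allow, step up to MFA, or block. The following is an added example written for this article, not any vendor's model; the signals (new device, geo-velocity, failed-login count, IP reputation, and a z-score on the account's own spending history), the weights, the thresholds, and the sample account data are all constructed for illustration.

```python
"""Risk scoring for logins and payment transactions.

Added example, not any vendor's code. Signals, weights, thresholds and
sample data are constructed; a production system would learn weights
from labelled fraud data.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

# Constructed IP reputation list (RFC 5737 TEST-NET-3 address).
BAD_IPS = {"203.0.113.7"}


@dataclass
class Event:
    """One login or checkout attempt as seen by the fraud engine."""
    user: str
    ts: int                 # Unix seconds
    ip: str
    device_id: str
    lat: float
    lon: float
    amount: float = 0.0     # 0 for a pure login
    failed_logins: int = 0  # failures in the preceding few minutes


@dataclass
class Profile:
    """What is already known about the legitimate account holder."""
    known_devices: set
    last_ts: int
    last_lat: float
    last_lon: float
    past_amounts: list = field(default_factory=list)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_event(ev: Event, prof: Profile):
    """Return (risk score 0-100, list of indicators that fired)."""
    score, reasons = 0, []
    if ev.device_id not in prof.known_devices:
        score += 25
        reasons.append("new_device")
    # Geo-velocity: distance from the last seen location over elapsed time.
    hours = max((ev.ts - prof.last_ts) / 3600.0, 1 / 60)
    speed = haversine_km(prof.last_lat, prof.last_lon, ev.lat, ev.lon) / hours
    if speed > 900:  # faster than a commercial flight
        score += 40
        reasons.append("impossible_travel")
    if ev.failed_logins >= 3:
        score += 20
        reasons.append("credential_guessing")
    if ev.ip in BAD_IPS:
        score += 30
        reasons.append("bad_ip_reputation")
    # Amount anomaly relative to this account's own history (z-score).
    if ev.amount > 0 and len(prof.past_amounts) >= 5:
        mu, sd = mean(prof.past_amounts), pstdev(prof.past_amounts)
        z = (ev.amount - mu) / sd if sd else (0.0 if ev.amount == mu else float("inf"))
        if z > 3:
            score += 25
            reasons.append("amount_outlier")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """Map a score to an action; thresholds are tuned to the organization's risk appetite."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step_up_mfa"
    return "allow"


# Constructed sample data: an account holder normally active in London.
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
PROFILE = Profile({"dev-A"}, 1_700_000_000, *LONDON, [20.0, 25.0, 30.0, 22.0, 28.0])
SAMPLE_EVENTS = {
    "routine": Event("alice", 1_700_003_600, "198.51.100.4", "dev-A", *LONDON, 27.0),
    "new_device": Event("alice", 1_700_003_600, "198.51.100.4", "dev-B", *LONDON, 0.0, 3),
    "takeover": Event("alice", 1_700_001_800, "203.0.113.7", "dev-C", *NEW_YORK, 500.0),
}


def evaluate(name: str):
    """Score one named sample event: (score, decision, reasons)."""
    score, reasons = score_event(SAMPLE_EVENTS[name], PROFILE)
    return score, decide(score), reasons


if __name__ == "__main__":
    for name in SAMPLE_EVENTS:
        print(name, evaluate(name))
```

The "takeover" sample trips every indicator at once (new device, a London-to-New York hop in 30 minutes, a listed IP, and a purchase far outside the account's history) and is blocked outright, while a known device with a few failed attempts is only pushed to step-up MFA. Keeping the indicators in the result, rather than just the score, is what lets an analyst review why the engine quarantined a transaction.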
3. Defending against ransomware – Organizations fell victim to a ransomware attack every 11 seconds by 2021, up from every 40 seconds in 2016, and the average cost of a traditional breach reached $3.86 million. Absolute Software has analyzed the anatomy of ransomware attacks and provided key insights in its study. Its analysis of how a ransomware attack takes place is illustrated in the graphic below:
Taking steps to improve the security hygiene of an enterprise, including adopting MFA on every endpoint, is just the starting point. Getting patch management right can make a difference in how secure an enterprise stays when bad actors attempt to launch a ransomware attack. AI and ML are making a difference against ransomware by automating patch management with bots instead of relying on brute-force endpoint inventory methods. AI-powered bots use constraint-based algorithms to pinpoint which endpoints need updates and probable risk levels. Algorithms use current and historical data to identify the specific patch updates and provide the build any given endpoint device needs.
Another advantage of taking more of a bot-based approach to patch management is how it can autonomously scale across all endpoints and networks of an organization. Automated patch management systems need more historical ransomware data to train AI and machine learning-based models better and fine-tune their predictive accuracy further.
That’s what makes the approach taken by RiskSense, which Ivanti recently acquired, noteworthy. Ivanti gained the largest, most diverse data set of vulnerabilities and exposures through the RiskSense Vulnerability Intelligence and Vulnerability Risk Rating. The risk ratings reflect the future of ML-driven patch management by prioritizing and quantifying adversarial risk based on factors such as threat intelligence, in-the-wild exploit trends, and security analyst validation.
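The three paragraphs above describe a pipeline: rate each missing patch by adversarial risk (severity adjusted by threat intelligence, in-the-wild exploit trends, and analyst validation), roll that up to the endpoints that need updates, and let a constraint such as maintenance-window capacity decide the order. The following is an added example written for this article; it is not RiskSense's or Ivanti's rating model, and the weights, hosts, vulnerability records and window capacity are constructed, with placeholder CVE ids.

```python
"""Risk-rated patch prioritisation with a maintenance-window constraint.

Added example, not RiskSense's or Ivanti's scoring model. Weights,
hosts and vulnerability records are constructed; CVE ids are placeholders.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Vuln:
    cve: str                 # placeholder id, not a real CVE
    cvss: float              # base severity, 0-10
    exploited_in_wild: bool  # in-the-wild exploit trend
    ransomware_linked: bool  # threat intelligence: used in ransomware campaigns
    analyst_validated: bool  # a security analyst confirmed exploitability


@dataclass
class Endpoint:
    host: str
    internet_facing: bool
    missing: List[Vuln] = field(default_factory=list)  # patches not yet applied


def risk_rating(v: Vuln) -> float:
    """Adversarial risk on a 0-100 scale: severity adjusted by evidence of use."""
    score = v.cvss * 10.0
    if v.exploited_in_wild:
        score *= 1.5
    if v.ransomware_linked:
        score += 15.0
    if v.analyst_validated:
        score += 10.0
    return round(min(score, 100.0), 1)


def endpoint_risk(ep: Endpoint) -> float:
    """An endpoint is as risky as its worst missing patch, more so if exposed."""
    worst = max((risk_rating(v) for v in ep.missing), default=0.0)
    if ep.internet_facing:
        worst = min(worst * 1.2, 100.0)
    return round(worst, 1)


def patch_order(endpoints):
    """Endpoints that need updates, highest risk first; host name breaks ties."""
    needing = [ep for ep in endpoints if ep.missing]
    return sorted(needing, key=lambda ep: (-endpoint_risk(ep), ep.host))


def schedule(endpoints, capacity: int):
    """Constraint: at most `capacity` endpoints per maintenance window."""
    ordered = [ep.host for ep in patch_order(endpoints)]
    return [ordered[i:i + capacity] for i in range(0, len(ordered), capacity)]


# Constructed sample data.
V_WORM = Vuln("CVE-XXXX-0001", 9.8, True, True, True)
V_PRIV = Vuln("CVE-XXXX-0002", 7.5, False, False, False)
V_OLD = Vuln("CVE-XXXX-0003", 5.3, True, False, False)
FLEET = [
    Endpoint("web-01", True, [V_PRIV]),
    Endpoint("db-02", False, [V_WORM]),
    Endpoint("laptop-03", False, [V_OLD]),
    Endpoint("kiosk-04", False, []),
]

if __name__ == "__main__":
    for ep in patch_order(FLEET):
        print(ep.host, endpoint_risk(ep))
    print(schedule(FLEET, 2))
```

Note how the medium-severity but actively exploited flaw (V_OLD) outranks the higher-CVSS but unexploited one (V_PRIV) until the latter is found on an internet-facing host; that reordering by evidence of exploitation, rather than by base severity alone, is the point of a risk rating.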
Microsoft’s accelerating acquisitions in cybersecurity reflect the priority it is putting on ransomware. In a blog post, Microsoft announced its acquisition of RiskIQ on July 12, 2021. RiskIQ’s services and solutions will join Microsoft’s suite of cloud-native security products, including Microsoft 365 Defender, Microsoft Azure Defender, and Microsoft Azure Sentinel.
4. Identity proofing – Bad actors attempt to create false identities and privileged access credentials with banks, educational institutions, financial services, and health care facilities to defraud the institution and potentially breach its systems. Identity proofing reduces fraud by verifying the identity of new customers when they submit applications for care, enrollment or services, account openings, and balance transfers for new accounts. AI and ML adoption are diverse across the identity proofing market, including identity affirmation and identity proofing tools. ML algorithms rely on convolutional neural networks to assess the authenticity of photo IDs and related photo-based documents, applying attack detection techniques to an image before attempting to match it to the photo ID.
Identity proofing and affirmation are both needed to reduce fraud, which is one of the challenges vendors competing in this market are addressing through API-based integration across platforms. Additionally, identity-proofing vendors are seeing exponential growth due to the pandemic, with venture capital firms investing heavily in this area. Identity verification startup Incode, which recently raised $220 million in a Series B funding round, led by General Atlantic and SoftBank with additional investment from J.P. Morgan and Capital One, is one of many new entrants in this growing market.
5. Process behavior analysis – AI and ML are paying off in this area of cybersecurity today due to their combined strengths at quickly identifying potential breach attempts and acting on them. Process behavior analysis concentrates on identifying anomalous, potentially malicious behavior earlier based on patterns in behavior. As a result, it’s proven particularly effective in thwarting attacks that don’t necessarily carry payloads.
An excellent example of process behavior analysis is how Microsoft 365 Defender relies on behavior-based detections and machine learning to identify when endpoints need to be healed and carries out the necessary steps autonomously with no human interaction. Microsoft 365 does this by continually scanning every file in Outlook 365. Microsoft 365 Defender is one of the most advanced behavioral analysis systems supporting self-healing endpoints, capable of correlating threat data from emails, endpoints, identities, and applications. When there’s a suspicious incident, automated investigation results classify a potential threat as malicious, suspicious, or “no threat found.” Microsoft 365 Defender then takes a series of autonomous actions to remediate malicious or suspicious artifacts. Remediation actions include sending a file to quarantine, stopping a process, isolating a device, or blocking a URL. A Virtual Analyst is also part of the Microsoft 365 Defender suite that provides autonomous investigation and response.
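The flow described above, behavior-based detection feeding a three-way verdict (malicious, suspicious, no threat found) that drives autonomous remediation (quarantine a file, stop a process, isolate a device, block a URL), is illustrated below in an added example written for this article. It is not Microsoft 365 Defender's logic; the behavioral rules, their weights, the verdict thresholds, the URL reputation set and the sample process events are all constructed.

```python
"""Behavior-based process triage with autonomous remediation.

Added example illustrating the verdict-then-remediate flow; not
Microsoft 365 Defender's logic. Rules, weights, thresholds, reputation
data and sample events are constructed.
"""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
BLOCKED_URLS = {"http://malware.example/"}  # constructed reputation feed
MASS_WRITE_THRESHOLD = 200  # files modified in one observation window


@dataclass
class ProcEvent:
    """One process observation as an endpoint sensor would report it."""
    device: str
    parent: str          # parent process image name
    image: str           # process image name
    path: str            # on-disk path of the image
    cmdline: str
    files_written: int = 0
    url: str = ""        # outbound URL contacted, if any


def detect(ev: ProcEvent):
    """Return the (indicator, weight) rules that fired for this event."""
    hits = []
    parent, image = ev.parent.lower(), ev.image.lower()
    args = ev.cmdline.lower().split()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append(("office_app_spawned_script_host", 50))
    if image == "powershell.exe" and any(a.startswith("-enc") for a in args):
        hits.append(("encoded_powershell", 30))
    if ev.files_written >= MASS_WRITE_THRESHOLD:
        hits.append(("mass_file_modification", 60))
    if ev.url in BLOCKED_URLS:
        hits.append(("known_bad_url", 40))
    return hits


def classify(hits) -> str:
    """Three-way verdict from the summed weights of the indicators."""
    score = sum(weight for _, weight in hits)
    if score >= 70:
        return "malicious"
    if score >= 30:
        return "suspicious"
    return "no threat found"


def remediate(ev: ProcEvent, verdict: str, hits):
    """Autonomous actions: nothing for clean events, escalating otherwise."""
    actions = []
    if verdict == "no threat found":
        return actions
    actions.append(f"stop_process:{ev.image}")
    actions.append(f"quarantine_file:{ev.path}")
    if any(name == "known_bad_url" for name, _ in hits):
        actions.append(f"block_url:{ev.url}")
    if verdict == "malicious":
        actions.append(f"isolate_device:{ev.device}")
    return actions


def investigate(ev: ProcEvent):
    """Full automated investigation: (verdict, indicators, actions taken)."""
    hits = detect(ev)
    verdict = classify(hits)
    return verdict, [name for name, _ in hits], remediate(ev, verdict, hits)


# Constructed sample events.
SAMPLES = {
    "benign": ProcEvent("ws-01", "explorer.exe", "notepad.exe",
                        r"C:\Windows\notepad.exe", "notepad.exe notes.txt"),
    "suspicious": ProcEvent("ws-02", "winword.exe", "cmd.exe",
                            r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    "malicious": ProcEvent("ws-03", "winword.exe", "powershell.exe",
                           r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                           "powershell.exe -EncodedCommand PLACEHOLDER",
                           files_written=850, url="http://malware.example/"),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(name, investigate(ev))
```

None of the rules inspects a file hash or signature: the "malicious" sample is caught purely from how the process behaves (which process launched it, an encoded command line, hundreds of files rewritten, and a contact to a listed URL), which is what lets this kind of analysis act on attacks that carry no recognizable payload. The verdict thresholds are the knob an organization would tune: raising the "suspicious" floor reduces automatic quarantines at the cost of more analyst review.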