AI for Cyber Security

AI for log analysis and correlation of discrete events to identify threat patterns

Log files are potent weapons in your organization’s fight against hackers.

However,

• Incredibly large volumes of data have to be analyzed from these files.
• Your security professionals just don’t have the time and resources to go through all the log data.

While technologies like SIEM do a good job of isolating individual threats, such methods need complementary modern approaches like artificial intelligence (AI). AI can mimic what a human does. This means it can find complex threat patterns from logged data.

As an example, your email infrastructure may comprise several email servers for load-sharing and failure redundancy.

1. The DNS entries for these servers are stored in Mail Exchange (MX) records.
2. Hackers target these records to hijack your emails to one of their own server, commonly called a command and control server (C2).
3. Typically, these C2 servers are hidden in suspicious IP addresses, which look like 0.0.0.0, 1.1.1.1, 255.255.255.255, etc.

As a result, your cybersecurity experts have to look for this known pattern—involving a suspect IP address, MX queries, and communication with an unknown server—among tons of records. Moreover, effective remediation involves analysis of additional information, such as IP address of the compromised machine(s), number of failed/successful logins, volume of transactions on the suspect C2 server, and so on.

You can imagine that with an incredibly large number of such known patterns out there—documented in well-known threat databases such as MITRE ATT&CK—the task of identifying clear and present threats from heaps of logged records can be daunting and time-, effort-intensive.

AI tools can be trained to recognize known risky patterns to not only flag such combinations instantly but also promptly shut down access to the suspicious server. A report of threat detection and action performed will also be generated for further human action, if necessary.

In this manner, AI can be used to correlate seemingly discrete events into specific threat patterns and trigger a corresponding automated response. Such an approach drastically reduces the time to respond to a threat, a life-saver in implementing ironclad security for your IT infrastructure.

This reliable approach involving multiple factors in decision-making and response saves precious time and money for your organization. Most importantly, it saves your valued IT security professionals from burnout by executing certain cognitive tasks on their behalf.

Keeping up in real-time with the ever-changing cybersecurity landscape

According to Avast, 350,000 malicious software and potentially unwanted applications (PUA) are created every day.

This means

• Known patterns of attack are decreasing, making signature-based anti-malware safeguards redundant in many attacks.
• A more cognitive approach has to be used to respond in real-time to suspicious malware activity.
• There is no one way to detect behavior-based threats.

For instance, the symptoms of an insider threat would be different from that of a sophisticated external attempt to hack into your systems. This creates myriad contexts and numerous suspect behavior patterns within each context.

AI can be used to mimic a human security analyst, not replace one. AI uses context-based good and bad behavior models to detect and respond to specific threats. Such

modelling can also eliminate false positives, minimizing alerts fatigue that security professionals are commonly prone to.

After detecting the threat initially, AI can be trained to perform additional checks and thereby arrive at an automated decision to allow a transaction or terminate it.

An ounce of prevention is better than a pound of cure

Your experts are regularly recceing and closing potential threat gates through scans, patch identification and management, upgrades, and other such activities. The modern cybersecurity ecosystem involves several security tools to carry out these activities.

Such security tasks can be many and may be dependent on several triggers, such as

• Preset schedules;
• An incident, internal or elsewhere;
• News bulletins;
• New employees;
• A new suspect IP detection;
• Digital transformation projects, broadening the scope of equipment and devices in use;
• Remote locations for business operations; and/or
• A new supplier or partner business.

AI tools can be trained, through machine learning and deep learning, to automatically trigger recce actions based on any, or a combination, of such factors. This releases your precious security experts for proactive planning- and analyses-related activities.

Most importantly, remember that AI is self-learning. As you deploy AI, it can be set up to learn continually to constantly increase its scope of activities.