Security leaders investing in automation and AI, study shows

Nearly four in 10 organisations rely on automation, 34% rely on machine learning, and 32% are highly reliant on artificial intelligence (AI) for their cyber defences, according to Cisco’s latest security report.

The report revealed that security leaders plan to invest in these capabilities in the face of increased malware sophistication as adversaries begin to weaponise cloud services and evade detection by using encryption for command-and-control activity.

Although encryption is meant to enhance security, the report highlighted the fact that with about half of web traffic now encrypted, it is increasingly difficult for defenders to identify and monitor potential threats.

Cisco threat researchers observed a more than threefold increase in encrypted network communication used by inspected malware samples over a 12-month period.

Applying machine learning can help to enhance network security defences and, over time, “learn” how to automatically detect unusual patterns in encrypted web traffic, cloud and internet of things (IoT) environments, the report said, adding that although they are still in their infancy, machine learning and AI technologies will mature.

“Last year’s evolution of malware shows that adversaries are becoming wiser at exploiting undefended gaps in security,” said John Stewart, senior vice-president, and chief security and trust officer at Cisco. “Like never before, defenders need to make strategic security improvements, technology investments, and incorporate best practices to reduce exposure to emerging risks.”

However, the Cisco report coincided with a report by UK and US experts that warned that AI is also likely to be used by attackers, who are expected to not only use the technology to increase the effectiveness of attacks, but also to exploit weaknesses in AI technologies by poisoning data, for example. The report on the malicious use of AI called on those designing AI systems to do more to consider and mitigate possible misuses of their technology.

The Cisco report also revealed that more than half of all attacks reviewed in the past year resulted in financial damage of more than $500,000, including, but not limited to, lost revenue, customers, opportunities and out-of-pocket costs.

Supply chain attacks are also increasing in velocity and complexity, the report said, pointing out that these attacks can impact computers on a massive scale and can persist for months or even years.

Defenders should be aware of the potential risk of using software or hardware from organisations that do not appear to have a responsible security posture, the report said, citing two such attacks in 2017, Nyetya and Ccleaner, which infected users by attacking trusted software. Cyber defenders should review third-party efficacy testing of security technologies to help reduce the risk of supply chain attacks, the report said.

According to Cisco researchers, security is getting more complex and the scope of breaches is expanding. Defenders are implementing a complex mix of products from a cross-section of suppliers to protect against breaches, but this complexity and the growth in breaches have many downstream effects on an organisation’s ability to defend against attacks, such as increased risk of losses, the report said.

In 2017, 25% of security professionals said they used products from 11 to 20 suppliers, up from 18% in 2016. Meanwhile, 32% of breaches in 2017 affected more than half of organisations’ systems, compared with just 15% in 2016.

Security professionals see value in behavioural analytics tools in locating malicious actors in networks, the report said, with 92% of security professionals saying such tools work well. The biggest users of behavioural analytics tools are the healthcare and financial services sectors.

Use of cloud is growing, the report said, despite the fact that attackers are taking advantage of the lack of advanced security to defend these environments. According to the report, 27% of security professionals said they are using off-premise private clouds, compared with 20% in 2016. Of these, 57% said they host networks in the cloud because of better data security, 48% because of scalability and 46% because of ease of use.

However, the report noted that although the cloud offers better data security, attackers are taking advantage of the fact that security teams are having difficulty defending evolving and expanding cloud environments. “The combination of best practices, advanced security technologies like machine learning, and first-line-of-defence tools like cloud security platforms can help protect this environment,” the report said.

Trends in malware volume have had an impact on defenders’ time to detection (TTD), the report said, with the median TTD of about 4.6 hours between November 2016 and October 2017, which is well below the 39-hour median TTD reported in November 2015, and the 14-hour median reported in the Cisco 2017 Annual Cybersecurity Report for the period from November 2015 to October 2016.

“The use of cloud-based security technology has been a key factor in helping Cisco to drive and keep its median TTD to a low level,” the report said. “Faster TTD helps defenders move sooner to resolving breaches.”

The Cisco report also recommends that defenders:

• Confirm that they adhere to corporate policies and practices for application, system and appliance patching.
• Access timely, accurate threat intelligence data and processes that allow for that data to be incorporated into security monitoring.
• Perform deeper and more advanced analytics.
• Back up data often and test restoration procedures.
• Conduct security scanning of microservice, cloud service and application administration systems.