There are new techniques that cyber defenders can use that can offer significant advantages, according to John Tolbert, lead analyst at KuppingerCole.
“An appropriately outfitted security architecture that makes use of technologies such as machine learning and user behaviour analytics can offer some defensive advantages,” he told Computer Weekly. “But because the threat landscape and defence options are continually changing, it is important for business leaders to ensure they keep up with what the latest developments are.”
Being aware of the threats that a particular organisation, in a particular industry and geographical location, could face, and of the latest thinking on how to counter them, is essential to identifying the best tools for solving particular business problems, said Tolbert.
At the most basic level, however, he said it is always important for organisations to follow the example set by mature companies in the wake of WannaCry and NotPetya and ensure that all their software is kept up to date, so that they benefit from the good job many software suppliers are doing in defending users against the latest cyber threats.
“Suppliers of antimalware software and business operating systems and applications deserve credit for doing a reasonably good job of keeping up with new cyber threats, but that needs to be matched with good software patching practices within organisations, which is still missing in many cases,” said Tolbert.
Beyond the basics, such as good patch management, he said organisations should be looking at the latest cyber defence technologies, such as artificial intelligence (AI) based systems.
“But there has been a lot of marketing hype around AI and machine learning, so it is important for business leaders to look beyond that to understand what the real value of any particular AI-based security technology is for their particular organisation.”
There is a role for AI in cyber security and there are many legitimate uses for it, said Tolbert, and so while these systems cannot be dismissed out of hand as hype, they also cannot all be considered to be of equal value. “This is why it is important to understand exactly what each can and cannot do,” he said.
When considering any product or service, Tolbert said organisations should ask how AI is being used to ascertain if it is being applied meaningfully and that there is a legitimate use that makes sense.
“Consider if it is the kind of thing where additional automation or the volume of malware samples or data that a particular security product has to deal with is such that you can see a real improvement or gain. It is also a good idea to find out what kinds of algorithms are being used, if the supplier is trying to patent their technology, and what their long-term strategy around AI is.”
According to Tolbert, there are three main areas where AI is being most effectively applied. These are endpoint anti-malware protection, endpoint detection and response, and security event analysis.
“We are long past the point that signature-based anti-malware is anywhere close to being completely effective, so it is imperative that endpoint protection suppliers are using machine learning techniques to look at all the different kinds of behaviour that they may find on a system,” he said.
Patterns of behaviour
Common applications of AI include code pattern analysis, memory analysis at runtime and exploit analysis, all of which draw on known good and known bad patterns and behaviour.
“If you can stop the things you know are bad, flag for follow-up anything that appears questionable, and run things in sandboxes, these are all great ways of using machine learning, as is endpoint detection and response to deal with malware that makes it past initial defences by looking at patterns of activity on a given endpoint.
“Machine learning can also be applied to the network layer in terms of traffic analysis and security incident event monitoring,” he said. “Machine learning is enabling the next generation of analytics tools for pattern analysis for security events at the network, machine or process level.”
User behaviour analytics is another important application of AI technologies, said Tolbert, noting that it is starting to be incorporated in many different security products and platforms, even though it is not commonly found as a stand-alone service.
“Behaviour analytics is definitely another place where you see the application of machine learning techniques, looking at user interactions with machine systems and applications over time, and developing a baseline of what is normal,” he said.
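The baselining idea Tolbert describes, developing a per-user picture of what is normal from interactions over time and then flagging departures from it, can be shown in miniature. The following is an added illustration, not code from the article or from KuppingerCole: it builds a profile for each user from a constructed set of login events (hour-of-day histogram and the set of source hosts seen), then scores later events against that profile. It also handles the cold-start case, where a user has too few historical events for any verdict to be meaningful. The thresholds and the event format are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Thresholds are illustrative assumptions, not values from the article.
MIN_BASELINE_EVENTS = 5    # below this a profile is too thin to judge deviations
RARE_HOUR_FRACTION = 0.05  # an hour seen in <5% of a user's logins counts as off-pattern

# Constructed sample data: (user, ISO-8601 timestamp, source host).
BASELINE_EVENTS = [
    ("alice", "2018-10-01T08:15:00", "wks-alice"),
    ("alice", "2018-10-02T09:02:00", "wks-alice"),
    ("alice", "2018-10-03T08:40:00", "wks-alice"),
    ("alice", "2018-10-04T09:11:00", "wks-alice"),
    ("alice", "2018-10-05T10:05:00", "wks-alice"),
    ("alice", "2018-10-08T08:58:00", "wks-alice"),
    ("bob",   "2018-10-01T13:20:00", "wks-bob"),
    ("bob",   "2018-10-02T13:45:00", "wks-bob"),
    ("bob",   "2018-10-03T14:02:00", "wks-bob"),
]

NEW_EVENTS = [
    ("alice", "2018-10-09T09:30:00", "wks-alice"),  # in-pattern
    ("alice", "2018-10-10T03:10:00", "wks-alice"),  # unusual hour
    ("alice", "2018-10-10T09:00:00", "vpn-gw-7"),   # never-seen source host
    ("bob",   "2018-10-09T10:00:00", "wks-bob"),    # profile too thin to judge
    ("carol", "2018-10-09T10:00:00", "wks-carol"),  # no profile at all
]


def build_baseline(events):
    """Per-user profile: hour-of-day histogram, hosts seen, and event count."""
    profiles = defaultdict(lambda: {"hours": Counter(), "hosts": set(), "n": 0})
    for user, ts, host in events:
        profile = profiles[user]
        profile["hours"][datetime.fromisoformat(ts).hour] += 1
        profile["hosts"].add(host)
        profile["n"] += 1
    return dict(profiles)


def score_event(profiles, event):
    """Return (verdict, reasons) for one event against the user's baseline."""
    user, ts, host = event
    profile = profiles.get(user)
    if profile is None or profile["n"] < MIN_BASELINE_EVENTS:
        # Cold start: refusing to judge is better than a noisy false alarm.
        return "insufficient_baseline", []
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if profile["hours"][hour] / profile["n"] < RARE_HOUR_FRACTION:
        reasons.append(f"unusual hour {hour:02d}:00")
    if host not in profile["hosts"]:
        reasons.append(f"new source host {host}")
    return ("anomalous" if reasons else "normal"), reasons


def review(profiles, events):
    """Score every event; returns a list of (user, timestamp, verdict, reasons)."""
    results = []
    for event in events:
        verdict, reasons = score_event(profiles, event)
        results.append((event[0], event[1], verdict, reasons))
    return results


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for user, ts, verdict, reasons in review(baseline, NEW_EVENTS):
        print(f"{ts} {user:6} {verdict:22} {'; '.join(reasons)}")
```

The two checks here (hour-of-day frequency and previously seen hosts) stand in for the richer feature sets a real product would learn; the point worth keeping is the explicit minimum-history rule, since a baseline built from a handful of events produces exactly the noise analysts complain about.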
Human analysts still necessary
While many suppliers have highlighted the shortage of people with cyber security skills and claimed AI-based technologies will save them from their inability to attract and retain talent, Tolbert said business leaders need to understand that although AI-enabled automation may take care of lower level security functions, it is unlikely to take the need for human security analysts out of the equation any time soon.
“AI is good for taking care of some of the routine, mundane security tasks, and even doing some very good filtering to reduce the noise and provide truly meaningful data for analysts to work with, but this is essentially a support for analysts, not a replacement for them.
“Business leaders who may be looking at AI technologies as a one-size-fits-all solution that will solve all their cyber security personnel problems should understand that it is probably never going to do that.”
Another key area of focus for business leaders, said Tolbert, is protecting identities. “It is important from the consumer perspective and it is important from an enterprise perspective.
“There is also real synergy between privileged identity management and some of the traditional antivirus and firewall security concepts because wherever an attacker gets in, they typically want to escalate privileges so they can move around the network.
“On the whole, I think organisations need to start bringing identity management and identity protection concepts back into the cyber security fold and treat them as parts of the whole that people in the information security business need to address.”
The importance of user security awareness
Although it is important for business leaders to stay on top of security threat and defence technologies, Tolbert said they should also not overlook the importance of user security awareness education and training.
“I don’t think most users want to be security experts, and I don’t think we will ever get to the point where they are, but we still need to provide them with the best information as well as tools to make the right decisions,” he said.
Tolbert noted that users continue to be targeted by phishing emails and other social engineering attacks, which adversaries commonly use to get into networks and gain a foothold for further malicious activity that can be extremely damaging to the business.
Tolbert is to discuss these topics in more detail in a session entitled The state of the art of anti-malware protection at the Cybersecurity Leadership Summit 2018 Europe in Berlin from 12 to 14 November.