Threat Hunter: How AI helps protect your business

Kerstin Stief
4 min read · May 27, 2021

Let’s get one thing straight right away: This article is not about classic perimeter protection. The perimeter is dead! In this article, you’ll learn how to truly protect your business model from cyber threats — both internal and external.

Threats of a modern work world
Cyberthreats lurking around every corner.

More than six out of ten U.S. IT leaders say the pandemic has made it harder to defend against cyberattacks. In Germany, the situation is likely to be considerably worse. Covid-driven digitisation and a mass migration to remote work, together with the consumerization of IT (of which Bring Your Own Device, BYOD, is the familiar form), share some of the blame for the rise in already numerous cyberattacks and high-profile data breaches at companies and governments alike.

Race against time. Or? OR?!
Cybercriminals are constantly developing new methods and getting better at disguising themselves as legitimate applications or connections. Traditional approaches to cybersecurity have never been able to keep up. Virus scanners, URL blockers, and IP and port filters have only ever reacted: each needs a known signature, a known bad URL or a known bad address before it can block anything. Not one of them is a match for zero-day attacks or inside perpetrators, because neither comes with a known signature.

The first glimmers of hope came with the first true next-generation (NG) firewalls. Palo Alto Networks, Barracuda and Adyton (now LANCOM R&S®Unified Firewalls) were the first representatives of this guild. At the heart of this new generation of firewalls was (and still is) the single-pass engine with its application and protocol decoders. In the case of PAN this was an in-house development; Barracuda and Adyton both relied on the deep packet inspection experience of Ipoque and its app and protocol decoders. Barracuda has since built its own engine. Like Adyton at the time, Ipoque belongs to Rohde & Schwarz, and LANCOM, acquired later, probably still uses this technology today. If you know the history of this Saxon cluster of companies, you know that rhebo and cognitix also have their roots in Ipoque, which was founded in Leipzig back in 2005.

Not only are the new-generation firewalls much more reliable at detecting potential threats, they are also almost lossless and still operate at near line speed even under full load. The manufacturers quickly realised another advantage: unlike the cumbersome UTMs or proxy firewalls, the new generation is not only suited to gatekeeping at the perimeter. NG firewalls can be placed transparently anywhere in the network, for example as segmentation gateways between network zones, in the cloud or at the edge.

Soon, another feature was added: artificial intelligence. This opened up completely new possibilities. And new vendors entered the market: rhebo, Vectra, cognitix (now genua cognitix Threat Defender) and DARKTRACE.

But, but, but, … AI just learns from historical data, too!
Yes, it does. However, AI in network security products is not trained on past or known attacks. The algorithms learn from the ground up what behaviour of applications, network traffic, devices and users is normal or harmless. Deviations from that baseline can be flagged as anomalies or blocked outright. Because nothing needs to be known in advance about the attack itself, zero-day attacks, internal perpetrators and advanced persistent threats (long-running, multi-stage intrusions) can all be detected.

The other side of the coin: if a malicious pattern is already present while the baseline is being learned, the AI learns it as normal. False positives are also possible, for example after abrupt changes. This was the case when Covid struck and employees changed their behaviour from one day to the next. With Work from Home (WfH), it wasn't just the connections in the network that changed. Employees' schedules and company procedures were suddenly very different, too, and a model trained on office life saw anomalies everywhere.
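To make the two preceding paragraphs concrete, here is an added example (not code from the article or from any of the vendors it names) of the simplest possible behaviour baseline: it learns, per host, the peers, active hours and byte volumes seen in a learning window, then scores new flows against that. The host names, addresses and byte counts are constructed; the beacon to 203.0.113.10 is deliberately present during learning so that the "already established malicious pattern" failure mode shows up, and the WfH records show the false-positive storm after an abrupt change. The last function is the threat-hunting step a practitioner adds on top: a search over the learning data itself for fixed-cadence, fixed-size connections, which baselining alone will happily accept as normal.

```python
"""Behaviour baselining over NetFlow-style records: learn 'normal', flag deviations.

Added example (not from the article). All hosts, addresses and byte counts are
constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Flow record: (hour_of_day, host, dst_ip, dst_port, bytes)
TRAINING = [
    (9, "ws-01", "10.0.0.5", 445, 52000), (10, "ws-01", "10.0.0.5", 445, 48000),
    (11, "ws-01", "10.0.0.2", 53, 300), (14, "ws-01", "10.0.0.5", 445, 51000),
    (9, "ws-02", "10.0.0.5", 445, 30000), (13, "ws-02", "10.0.0.2", 53, 280),
    # ws-02 is already beaconing while the baseline is learned (hourly, ~900 bytes)
    (9, "ws-02", "203.0.113.10", 443, 900), (10, "ws-02", "203.0.113.10", 443, 910),
    (11, "ws-02", "203.0.113.10", 443, 890), (12, "ws-02", "203.0.113.10", 443, 905),
]

def build_baseline(flows):
    """Per host: known (dst, port) peers, active-hour window and byte-volume statistics."""
    base = {}
    for hour, host, dst, port, nbytes in flows:
        b = base.setdefault(host, {"peers": set(), "hours": [], "bytes": []})
        b["peers"].add((dst, port))
        b["hours"].append(hour)
        b["bytes"].append(nbytes)
    for b in base.values():
        b["hour_range"] = (min(b["hours"]), max(b["hours"]))
        b["mean"], b["std"] = mean(b["bytes"]), pstdev(b["bytes"])
    return base

def score(baseline, flow, z_threshold=3.0):
    """Reasons why a flow deviates from its host's learned behaviour; [] means 'normal'."""
    hour, host, dst, port, nbytes = flow
    b = baseline.get(host)
    if b is None:
        return ["unknown-host"]
    reasons = []
    if (dst, port) not in b["peers"]:
        reasons.append("new-peer")
    lo, hi = b["hour_range"]
    if not lo <= hour <= hi:
        reasons.append("unusual-hour")
    if b["std"] > 0 and abs(nbytes - b["mean"]) / b["std"] > z_threshold:
        reasons.append("volume-outlier")
    return reasons

def flagged_fraction(baseline, flows):
    """Share of flows that raise at least one reason (a proxy for the alert rate)."""
    return sum(1 for f in flows if score(baseline, f)) / len(flows)

def suspicious_learned_peers(flows, min_count=4, max_cv=0.05):
    """Threat hunt over the learning data: peers contacted at a fixed cadence with
    near-constant payload size, the classic beacon shape that baselining alone
    would quietly accept as normal."""
    groups = defaultdict(list)
    for hour, host, dst, port, nbytes in flows:
        groups[(host, dst, port)].append((hour, nbytes))
    hits = []
    for key, obs in groups.items():
        if len(obs) < min_count:
            continue
        hours = sorted(h for h, _ in obs)
        sizes = [n for _, n in obs]
        gaps = {b - a for a, b in zip(hours, hours[1:])}
        if len(gaps) == 1 and pstdev(sizes) / mean(sizes) < max_cv:
            hits.append(key)
    return hits

# Detection phase
DETECTION = [
    (10, "ws-01", "10.0.0.5", 445, 50000),        # ordinary file-server traffic
    (10, "ws-02", "203.0.113.10", 443, 895),      # the beacon continues
    (3, "ws-01", "10.0.0.9", 3389, 5_000_000),    # RDP to a new host at 3 am, 5 MB
]
# The day everyone started working from home: new SaaS peers, shifted hours
WFH = [
    (7, "ws-01", "198.51.100.20", 443, 60000),
    (20, "ws-01", "10.0.0.5", 445, 50000),
    (8, "ws-02", "198.51.100.20", 443, 55000),
]

if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for flow in DETECTION:
        print(flow[1], flow[2], flow[3], score(baseline, flow) or "normal")
    print("alert rate on WfH traffic:", flagged_fraction(baseline, WFH))
    print("after re-baselining:", flagged_fraction(build_baseline(TRAINING + WFH), WFH))
    print("beacons hiding in the baseline:", suspicious_learned_peers(TRAINING))
```

Run as written, the 3 am RDP session is flagged for three independent reasons, the beacon is not flagged at all because it was part of the learning window, every WfH flow is an alert until the baseline is rebuilt with the new traffic, and the beacon only surfaces through the separate hunt. Commercial products model far more features per application and user, but the two failure modes are structural, not a matter of model sophistication.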

Whitelisting on Steroids
IT security of the new generation is essentially based on whitelisting (today more often called allowlisting). Only trusted applications, devices or users are granted access to specific processes and data; everything else is denied by default.

With whitelisting, fingerprints, in practice cryptographic hashes, are used to check integrity. Every application, every file, every behaviour has a unique fingerprint that is stored in a database. The integrity check compares the fingerprint of what is about to run or connect against that database: is this an authorised access by a permitted application? If the pattern does not match a stored fingerprint, access is blocked. This procedure is not only effective, it is also very efficient. In practice, the number of allowed applications is far smaller than the number of programs classified as malicious or unwanted, so whitelist-based protection reacts faster and is much leaner than traditional solutions based on blacklisting.
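The integrity check described above, as an added example that is not part of the article or of any vendor's product: a default-deny allowlist keyed by SHA-256 fingerprint, with a per-application list of permitted users. The "binaries" are constructed byte strings, and the user and path names are made up. A path-based rule is shown alongside it to make clear why the check is on the file's content rather than its location.

```python
"""Application allowlisting by fingerprint: default deny, integrity-checked by hash.

Added example (not from the article). The 'binaries' below are constructed byte
strings standing in for real executables; user and path names are made up.
"""
import hashlib
from typing import NamedTuple

class ExecEvent(NamedTuple):
    user: str
    path: str      # where the loader found the file
    image: bytes   # what is actually about to execute

def fingerprint(image: bytes) -> str:
    """The 'signature' in the article's sense: a SHA-256 of the file contents."""
    return hashlib.sha256(image).hexdigest()

# Constructed stand-ins for executables
EDITOR = b"\x7fELF\x02\x01\x01 editor 1.0"
BROWSER = b"\x7fELF\x02\x01\x01 browser 2.1"
DROPPER = b"\x7fELF\x02\x01\x01 totally-legit-update"

# The allowlist database: fingerprint -> (application name, users permitted to run it).
# Everything not listed is denied; the list stays short because 'allowed' is a short list.
ALLOWLIST = {
    fingerprint(EDITOR): ("editor", {"alice", "bob"}),
    fingerprint(BROWSER): ("browser", {"alice", "bob", "carol"}),
}

def decide(event: ExecEvent, allowlist=ALLOWLIST):
    """Integrity check first (is this exactly a known-good image?), then authorisation."""
    entry = allowlist.get(fingerprint(event.image))
    if entry is None:
        return ("deny", "unknown-fingerprint")
    name, users = entry
    if event.user not in users:
        return ("deny", f"{name}-not-permitted-for-{event.user}")
    return ("allow", name)

# Contrast: a path-based rule trusts a location, not a file, and is bypassed by
# anything an attacker can write into that location.
ALLOWED_PATHS = {"/usr/bin/editor", "/usr/bin/browser"}

def decide_by_path(event: ExecEvent):
    return "allow" if event.path in ALLOWED_PATHS else "deny"

if __name__ == "__main__":
    cases = [
        ExecEvent("alice", "/usr/bin/editor", EDITOR),             # genuine, permitted
        ExecEvent("alice", "/usr/bin/editor", DROPPER),            # malware dropped over editor
        ExecEvent("alice", "/usr/bin/editor", EDITOR[:-1] + b"9"), # one byte patched
        ExecEvent("mallory", "/usr/bin/browser", BROWSER),         # genuine, wrong user
    ]
    for ev in cases:
        print(f"{ev.user:8} {ev.path:18} hash:{decide(ev)}  path-rule:{decide_by_path(ev)}")
```

The hash rule blocks the dropper and the patched editor even though both sit at an allowed path, while the path rule lets the dropper through. The flip side, which the article's "leaner" argument glosses over, is operational: a pure hash allowlist has to be updated with every patch of every permitted application, which is why production allowlisting products usually also accept a publisher's code-signing certificate as the fingerprint.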

This approach plays a big role in behaviour-based security approaches and zero-trust models.

“There is no silver bullet in information security. But properly deployed white-listing provides exceptional protection against zero-day and targeted attacks.” (Neil MacDonald, Gartner, “The Power of Whitelisting”)

So quo vadis?
Many cyberattacks are still old-fashioned. Phishing, trojans or viruses, and the disgruntled employee remain the biggest threats. Yet attacks are becoming more sophisticated and more numerous. The other side is also making greater use of automation and AI; the supply-chain attack on SolarWinds showed how far a patient, well-resourced adversary can get.

The next big thing in IT security is root cause analysis, predictive analytics, graphs, correlation and on-prem threat intelligence. One vendor that has been blazing the trail recently is Riverbed: the network traffic and performance monitoring specialist now describes itself as “the root cause analysis experts.” Others include startups such as Slovakia’s Minit and Germany’s KnowledgeRiver, as well as the more established Lana Labs. All of them work with AI as well.

Cognitix, which was bought by genua and the Bundesdruckerei, as well as companies such as GlassWire, Vectra, Awake Security and ExtraHop, work with graphs. Besides Palo Alto Networks, Firemon and Guardicore, among others, have already integrated threat intelligence. Guardicore in particular could become a serious challenger in the firewall market.

This article was originally published on data-disrupted.de.


Kerstin Stief

Publisher & Editor in Chief data-disrupted.de | Cocktail Mixer | House Electrician | Copy Cat | PR as a Service mende.media | B2B | ICT only | Open Source first