Virtualization Technology News and Information
Good AI Cybersecurity Requires Overall Monitoring, Detection and Response


By Dave Martin

Welcome to the year 2022. We are all getting our bearings after a pandemic affected the entire world for longer than anyone expected. We're starting to go out again and socialize, but things have changed dramatically as we move forth with a new skepticism, keenly aware that unpredictable events catch us off guard at the most inconvenient times. However, there have been positive changes and benefits to the world since COVID that prompt new considerations.

One example is the shift to remote work (whether work from home or a hybrid design), which has become the new normal and is projected to prevail at least through 2023. Remote work has met with success overall and the job market has boomed. Experts say these new work styles are not a passing trend for many companies and they will be sticking around. The downside is that there are more points of entry for cyber attackers than ever before, as it is increasingly difficult to shore up a company's network and protect all its critical assets with employees working from multiple locations. As a result, cybersecurity threats are growing in volume, variety and sophistication. Due to the craftiness of bad actors, a rise in artificial intelligence (AI) based attacks can catch an organization by surprise. The power of those breaches is their machine-scale speed.

Keeping Up With Cyber Attackers

Threat actors have started using AI because it lets them change tactics rapidly and develop novel ways to avoid detection faster. Security professionals need to keep up, accounting for attacks built with AI's machine learning (ML) while remaining vigilant about traditional attacks that are common because of their simplistic yet effective nature (e.g., theft of login credentials through password spraying and phishing, adding malicious code to vendor software, etc.). Combating AI attacks with AI cybersecurity alone is not the answer to maintaining a good overall security posture, and it is crucial to establish that, because how we handle IT complexity now will provide a model for how we respond to more complex, AI-driven attacks in the future.

Enter the monitoring, detection and response (MDR) service provider, an asset to any company that cannot handle multiple approaches to fully operationalizing cybersecurity by itself. A good MDR provider accounts for any and all types of breaches with eagle-eyed, round-the-clock vigilance and a team of engineers in its security operations center (SOC). It is attuned to AI-based threats while looking out for the more traditional ones and is prepared to thwart attacks and always remain one step ahead, even when the speed of ML is a complicating factor. While AI is used by the MDR provider to detect AI-based attacks and intercept them with an even more rapid approach than the cybercriminal employs, a good MDR provider is also armed with the most competent, mission-driven human engineers to weed out any false positives that ML might yield. It is crucial to combine human expertise with AI because the technology simply is not good enough yet without human oversight. The human engineer also can determine what is normal versus abnormal in an organization's specific environment. That awareness is key to immediately detecting a threat, then either stopping it in its tracks or going into remediation mode.

The Benefits Of 24/7 Support

Threat actors will employ ML in the development of malware used to conduct attacks and a good MDR provider not only combines vigilance with speed to combat that but employs AI capabilities to protect organizations and their critical assets, providing 24/7 support from the most skilled and knowledgeable SOC engineers. This approach is not AI-specific; it accounts for every attack method from the most basic to the most intricate, the optimal approach to fully operationalizing cybersecurity. Some of the most nefarious hackers act so stealthily that they catch organizations by surprise time and again, leaving professionals baffled afterward.

In a nutshell, when defending against an AI-based attack, the fundamentals are the same ones the MDR service provider has always relied on: develop a single source of truth in the environment for sensing suspicious behavior, ensure the MDR provider has the right data to work with, and enrich that data to decide whether something is malicious or not. Data enrichment is an important process; it brings more meaningful insights and contextual information about attacks.

As mentioned above, it is essential to have a detection methodology regardless of how the attack is crafted. AI only changes the equation to the extent that it allows threat actors to bury their tactics and commit their actions faster. The approach is not one of "how do I use AI or ML to replace the human who is coming to the conclusions?" Rather, it is one of "how do I arm human engineers to succeed against AI-based attacks?" A good MDR provider does that by using ML to reduce noise and amplify signals for the human, enabling the human to oversee, analyze and work to restore order. AI is an aid while the human engineer looks out for any flaws requiring their expertise.
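One way to implement the enrichment and noise-reduction loop described above, as an added Python example that is not from the article or from Open Systems: it parses a constructed auth-log format, enriches each event with a made-up asset-criticality map and one threat-feed entry, aggregates per source address, and surfaces only scored, explained alerts for the human engineer. The log format, host names, addresses and weights are all assumptions.

```python
import re
from collections import defaultdict
# Constructed auth-log format and enrichment context (asset criticality with the
# domain controller ranked highest, plus one threat-feed IP); all made up here.
LINE_RE = re.compile(r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")
ASSET_CRITICALITY = {"dc01": 3, "fileshare": 2, "web03": 1}
THREAT_FEED_IPS = {"203.0.113.7"}
SAMPLE_LOGS = [  # constructed sample input
    "2022-06-10T07:30:01 auth host=dc01 user=alice src=203.0.113.7 result=FAIL",
    "2022-06-10T07:30:02 auth host=dc01 user=bob src=203.0.113.7 result=FAIL",
    "2022-06-10T07:30:03 auth host=dc01 user=carol src=203.0.113.7 result=FAIL",
    "2022-06-10T07:30:04 auth host=dc01 user=carol src=203.0.113.7 result=OK",
    "2022-06-10T07:30:05 auth host=web03 user=dave src=198.51.100.9 result=FAIL",
    "this line is not an auth event",
]
def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None  # unparseable lines are dropped, not guessed
def enrich(ev):
    # Attach the context a raw event lacks: how critical the asset is, feed hit or not.
    return {**ev, "criticality": ASSET_CRITICALITY.get(ev["host"], 1),
            "on_feed": ev["src"] in THREAT_FEED_IPS}

def triage(lines, spray_threshold=3):
    # Aggregate enriched events per source IP, then score so a human sees the loudest first.
    by_src = defaultdict(lambda: {"fail_users": set(), "ok_after_fail": False,
                                  "max_crit": 1, "on_feed": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ev = enrich(ev)
        s = by_src[ev["src"]]
        s["max_crit"] = max(s["max_crit"], ev["criticality"])
        s["on_feed"] = s["on_feed"] or ev["on_feed"]
        if ev["result"] == "FAIL":
            s["fail_users"].add(ev["user"])
        elif s["fail_users"]:
            s["ok_after_fail"] = True  # a success following failures from the same source
    alerts = []
    for src, s in by_src.items():
        checks = [(len(s["fail_users"]) >= spray_threshold, 2, "spray pattern: %d distinct users failed" % len(s["fail_users"])),
                  (s["ok_after_fail"], 2, "success after failures"),
                  (s["on_feed"], 1, "source on threat feed")]
        reasons = [text for hit, _, text in checks if hit]
        score = sum(w for hit, w, _ in checks if hit) * s["max_crit"]  # criticality amplifies
        if reasons:  # single low-signal failures (web03/dave) never reach the queue
            alerts.append({"src": src, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

Running `triage(SAMPLE_LOGS)` yields one alert for the feed-listed source that sprayed three accounts against the domain controller and then logged in; the lone failure against web03 is suppressed as noise.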

Pivoting And Switching Tactics

Speed is not the sole challenge of AI-based attacks. Engineers also need to be attuned to the ability of bad actors to pivot from one tactic to another. Often, the threat actor attempts to infiltrate a network and establish a foothold, then does reconnaissance, assessing the overall environment and getting to know it well enough to manipulate it in more sophisticated ways. Depending on what they see, they'll launch different types of attacks. AI allows them to shorten that learning cycle and pivot more easily to even sneakier attacks as they learn to evade detection. They may try to identify the servers in the environment and, once they do, identify the domain controller housing identity information. This allows them to launch specific attacks on the identity layer once they've identified the critical assets. In this example, pivoting means they get in and they learn; then they turn to the next phase of the attack.

For an MDR provider, cybersecurity consists of devising the best countermeasures to attacks and cyber breach attempts at the highest levels. Defenders assess what is going on and threat actors develop countermeasures for evading that detection and prevention layer, and it's a never-ending cycle. As a result, from an MDR provider's perspective, it is necessary to continually enhance detection capabilities to keep pace with the evolving nature of how threat actors commit their attacks.

The importance of round-the-clock security from the MDR provider, especially with AI breaches, is that bad actors sneak up on companies when they aren't looking. An MDR provider offers threat feeds that are monitored for new zero-day disclosures of an attack mapped back to its detection and prevention model. It is all about remaining one step ahead and being cognizant of new and evolving methods attackers use to breach the environment. A good security operations center (SOC) engineer then addresses these questions: "What is the methodology? What tactics am I trying to observe? What data do I need from the environment to identify those new tactics?" They bear in mind that traditional risks are a concurrent factor as breaches evolve in sophistication. They then scan for vulnerabilities of any nature, prioritizing a company's critical assets to protect the organization. A highly skilled MDR service provider is armed at the ready with detection engineering functions and a thorough understanding of the latest tactics cyber attackers are using, bearing in mind that successful traditional ones haven't gone out of style.


ABOUT THE AUTHOR


Dave Martin is vice president of managed detection and response (MDR) at Open Systems, which has been providing managed security services for more than 30 years. He is responsible for the strategic direction and product roadmap of SaaS, hardware and software cybersecurity products.

Published Friday, June 10, 2022 7:31 AM by David Marshall