Finding the Needle in the Haystack: Accelerating Threat Remediation with AI

9 November 2020


Elon Musk’s prediction that AI will outsmart humans in less than 5 years is a bold statement: it implies that machines will possess super-human qualities which help boost organizations’ profits and goals. For many, these ideas belong in sci-fi fantasies rather than as a future fixture of working practices.

In the broadest sense, there are no signs that AI comes close to human consciousness or sentience. When we talk about the power of AI, it’s more helpful to consider the specific use cases and sectors where it is having, and will have, a transformative effect – and there is one area in particular where AI has been seen to mimic the capabilities of complex human thought processes: cyber security.

For organizations seeing more and more attacks against their digital infrastructure, cyber security is a top priority. Remote working has forced security teams to pivot to protect a workforce in flux, with cloud and SaaS adoption only widening the attack surface. At the same time, hackers have become savvier at exploiting new technology to their advantage, leaving organizations to re-evaluate the success of their initial digital transformation projects and how best to protect their data and digital systems. The odds have been stacked against the defenders. Whereas cyber-criminals only need to succeed in compromising one weak link to begin an infiltration, security teams need to get it right every time. Thankfully, AI is always one step ahead.

Today, thousands of cyber security professionals have turned to AI to help them relieve the burden of a whole range of tasks. This includes monitoring digital activity across different areas of the workforce, identifying anomalous behaviors, taking action to limit the spread of possible attacks, and bearing the brunt of time-consuming tasks, such as threat triaging and reporting.

There is little doubt that AI-augmentation is vital for protecting digital systems in an era of information overload. AI can handle terabytes of data every day – a scale unthinkable for humans, who have limitations on how much information they can process at a time and need regular breaks. But it’s more than just a scaling issue – AI can uncover damaging cyber-attacks that humans can’t, whether because the threats are disguised as regular activity, because of biased reasoning, or simply because of time pressures.

Pinpointing abnormal activity that human teams are unable to detect amid the noise of normal network traffic is the first way in which AI augments human teams. The second way is more fundamental still – the AI can interrogate its own findings. In other words, instead of humans looking at the outputs of the AI and applying their human understanding, AI is now taking care of this too. Known as an AI Analyst, this technology applies contextual understanding to launch a full-blown investigation into what has happened on the network. The result of the investigation is a machine-generated, human-readable report about the incident.

As the cyber-skills gap widens, having AI that mimics an expert cyber-analyst’s investigative and reporting techniques is fundamental to ensuring that threats are remediated before the damage is done. For overwhelmed teams, such technology is the difference between a threat spreading and operational continuity. And AI Analyst results in huge time savings. Whereas a human security analyst would take 3 hours on average to interrogate a suspicious event, apply their domain expertise and knowledge to figure out the extent of the compromise, assess the likely impact, as well as make recommendations for action, the AI does this in minutes. And the report can be generated in whatever language is required, producing not just a detailed response, but a global one too. Cyber AI is now carrying out 1.4 million investigations every week, which human teams then review and use to shape long-term strategies and policies.

By 2021, the role of the security analyst will be changed for good. While much of the focus in recent months has been on securing the dynamic workforce, 2021 will see organizations looking beyond operational continuity to deploying a cyber security technology which allows their business to thrive. AI is fundamental to this – speeding up threat identification, comprehension of a security incident, and advising on next steps. Already, it is detecting and automating the investigation of the most sophisticated attacks out there, including those from the Chinese cyber espionage group known as APT41.

When this group waged their attacks in March, organizations were in a state of turmoil. Lockdown had just been announced and many were still adjusting. The group moved fast, exploiting a Zoho ManageEngine zero-day vulnerability in organizations across the US and Europe. At the time of the attack, no associated signatures were available, and without public Indicators of Compromise (IoCs) or any open-source intelligence, successful identification and remediation of the attack would have been near impossible for humans alone.

That’s where AI stepped in. It recognized every stage of the kill-chain and flagged it to the security team. AI Analyst was fundamental to the remediation of this threat, summarizing the event into a concise report that took 2 minutes to review and could be actioned by even non-technical members of the team. The result? Security teams were able to jump on the actionable intelligence Cyber AI Analyst provided to prevent activity such as lateral movement and data exfiltration – containing the threat in its earliest stages.
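The two ideas the article leans on, detecting deviation from learned normal behaviour when no signatures or IoCs exist, and then turning the findings into a report a non-technical reader can act on, can be shown in miniature. The script below is an added, constructed example and is not Darktrace's code or algorithm. It assumes a per-host baseline learned from a quiet window (known destination/port pairs plus mean and standard deviation of bytes out), an internal range of 10.0.0.0/8, and the thresholds `VOLUME_Z_THRESHOLD` and `LATERAL_MIN_HOSTS`, all of which are choices made for this example. The log lines are constructed. It goes slightly beyond the text by aggregating several new internal peers on one port into a single "lateral-movement pattern" finding.

```python
"""Signature-free anomaly detection over constructed connection logs (example only)."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range for this example
VOLUME_Z_THRESHOLD = 3.0   # flag bytes out more than 3 sigma above the host's own mean
LATERAL_MIN_HOSTS = 2      # new internal peers on one port before it is called a pattern

# Constructed "learning window": timestamp,host,dst_ip,dst_port,bytes_out
BASELINE_LOG = """\
2020-03-02T09:00:00,ws-01,10.0.0.5,445,1200
2020-03-02T09:05:00,ws-01,10.0.0.5,445,1300
2020-03-02T09:10:00,ws-01,10.0.0.9,443,900
2020-03-02T09:15:00,ws-01,10.0.0.9,443,1100
2020-03-02T09:00:00,ws-02,10.0.0.5,445,2000
2020-03-02T09:05:00,ws-02,10.0.0.9,443,1800
2020-03-02T09:10:00,ws-02,10.0.0.9,443,2200
2020-03-02T09:15:00,ws-02,10.0.0.5,445,1900
"""
# Constructed "live" window: ws-01 contacts a new external host, probes two new
# internal hosts on 445, then sends an unusually large volume outbound.
LIVE_LOG = """\
2020-03-09T09:00:00,ws-01,10.0.0.5,445,1250
2020-03-09T09:02:00,ws-01,203.0.113.7,8443,1000
2020-03-09T09:04:00,ws-01,10.0.0.12,445,300
2020-03-09T09:05:00,ws-01,10.0.0.13,445,300
2020-03-09T09:06:00,ws-01,203.0.113.7,8443,900000
2020-03-09T09:00:00,ws-02,10.0.0.9,443,2100
"""


def parse_log(text):
    """Parse 'timestamp,host,dst_ip,dst_port,bytes_out' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, dst, port, nbytes = line.split(",")
        events.append({"ts": ts, "host": host, "dst": dst,
                       "port": int(port), "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per host: the (dst, port) pairs seen plus mean/stddev of bytes out."""
    peers, volumes = defaultdict(set), defaultdict(list)
    for e in events:
        peers[e["host"]].add((e["dst"], e["port"]))
        volumes[e["host"]].append(e["bytes"])
    return {h: {"peers": peers[h], "mean": mean(volumes[h]),
                "std": pstdev(volumes[h]) or 1.0}  # flat baseline: avoid divide by zero
            for h in peers}


def score_events(baseline, events):
    """Findings derived only from deviation against the baseline: no signatures, no IoCs."""
    findings = []
    seen = {h: set(b["peers"]) for h, b in baseline.items()}
    new_internal = defaultdict(lambda: defaultdict(set))  # host -> port -> new internal dsts
    for e in sorted(events, key=lambda e: e["ts"]):
        h, pair = e["host"], (e["dst"], e["port"])
        if h not in baseline:
            findings.append((h, e["ts"], "no baseline", f"first activity seen from {h}"))
            continue
        if pair not in seen[h]:           # first sighting of this destination/port for the host
            seen[h].add(pair)
            if ipaddress.ip_address(e["dst"]) in INTERNAL_NET:
                new_internal[h][e["port"]].add(e["dst"])
                findings.append((h, e["ts"], "new internal destination",
                                 f"{e['dst']}:{e['port']}"))
            else:
                findings.append((h, e["ts"], "new external destination",
                                 f"{e['dst']}:{e['port']} (possible command-and-control)"))
        z = (e["bytes"] - baseline[h]["mean"]) / baseline[h]["std"]
        if z > VOLUME_Z_THRESHOLD:        # only upward deviation matters for exfiltration
            findings.append((h, e["ts"], "unusual outbound volume",
                             f"{e['bytes']} bytes to {e['dst']}:{e['port']}, "
                             f"{z:.0f} sigma above baseline (possible exfiltration)"))
    for h, ports in new_internal.items():  # several new internal peers on one port
        for port, dsts in ports.items():
            if len(dsts) >= LATERAL_MIN_HOSTS:
                findings.append((h, "-", "lateral-movement pattern",
                                 f"{len(dsts)} new internal hosts contacted on port {port}"))
    return findings


def render_report(findings):
    """Human-readable summary that a non-technical reader can act on."""
    by_host = defaultdict(list)
    for h, ts, cat, detail in findings:
        by_host[h].append((ts, cat, detail))
    if not by_host:
        return "No deviations from baseline observed."
    lines = []
    for h in sorted(by_host):
        lines.append(f"Incident summary for {h}: {len(by_host[h])} findings")
        lines.extend(f"  [{ts}] {cat}: {detail}" for ts, cat, detail in by_host[h])
    return "\n".join(lines)


def analyse(baseline_text, live_text):
    return score_events(build_baseline(parse_log(baseline_text)), parse_log(live_text))


if __name__ == "__main__":
    print(render_report(analyse(BASELINE_LOG, LIVE_LOG)))
```

Run as-is it reports only `ws-01`, with the new external connection, the two new internal 445 peers, the 900 KB outbound burst, and the aggregated lateral-movement pattern; `ws-02` stays within its own baseline and is not mentioned. The small 300-byte connections are not flagged as volume anomalies because only upward deviation is scored; a real system would also learn baselines over far longer windows and across many more features than the two used here.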

Today, we are already reliant on AI in all parts of our lives, from recommending what to watch on Netflix to the customization of our car based on our real-time decisions. In security, AI will be investigating and recommending what actions to take in response to a cyber-attack.

AI’s ability to augment security teams has a fundamental role in the future of work. Amid the flood of information and alerts, AI brings clarity to the complexity of digital life and gives organizations time for the critical decision-making that humans do best. It enables the human to step onto a bigger stage altogether and focus on shaping policy and longer-term strategy.

With attackers continually innovating, tomorrow’s threats are set to be stealthier and more sophisticated than ever before. AI has proven that it can work alongside the human, detecting, understanding, and stopping cyber-threats. This step forward is necessary and should be welcomed – not feared.


Darktrace