
Antivirus is dead: How AI and machine learning will drive cybersecurity

Rajiv Raghunarayan, Technology evangelist, SentinelOne

As the number of cyberattackers and exploits continues to grow, hiring the teams needed to combat cyberthreats has remained a challenge. While budget and access to the right training infrastructure have contributed to the issue, another big problem is that we are still reliant on outdated security methods.

Attackers are constantly leveraging new attack techniques, such as bots and other automated tools, as their primary attack methods, making it nearly impossible for outdated solutions such as legacy antivirus (AV) to keep up.

Last year brought some of the largest and most advanced cyberattacks to date, and attackers have come out of the gate swinging in 2017, with ransomware attacks such as WannaCry and NotPetya making worldwide headlines. Although we can never be quite certain as to when the next large-scale or targeted attack will hit, one thing remains certain: Traditional solutions and approaches that have served us well for decades are not cutting it.

Here's a look at how to move the needle on cybersecurity in a post-antivirus world.


Look back to plan forward

My company's 2017 Enterprise Risk Index report found that only 50% of file-based attacks had been previously submitted to malware repositories. Of those submitted, only 20% had corresponding signatures from existing AV solutions—in other words, typical endpoint security solutions are flying blind 90% of the time.

What if it stops being about files altogether? Memory attacks more than doubled in 2016, and if this trend continues, the value of AV will increasingly be in doubt. Threats such as fileless malware cannot be caught by signatures (which are file-based), which means that networks guarded only by traditional AV systems are exposed to them.

Along with the increase in memory-based attacks, attackers have also expanded their use of automation to amplify their efforts. Several cybersecurity experts were surprised by the scale and virulence of the WannaCry attack, which affected more than 200,000 machines in a matter of hours. Put simply, IT and security professionals, with their outdated security software, cannot keep up with such intense and persistent attacks.

And the plethora of false positives causes many security teams to drown in alerts, which in turn makes it very hard to prioritize and respond in a timely fashion. As a result, threats are missed entirely. Even when they do catch wind of an attack, humans are not efficient enough to tackle the problem manually at scale.

What to do about the trend?  

Now that you know what is out there, you need to prepare your systems to be ready to protect your assets against the next generation of cyberthreats.  

Several new technologies that have matured over the last few years could be truly revolutionary in strengthening security and accelerating businesses. Chief among these are machine learning and artificial intelligence. McKinsey Global Institute studies estimate that automation driven by technologies such as AI and machine learning could increase productivity at an annual rate of 0.8% to 1.4% over the next half century. In comparison, it says that the adoption of information technology increased productivity by an average of 0.6% annually from 1995 to 2005. 

However, these technologies must be used right to leverage their strength and overcome adoption challenges. Some of the basic tenets include doing the following:

  • Ensure the right visibility and protection: Make sure you have visibility and protection at the right level and of the right type. Nearly all attacks (95%) start at the endpoint, and most critical data typically resides in the data center or (increasingly) the cloud. Ensure that these edges have rich visibility and protection. This means that you are looking at more than just files, but also at running applications and fileless threats that may not leave a footprint. It also means that these edges need to be autonomous in their security workflow, to reduce protection latency and to handle threats locally (when you have no cloud connectivity) or to meet regulatory requirements (when sending data outside predefined perimeters is prohibited). Finding a threat and stopping it before it makes an impact makes your job easier later.
  • Keep it simple: Simplicity is the ultimate sophistication. Complexity creates barriers, ultimately costs more time and money, and reduces security. Ensuring that your organization is equipped with the right tools to prevent, detect, respond, and investigate will allow for more seamless operational workflows and increase productivity. The right tools will also reduce end-user productivity impact by minimizing agent overload and improving integration across platforms.
  • Automate, automate, automate: Automation can make your security platforms easier to use, moving security from a limiting force to an enabler for sustainable business growth fueled by technological advancements. And that is possible only when we move from humans doing most of the heavy lifting to a place where machines do the job as directed by humans.


The reality is clear, so act now

Hackers are continuing to beat organizations at every step because they know that some of the most widely used security tools such as AV and IDS are flawed, and they are well aware of how to evade them.     

The increasing commercial value of the digital economy only creates more incentive for the attackers to morph their techniques. A 2014 McKinsey study with World Economic Forum highlights that $9 trillion to $21 trillion of global economic value creation depends on the robustness of the cybersecurity environment. And the attackers are indeed winning that fight right now—adopting new and better techniques to evade defenses, such as polymorphism and obfuscation, targeted attacks to evade already overloaded security teams, and automation to scale.
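The signature gap the article describes (a file-hash signature only matches the exact bytes it was generated from, so a polymorphic or obfuscated variant of a known sample evades it, while a feature-based model generalizes to the variant) can be shown in a few dozen lines. This is an added example, not code from the article or from SentinelOne: the sample "files", the string tokens, the entropy threshold and the tiny perceptron are all constructed for illustration and are not a real detection model.

```python
"""Exact-hash signatures vs. a feature-based classifier, on constructed samples."""
import hashlib
import math
from collections import Counter

# --- Constructed byte streams standing in for file contents (not real malware) ---
# HIGH_ENTROPY visits every byte value equally (looks like a packed/encrypted payload);
# LOW_ENTROPY is a long run of one byte (looks like zero padding or a resource block).
HIGH_ENTROPY = bytes((i * 73 + 41) % 256 for i in range(512))
LOW_ENTROPY = b"A" * 256

KNOWN_SAMPLE = (b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00"
                b"CreateRemoteThread\x00" + HIGH_ENTROPY)
# "Polymorphic" variant of KNOWN_SAMPLE: junk prefix, reordered strings, one byte changed.
VARIANT = (b"\x00\x01\x02\x03kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00"
           b"WriteProcessMemory\x00" + HIGH_ENTROPY[:-1] + b"\x00")

# Constructed training set: label +1 = malicious, -1 = benign.
TRAINING = [
    (KNOWN_SAMPLE, +1),
    (b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00VirtualAllocEx\x00"
     b"WriteProcessMemory\x00" + HIGH_ENTROPY, +1),
    (b"kernel32.dll\x00CreateRemoteThread\x00OpenProcess\x00WriteProcessMemory\x00"
     + HIGH_ENTROPY, +1),
    (b"kernel32.dll\x00user32.dll\x00MessageBoxA\x00GetWindowTextA\x00LoadLibraryA\x00"
     + LOW_ENTROPY, -1),
    (b"msvcrt.dll\x00printf\x00fopen\x00fclose\x00GetProcAddress\x00" + LOW_ENTROPY, -1),
    (b"kernel32.dll\x00CreateFileA\x00ReadFile\x00WriteFile\x00CloseHandle\x00"
     + LOW_ENTROPY, -1),
]
UNSEEN_BENIGN = b"kernel32.dll\x00CreateFileA\x00ReadFile\x00MessageBoxA\x00" + LOW_ENTROPY


# --- Signature-based detection: an exact SHA-256 match against a known-bad set ---
def sha256(data):
    return hashlib.sha256(data).hexdigest()

SIGNATURE_DB = {sha256(KNOWN_SAMPLE)}

def signature_match(data):
    return sha256(data) in SIGNATURE_DB


# --- Feature-based detection ---
def strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes (what `strings` would print)."""
    out, run = [], bytearray()
    for b in data + b"\x00":            # sentinel flushes the final run
        if 32 <= b <= 126:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out

def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted content scores near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def features(data):
    """Binary feature set: extracted strings plus a high-entropy flag (threshold constructed)."""
    feats = set(strings(data))
    if entropy(data) > 6.5:
        feats.add("<entropy>6.5>")
    return feats

def train_perceptron(samples, epochs=20):
    """Plain perceptron over sparse binary features; stops once an epoch has no errors."""
    w = Counter()
    for _ in range(epochs):
        errors = 0
        for data, label in samples:
            feats = features(data)
            if label * sum(w[f] for f in feats) <= 0:
                errors += 1
                for f in feats:
                    w[f] += label
        if errors == 0:
            break
    return w

MODEL = train_perceptron(TRAINING)

def classify(w, data):
    return "malicious" if sum(w[f] for f in features(data)) > 0 else "benign"

def run_demo():
    """Both detectors applied to the known sample, its variant and an unseen benign file."""
    return {
        "known_signature": signature_match(KNOWN_SAMPLE),
        "variant_signature": signature_match(VARIANT),     # hash changed: miss
        "variant_model": classify(MODEL, VARIANT),          # features kept: hit
        "benign_model": classify(MODEL, UNSEEN_BENIGN),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Changing a single byte is enough to defeat the hash signature, while the feature model still flags the variant because the strings it imports and its packed-looking entropy are unchanged. The same logic is why a real model must be trained on many more, and more diverse, samples than this toy set: an attacker who knows the feature space can strip or rename the strings, which is the evasion arms race the article goes on to describe.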

Several of these evasion techniques are well documented, and the tools are also shared across the attacker landscape using as-a-service business models. Today, one can buy code that is effective at hacking for as little as $150. Relying on traditional approaches in this environment is equivalent to bringing a knife to a gunfight.

Governments and businesses need to be nimbler than ever in dealing with today’s attackers. Effective security today requires speed and resilience. It necessitates detection and real-time response before attacks get a chance to compromise sensitive assets and information.

New technologies such as sandboxing and endpoint detection and response have improved discovery capabilities for the whole industry, but they’ve done little to actually improve resilience: the ability to quickly and accurately respond to today’s evolving threats operating at machine speed.

Without this capability, companies are forced to manually manage detection and response post-breach, which takes more time and resources, increases risk, and diminishes business agility. Ask any company hit by ransomware and you’ll know why response speed is critical.

Has your cybersecurity team looked at machine learning and AI to move the needle? Share your experiences in the comments below.
