Human and machine: Working together to solve the biggest security problem
By Pete Nicoletti, Field CISO, Check Point Software.
Can you guess what the biggest problem in cyber security is?
It’s not ransomware, phishing, or some other disruptive cyber attack… even though we all know those will increase within the foreseeable future.
One of the biggest issues is that there simply aren’t enough security professionals to keep up with the rise in cyber threats and all the related problems created by this issue.
One significant solution to this issue is to leverage artificial intelligence and Machine Learning (AI/ML) to handle tasks that would typically be too time-consuming and too difficult for security professionals. Furthermore, the unstoppable barrage of events coming at your organization is too much for human analysts to handle.
Before I delve into how AI/ML can free up time and resources for your security staff, improve staff morale, increase retention, and radically enhance your resilience to attacks, let’s first discuss why the pressure on IT and security teams will only continue to increase:
Cyber attacks continue to rise
The landscape is changing, but only for the worse. The number of breaches and records exposed per year is escalating, despite billions of dollars of investment in cyber tools and the best efforts of security professionals.
Here are some startling cyber security statistics:
- In 2021, businesses experienced 50% more cyber attacks compared to the previous year.
- Cyber crime costs will grow by 15% per year over the next five years, reaching $10.5 trillion by 2025.
- 2021 saw the highest average cost of a data breach on record, with the average rising from $3.86 million to $4.24 million year over year. This trend is expected to continue in 2022.
- Phishing attacks were related to 36% of data breaches, which is an increase of 11%. These figures are expected to rise further as we accelerate support for the remote work force.
Now, let’s examine the challenges that most organizations are facing, which contribute to the issues above.
Traditional security tools are not good enough any longer
First, conventional tools only combat known attacks. This is a huge problem because hackers are developing new and sophisticated cyber threats every day that are designed to bypass conventional tools. Many traditional security strategies are insufficient in detecting and preventing these new threats because signature-based tools, by definition, can’t prevent attacks that have never occurred before. While these tools have helped analysts better understand old-school conventional attack surface activity, they are simply inadequate in preventing unknown attacks, which can devastate your business.
Organizations try to use too many security tools
Secondly, many organizations have too many security tools, and it is difficult to have them interoperate and “talk” to each other. This lack of integration, combined with having to manage multiple management consoles, creates inefficiencies and coverage gaps. Think about it: When you have separate solutions for the network, email, cloud, mobile, IoT devices, and more, you don’t have a unified view of the bigger picture. This is just not conducive to effective or efficient security, especially when dealing with new, advanced threats that are designed to bypass conventional tools and that may be missed because of inefficient management or gaps in coverage.
The efficacy of conventional security tools averages only 85%, for the following reasons: There is typically no centralized monitoring or management. Firewall configurations are often flawed and out of date. The tools in use are not optimally configured, meaning all features turned on, set to prevention mode, and then validated. Signature-based tools are not updated, or the signature arrives too late. In addition to those issues, many tools are not fit for enterprise deployments at scale and flunk out in third-party MITRE ATT&CK testing!
Alert overload!
Third, not only is there an increasing amount of data that your security teams must deal with, but this also results in alert overload – often thousands or tens of thousands of alerts generated daily. The volume of log, security, and application data collected continues to grow exponentially. Alerts created by multiple tools overwhelm cyber security analysts, who struggle to validate and escalate them. Further, on average, over 50% of alerts are false positives. The average time to research each alert is ~20 minutes, and the average time to respond to or fully resolve a case hovers around 4.35 days. This overwhelming challenge is occurring at the same time that the interval from initial compromise to exploitation has shrunk to mere minutes in 2022!
Lack of skills and security professionals
Fourth, most organizations simply don’t have enough security professionals to handle the increased volume of threats. Those they do have likely lack the skills, and the time to learn the skills or get certified, because they are already burdened with the weight of fighting yesterday’s threats and the new barrage of threats arriving every day.
The insights required by businesses are outstripping the small group of trained experts, and there aren’t enough experts available to service all organizations. There are over 3 million unfilled cyber security positions; it takes six months to fill these positions, and eight months to train the people in them. Finally, 25% of security professionals change organizations within two years. There is a huge problem in finding and retaining cyber security talent.
The data to be analyzed is far beyond human scale
Fifth, humans cannot conceivably analyze and associate millions or billions of alerts and log data records arriving each second. The human brain doesn’t scale at that level, and it can’t make the connections between disparate systems and events and spot the rare anomalous behaviors. Consider relating this challenge to the old idiom: “Finding a needle in a haystack.” A typical haystack weighs 2000 lbs., and the number of straws in a pound of hay is 1000, thus the needle is one in 2,000,000. With current zero days occurring in only 1 in 10 trillion events, the ratio to find a new zero day attack is one needle in 5 million haystacks!!! Only advanced AI algorithms can parse and identify malicious activity at that scale!
The cost of data breaches “should” motivate executives to increase security budgets…but…
The average time to fully contain a breach is growing, and the length of time needed to identify a breach is barely improving. On average, companies take about 197 days to identify and 69 days to contain a breach. When your security team is too busy identifying and containing breaches, they don’t have the time to handle other cyber threats or help the business with strategic initiatives. The cost of a breach is already very high, and unplanned legal and related incident response expenses may cause a “budgetary creation event,” forcing the company to invest more in the security team and in new technologies. This is not the way to properly operate and fund a security program.
All of these problems paint a not-so-pretty future for many organizations, but there is a solution.
How artificial intelligence can help
What if, instead of using traditional security tools that miss threats, you had an ever-improving, intelligent system that actively prevents advanced, sophisticated attacks? Let’s examine how this works:
First, traditional security tools use signature-based methods to identify threats, but this approach is flawed and can miss up to 10% of attacks. Advanced security tools that use AI/ML can identify known and unknown attacks, resulting in near 100% detection rates while minimizing false positives. With AI/ML, there is no need for signatures to be updated, rules to be created, or configuration efforts to be managed. Yes, there may be the occasional “false positive,” but study after study points out that the occasional disruption caused by a false positive is worth the avoidance of a more impactful breach event.
Second, you can also use AI/ML to enhance the threat hunting process through behavioral analysis. One example is developing a profile for every server, person and application within a company’s network by analyzing and processing massive volumes of data to identify anomalous behaviors. Attackers attempt to “fly under the radar,” but they can be identified by AI-based tools looking for outlier events.
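The profiling idea in the paragraph above, shown in miniature as an added example (this is illustrative code, not code from the article or from Check Point). It builds a per-user baseline from a week of constructed logon events (which hosts each account touches, how many logons per day) and then scores a new day against it, reporting two kinds of outliers: an account's first-ever access to a host, and a logon volume more than three standard deviations above that account's own mean. The sample data, the z-score threshold and the `min_std` floor are all assumptions made for the example.

```python
"""Behavioral baselining over constructed authentication events.

Added illustration: not code from the original article or from Check Point.
A profile is built per user from a baseline window (which hosts they touch
and how many logons per day), and a new day of events is scored against it.
Two kinds of outliers are reported: a first-ever access to a host, and a
logon volume with a z-score of 3 or more above the user's baseline mean.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample data: (day, user, host). Seven days form the baseline.
BASELINE_EVENTS = []
for _d in range(1, 8):
    _day = f"2024-03-{_d:02d}"
    # alice: two logons to web01 and one to web02 every day
    BASELINE_EVENTS += [(_day, "alice", "web01"), (_day, "alice", "web01"),
                        (_day, "alice", "web02")]
    # bob: one logon to db01 every day
    BASELINE_EVENTS.append((_day, "bob", "db01"))
# a little natural variance for bob: an extra db01 logon on two days
BASELINE_EVENTS += [("2024-03-02", "bob", "db01"), ("2024-03-05", "bob", "db01")]

# The day under review (constructed): alice is normal, bob jumps to five logons
# and touches a host he has never used, and an account with no baseline appears.
NEW_DAY_EVENTS = (
    [("2024-03-08", "alice", "web01"), ("2024-03-08", "alice", "web01"),
     ("2024-03-08", "alice", "web02")]
    + [("2024-03-08", "bob", "db01")] * 4
    + [("2024-03-08", "bob", "fileserver01"),
       ("2024-03-08", "svc_backup", "dc01")]
)


@dataclass
class Profile:
    hosts: set = field(default_factory=set)           # hosts seen in baseline
    daily_counts: list = field(default_factory=list)  # logons per active day


def build_profiles(events):
    """Aggregate baseline events into one Profile per user."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    hosts = defaultdict(set)
    for day, user, host in events:
        per_user_day[user][day] += 1
        hosts[user].add(host)
    # Days with no events for a user are not counted as zero here; a
    # production implementation would make that choice explicitly.
    return {user: Profile(hosts[user], list(days.values()))
            for user, days in per_user_day.items()}


def score_day(events, profiles, z_threshold=3.0, min_std=1.0):
    """Return [(user, reason), ...] for behaviour that departs from baseline.

    z_threshold and min_std are tuning assumptions for this example; min_std
    keeps a perfectly regular baseline (std 0) from flagging every change.
    """
    counts = defaultdict(int)
    new_hosts = defaultdict(set)
    for _day, user, host in events:
        counts[user] += 1
        if user in profiles and host not in profiles[user].hosts:
            new_hosts[user].add(host)

    findings = []
    for user in sorted(counts):
        profile = profiles.get(user)
        if profile is None:
            findings.append((user, "no baseline: account never seen before"))
            continue
        mu = mean(profile.daily_counts)
        sigma = max(pstdev(profile.daily_counts), min_std)
        z = (counts[user] - mu) / sigma
        if z >= z_threshold:
            findings.append((user, f"logon volume z={z:.1f} "
                                   f"({counts[user]} vs baseline mean {mu:.1f})"))
        if new_hosts[user]:
            findings.append((user, "first access to "
                                   + ", ".join(sorted(new_hosts[user]))))
    return findings


if __name__ == "__main__":
    for user, reason in score_day(NEW_DAY_EVENTS, build_profiles(BASELINE_EVENTS)):
        print(f"{user:12} {reason}")
```

Run as a script it prints two findings for bob (volume spike, new host) and one for the never-seen `svc_backup` account, and nothing for alice, whose day matches her baseline. The point a practitioner should take from it is that the baseline is per entity: five logons is unremarkable for one account and an outlier for another, which is exactly what a global threshold cannot express.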
Third, AI/ML makes vulnerability management significantly easier. Some poorly run organizations postpone updates until hackers exploit high-risk vulnerabilities and breach their networks before fixing the issue. Traditional vulnerability scanners can detect most vulnerabilities, but AI/ML techniques can analyze the baseline behaviors of applications, users, and servers and identify unexpected behavior that could be malicious and should be followed up on. AI/ML can spot the indicators of compromise on a “fully patched” server that is nonetheless compromised or misconfigured.
Fourth, let’s discuss how AI/ML can positively impact your SOC (Security Operations Center) team. We all know the biggest problem that SOCs face is that the security staff are often overworked and burdened with keeping track of daily security threats. Even more alarming, a study showed that 30% of security teams ignored and did not investigate a majority of the warnings they received. These insights paint a frightening picture for the future of the SOC.
How exactly can AI/ML help your SOC team? AI/ML and SOAR processes can automate incident analysis by automatically labeling each threat as “High,” “Medium,” or “Low,” creating the ticket, and assembling and analyzing the appropriate data from all the various tools. From there, your staff can make immediate decisions on pre-filled tickets that deserve the highest priority, and automatically and quickly update firewall rules. While AI/ML will not replace your SOC, it can play an important role in automating other processes such as network traffic analysis, email threat analysis and threat prevention, endpoint protection, source code and user behavior analysis, and application or database server protections. By applying artificial intelligence and machine learning, your SOC team can improve efficiency while reducing risk. This also leads to better SOC analyst job satisfaction and will improve critical employee retention statistics!
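The triage step described above, as an added example that is not part of the original article and not Check Point's code. Alerts from three constructed tools (EDR, firewall, email gateway) are grouped per host, enriched from a constructed asset inventory and a constructed threat-intel list, scored, labelled High/Medium/Low, and turned into a pre-filled ticket sorted by urgency. The scoring weights, the severity thresholds and all sample addresses and hostnames are assumptions chosen for the example; the external IPs come from the RFC 5737 documentation ranges.

```python
"""SOAR-style alert triage over constructed alerts.

Added illustration: not code from the original article or from Check Point.
Alerts from several tools are grouped per host, enriched from an asset
inventory and a threat-intel list (both constructed here), scored, labelled
High/Medium/Low and turned into a pre-filled ticket sorted by urgency.
The weights and thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed enrichment sources standing in for an asset CMDB and an intel feed.
ASSET_CRITICALITY = {"10.0.1.5": "high", "10.0.2.20": "medium", "10.0.3.7": "low"}
KNOWN_BAD_IPS = {"203.0.113.9"}   # from the TEST-NET-3 documentation range

CRITICALITY_POINTS = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Alert:
    source: str        # tool that raised it: edr, fw, email_gw
    host: str          # internal asset the alert concerns
    remote_ip: str     # external address involved, if any
    confidence: float  # 0..1, as reported by the tool
    description: str


# Constructed alerts from three tools; two of them concern the same host.
ALERTS = [
    Alert("edr", "10.0.1.5", "203.0.113.9", 0.9, "suspicious process tree"),
    Alert("fw", "10.0.1.5", "203.0.113.9", 0.6, "outbound connection to flagged IP"),
    Alert("email_gw", "10.0.2.20", "198.51.100.4", 0.4, "link rewrite triggered"),
    Alert("edr", "10.0.3.7", "192.0.2.10", 0.3, "unsigned binary executed"),
]


def severity_label(score):
    """Map a numeric score onto the three labels the article mentions."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def score_group(host, group):
    """Score one host's alerts: asset value + confidence + corroboration + intel."""
    criticality = ASSET_CRITICALITY.get(host, "unknown")
    score = CRITICALITY_POINTS.get(criticality, 2)        # unknown assets: middle weight
    score += round(max(a.confidence for a in group) * 3)  # strongest detector, 0..3
    sources = sorted({a.source for a in group})
    if len(sources) > 1:
        score += 2                                        # independent tools agree
    intel_hits = sorted({a.remote_ip for a in group} & KNOWN_BAD_IPS)
    if intel_hits:
        score += 2                                        # known-bad infrastructure
    return score, criticality, sources, intel_hits


def triage(alerts):
    """Return pre-filled tickets, most urgent first."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)

    tickets = []
    for host, group in by_host.items():
        score, criticality, sources, intel_hits = score_group(host, group)
        label = severity_label(score)
        tickets.append({
            "host": host,
            "severity": label,
            "score": score,
            "asset_criticality": criticality,
            "corroborating_sources": sources,
            "intel_hits": intel_hits,
            "evidence": [f"{a.source}: {a.description}" for a in group],
            # Only a High ticket with a confirmed intel hit is proposed for an
            # automated firewall block; everything else goes to an analyst.
            "suggested_action": ("block remote IP(s) at firewall"
                                 if label == "High" and intel_hits
                                 else "analyst review"),
        })
    return sorted(tickets, key=lambda t: t["score"], reverse=True)


if __name__ == "__main__":
    for t in triage(ALERTS):
        print(f'[{t["severity"]:6}] {t["host"]:10} score={t["score"]:2} '
              f'{t["suggested_action"]}')
```

The host with two corroborating tools and a known-bad remote address comes out High and is the only ticket proposed for an automatic firewall block; the single low-confidence EDR alert on a low-value asset lands at the bottom as Low. Keeping the automated action gated on both the label and a confirmed intel hit is the design choice worth copying: the playbook acts only where the evidence is strongest, and every other ticket reaches an analyst with the enrichment already attached.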
Bonus section: Email protection needs the latest AI analysis to keep up with threats
If you are relying on your end users to be the last line of defense in preventing a devastating ransomware event, you are just one click away from a costly BEC or breach. No amount of end user training can prevent all attacks, but the latest AI and API-connected mail protection tools can get your organization the closest to security nirvana.
Since every hacker in the world is less than 500 milliseconds from your front door, expect to see threat actors leveraging AI to automate the creation, delivery and morphing of advanced cyber attacks that can penetrate corporate networks even faster than before and can cause even more disruption. To keep up with adversaries, it is critical to investigate how AI technology can improve your organization’s security in today’s threat landscape and to leverage all the prevention tools that are available.
When you need to protect your organization from cyber attacks, AI has emerged as the key technology to support your security team. Adding AI to your cyber security program and toolsets offers numerous benefits, including improved efficiency, reduced unplanned costs, improved staff morale, and greater confidence in the program, so you’re getting more sleep at night.
Check Point has utilized AI capabilities in its solutions for many years. Our integrated platform utilizes over 60 AI and ML threat prevention engines to protect against unknown malware and attacks and prevent them from infiltrating and impacting your network. Our AI-based offerings have prevented customer impact from the zero day attacks following the recent SolarWinds and Log4j incidents and other sophisticated threats that bypassed competitors’ tools. Reach out to a Check Point Partner or learn more at www.checkpoint.com.