AI solutions for enhancing an organisation’s cybersecurity are there, and they’re getting better all the time. Chris Fisher says it’s just understanding what they are and how they can be integrated for maximum benefit.
Security breaches and incidents are occurring with alarming regularity, with the big names reported in the media only a fraction of the actual number of breaches taking place.
Just recently, Latitude Financial, a major financial services provider operating across Australia and New Zealand has released details of a cyber attack and data breach that has impacted 14 million of its customers.
If we are to keep our people and systems safe, we must adopt a ‘not if, but when’ mindset and take steps to improve clarity of understanding and efficiency in catching and responding to threats.
Today’s world demands that businesses improve cybersecurity measures and gain greater visibility over threats and attack surfaces, or else fall prey to sophisticated and targeted attacks. The more visibility an organisation has, the better equipped it is to detect and respond in a timely, meaningful way. Luckily, with security of increasing importance, there are more tools and solutions available, with the likes of artificial intelligence (AI) arming us with a greater ability to understand our attack surface and catch threats fast.
Making unknowns known
Let’s first consider unknowns. The last couple of years have led to significant changes in how we work, including a massive rise in remote working, notable changes in systems, including a huge rise in cloud adoption, greater financial pressure, and a struggle to find talent.
These changes have led to a larger attack surface, more vulnerabilities and exploits, more tools and alerts, and smaller, more overworked teams. Meanwhile, attackers are more evasive and more sophisticated in their infiltration methods.
Analysts at Gartner predict that nearly half of cybersecurity leaders will change jobs by 2025 due to mounting stresses and burnout.
Part of the problem, as highlighted by Gartner VP Analyst Paul Furtado, is insider risk and the fact that traditional cybersecurity tools lack the ability to provide visibility over threats not only from outside but within the network.
It is true that oftentimes our attack surface is far larger than we assume. Let’s say I’m leading a security team and I’m responsible for taking care of 4,500 employees. I have an asset register that has logged 4,500 laptops, 2,500 servers, and I have 7,000 assets total on my network. However, it also shows that I have 15,000 active IP addresses on the network.
It is not uncommon to see only 50 percent of assets logged as endpoints, with the additional IP addresses being routers, switches, printers, cameras, telephones and other services. These additional IP addresses could also be personal devices on a guest network, cloud computing services and container workloads, or even traditional server application services that are running hosts of activity that isn’t being monitored.
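The gap between the asset register and the addresses actually active on the network is something a team can measure rather than estimate. The following is an added example, not code from the article or from Vectra: it reconciles a constructed asset-register export against a constructed list of active IPs and reports unregistered hosts by subnet, so a team can see where its unmanaged estate sits. The register, address list and subnet labels are all assumptions made for the example.

```python
"""Reconcile an asset register against observed active IP addresses (added example)."""
import csv
import io
import ipaddress
from collections import Counter

# Constructed asset-register export, shaped like a typical CMDB CSV.
ASSET_REGISTER_CSV = """hostname,ip,asset_type
lt-0001,10.10.1.10,laptop
lt-0002,10.10.1.11,laptop
srv-db-01,10.20.5.20,server
srv-web-01,10.20.5.21,server
"""

# Constructed addresses seen active (as an ARP table, DHCP leases or flow logs would show).
ACTIVE_IPS = [
    "10.10.1.10", "10.10.1.11", "10.10.1.57",   # endpoint subnet
    "10.20.5.20", "10.20.5.21", "10.20.5.99",   # server subnet
    "10.30.0.4", "10.30.0.5",                   # guest network
    "10.40.2.1", "10.40.2.2", "10.40.2.3",      # printers, cameras, phones
]

# Constructed subnet labels (assumed addressing plan) used to triage unregistered hosts.
SUBNET_LABELS = {"10.10.0.0/16": "endpoints", "10.20.0.0/16": "servers",
                 "10.30.0.0/16": "guest", "10.40.0.0/16": "ot_devices"}

def load_register(csv_text):
    """Index the register by IP so lookups against the active list are O(1)."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def label_subnet(ip, labels=SUBNET_LABELS):
    addr = ipaddress.ip_address(ip)
    for cidr, name in labels.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"  # active host in address space the plan does not describe

def reconcile(register, active_ips):
    """Split active IPs into registered/unregistered, flag stale register entries,
    and count unregistered hosts per subnet label."""
    active = set(active_ips)
    unregistered = sorted((ip for ip in active if ip not in register), key=ipaddress.ip_address)
    stale = sorted((ip for ip in register if ip not in active), key=ipaddress.ip_address)
    coverage = len(active & register.keys()) / len(active) if active else 0.0
    return {"unregistered": unregistered, "stale": stale,
            "by_subnet": dict(Counter(label_subnet(ip) for ip in unregistered)),
            "coverage": coverage}

if __name__ == "__main__":
    report = reconcile(load_register(ASSET_REGISTER_CSV), ACTIVE_IPS)
    print(f"register covers {report['coverage']:.0%} of active IPs")
    for subnet, count in sorted(report["by_subnet"].items()):
        print(f"  unregistered in {subnet}: {count}")
```

Feeding real register exports and address observations into `reconcile` gives the same shape of report; the `unknown` label is the one to look at first, since it marks activity in address space nobody has documented.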
Security teams are now tasked with defining vulnerabilities within each of these items and executing controls in those environments.
For instance, closed operating systems don’t allow endpoint control measures to be installed, but an attacker can still leverage them for an attack. As a result, having a full depth of view is critical, and this is where technology solutions can shine.
Gaining visibility over an attack surface means understanding threat vectors that sit beyond what you as a company own.
Consider unauthorised access. An increasingly common term, this refers to the act of gaining access to a computer system, network or application without express permission or authorisation – as the name suggests.
As was reported in March, Commonwealth Bank of Australia’s Indonesian unit was recently impacted by an incident involving unauthorised access of a web-based software application used for project management.
Similarly, AT&T has recently publicly announced that back in January, an unauthorised person breached a vendor’s system and gained access to the company’s Customer Proprietary Network Information.
We can’t take this lightly. Gaining visibility and clarity through expert tooling reduces the burden on security teams and greatly improves an organisation’s ability to understand threats, while also giving the chance to remediate quickly and effectively.
The role of AI in visibility and security
According to MarketsandMarkets, the AI in cybersecurity market size is valued at US$22.4 billion in 2023 and is anticipated to be US$60.6 billion by 2028, growing at a CAGR of 21.9 percent from 2023 to 2028.
Meanwhile, IDC finds that cybersecurity has been identified as a top investment in APAC, with one of the leading categories being AI and machine learning. However, the study found that only 13 percent of Asia/Pacific respondents stated this was an investment priority, hinting that the region is lagging.
AI is a powerful tool in driving signal clarity and maximising the use of our now more visible attack surface.
AI enhances signal clarity by allowing us to zero in on the behavioural aspect of attacks and considering all possible infiltration points.
Attackers may be utilising AI or automation to speed up their attacks, but this doesn’t inherently change their behaviour. There are still certain actions they need to take to compromise a network, and these behavioural markers are what we can pick up on.
Security teams are alerted to suspicious behaviour, improving efficiency and helping them to sift through the noise of alerts.
We hear from many organisations that they receive far too many false positives from their security tooling and security teams are inundated with information that they don’t know what to do with.
Leveraging AI is not about replacing a human being; it’s about making what we do far more efficient and clearer. We can automate mundane tasks to free up employees, amplify the signal of an attack, and improve our ability to respond.
When it comes to response, we must know what to do with the attack alerts that come through, otherwise all our clarity is for nothing.
First, we determine what the attack is, and second what to do about it. Remediation is a helpful metric because it highlights that our goal is to remove the attacker from the environment but considers that there will be various ways to do this, depending on the systems and environment.
There can’t be a blanket rule; we must be flexible, but we can create repeatable procedures that have flexibility built in. Metrics such as ‘mean time to remediation’ can showcase the value and benefit of AI in terms of real outcomes and returns.
Moving forward we expect to see CISOs and security leaders invest more into tooling that improves efficiencies and supports security teams in sifting through alerts and uncovering threats in a sprawling and broad attack landscape.
The solutions are there, and they’re getting better all the time; it’s just a matter of understanding what they are and how they can be integrated for maximum benefit.
Chris Fisher is the Head of Security Engineering for Vectra.ai in the Asia Pacific and Japan Markets. Vectra is a leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. www.vectra.ai.