Prepare for the new royal wedding of IT: AI and cyber security
Phishing, cyber bots, multi-cloud strategies, zero trust, diversity in cyber, and blockchain and cyber: we are set to enter a tumultuous period for cyber crime, but AI and cyber security will become the partnership that both cyber security and cyber criminals will put their faith in.
There will be a high priest at the IT wedding as AI and cyber security tie the knot: regulation will help conduct the ceremony — this facilitator won’t create the union, love is what lovers do, but our beloved regulators around the world will formalise the union. As for the best man/best woman: that will be diversity.
There is much that can go wrong. Does anyone here know any reason why this wedding between a beaming AI and cyber security, blushing down the aisle, should not go ahead? Well, there’s the dreaded password, there is that nagging suspicion that AI has been having an affair with cyber criminals, and there is the inevitable complexity of marriage — the internet of things, indeed the internet of identity, will throw confetti, but it is not clear where its loyalties lie. Finally, it is far from clear whether blockchain will be the embarrassing uncle, dancing without rhythm at the post-wedding party, or the scintillating wit that makes everyone roar with laughter during the speeches.
Mark Deem from the legal firm Cooley reckons we will continue to see customised phishing. He said it will be the “means of providing an entry point into corporate networks.” But no party pooper is Mark, because in keeping with the wedding atmosphere he said that we will also see “the use of AI as a means of threat detection.”
Cooley, which is known for its work in AI, predicts that we are set to see an increased focus on the quality of the data sets that underpin AI. Data is, of course, vital to AI: machines may learn, but they need good-quality learning materials, which means data, accurate data, and lots of it. But Mark Deem is optimistic AI will continue its “evolution from a data analytics tool to driving business innovation and achieving societal improvement.”
Gaurav Banga, CEO and founder of Balbix, sees it in numbers. “It is now mathematically impossible for humans to manage cyber security without the assistance of artificial intelligence.” He is right, of course, but see it that way, and the union of AI and cyber security feels a lot less romantic. Gaurav explains: “Even the largest security team comprised of the most skilled IT professionals can’t sift through the thousands of vulnerabilities to determine which to prioritise. Tools leveraging AI that continuously monitor all assets, proactively predict what vulnerabilities are most likely to be exploited, and produce a prioritised list of fixes are entirely necessary just to keep up with constantly evolving attack methods.”
But a marriage needs trust, and as AI and cyber security make it up the aisle, it is tempting to speculate on the role trust will play. Mark Deem put it this way: AI will “be critical to achieve the aims of regulatory bodies and legislatures around the globe, who are increasingly converging on the inter-related concepts of transparency and trust as drivers for future development.”
Not all see it that way, however.
Jay Coley, Senior Director of Security Planning and Strategy at Akamai Technologies, talks about zero trust. “Zero Trust will march towards killing off corporate virtual private networks (VPNs),” says Jay, and adds: “For years, virtual private networks have been the mainstay of remote, authenticated access. However, as applications move to the cloud, threat landscapes expand, and access requirements diversify, the all-or-nothing approach to security needs to change. Zero Trust, where each application is containerised and requires separate authentication, is stepping in to provide security fit for the 21st Century. Companies will increasingly turn to a cloud framework for adaptive application access based on identity and cloud-based protection against phishing, malware and ransomware, helping to improve the user experience and sounding the death knell for VPNs.”
There is one thing a marriage doesn’t need and that is passwords. When the loved-up couple wake up in the morning, there is no need to check the partner’s ID by asking for their password before kissing them. Yet, alas, in the world outside of the bedroom, we have to prove that we are who we say we are.
Jim Ducharme, Vice President of Engineering and Product Management at RSA, sees identity as a growing problem. He refers to what he calls the identity of things and says: “From personal assistants to wearables, smartphones, tablets and more, there is no shortage of connected devices. The explosion of IoT has finally reached a tipping point where the conversation of identity will start to take on a whole new meaning.”
This all creates risk, points out Jim, who reckons he has a few answers.
Oddly, he thinks the good old-fashioned but decidedly hackable four-digit PIN may yet win out over biometric data. “How could a simple 4-digit PIN, which has at most 10,000 possible combinations, give biometrics like FaceID with a 1 in 50 million entropy a run for its money?” he asks. The answer lies with our wedding: whether it be a marriage of love or convenience, the wedlock of AI and cyber security can give the four-digit PIN a new lease of life, reckons Jim. He said: “The industry will come to realise when 4-digit PINs are combined with AI and machine learning, the four-digit PIN, similar to what has been used for decades to protect access to our bank accounts, can provide a very high level of security. The ultimate goal for identity and access management is not to find the unbreakable or ‘unhackable’ code for authentication, but rather, to layer security to create a much stronger identity assurance posture. AI and machine learning will be a game changer, allowing for intelligence-driven authentication that will open up additional options of security layers for organisations.”
Weddings are good things; no one wants to see a death at one, unless that death relates to something unpleasant, like the need for passwords. And Jim even considers the death of passwords. It appears, however, that just like Mark Twain’s, its death was exaggerated. Jim said: “We have long seen predictions that passwords are in their final days. But it’s time to come to grips that passwords will be here for a long time. But perhaps there is still hope that while we may be living with passwords for generations to come, they may be a lot less scary than the monster we have created. It’s time to reverse the trend of how complex passwords have become (MyKitsH8Me!) and how hard they are to manage (having to change them every 60 days) in an attempt to improve password strength. We can uncomplicate the password and unburden it from having the ultimate responsibility of security. A much more simple password coupled with an additional layer of risk-based authentication, especially those factors invisible to the user like behavioral, location and device context, and even transparent biometrics can help businesses better secure access to critical resources.”
This takes us to the best man/woman at the AI cyber security wedding — diversity. Lydia Ragoonanan, the Director of LORCA, said: “The stereotype of young guys in hoodies has been cast out for some time, but under-representation means the sector is still portrayed as jobs for the boys. As just one example, only 11% of the cyber security workforce are women. But we are set to see the needle shift. From the language that determines what we consider to be ‘cyber security’ through to the numbers entering the profession, we will start to see more of ourselves engaged in, and reflected in, the cause to keep the digital realm trusted and safe.”
There will be the unwelcome visitors — even the suspicion that AI and cyber criminals have been seeing each other in secret. The AI cyber security marriage can’t work if there are three people in it.
And Akamai’s Jay Coley worries about bots. “Organisations will see an increase in cyber attacks but these will be ‘low and slow’, rather than ‘noisy’ incidents such as DDoS attacks. Launched by botnets, ‘low and slow’ attacks aim to remain under the radar for as long as possible, to steal as much data as they can. Often these take the form of credential stuffing attacks, where stolen credentials are used to access associated accounts and steal further personal data such as addresses and payment details. To protect themselves, businesses will need to adopt bot management solutions, which identify, categorise and respond to different bot types. The technology uses behaviour-based bot detection and continuous threat analysis to distinguish people from bots.”
Indeed, Akamai has found that 43% of all login attempts come from malicious botnets. Jay warns that “this is set to increase as credential stuffing and ‘low and slow’ attacks grow in popularity. More sophisticated bots will become capable of accurately mimicking human behaviour online – making it harder for bot solutions to detect and block their activities. Effective bot management tools are crucial for addressing this threat. They are able to use contextual information, such as IP addresses and past user behaviour data (neuromuscular interaction), to determine whether a visitor is a bot or human and respond accordingly.”
And then we come to the enigmatic guest. Will blockchain and cyber security, or indeed blockchain, AI and cyber security, be like the embarrassing uncle or the witty raconteur?
Jay says: “Blockchain technology will move from cryptocurrencies to mainstream payments.
“Today, most people associate blockchain with cryptocurrencies and the less-legitimate end of online payments. However, soon blockchain-based payment networks will properly make it into the mainstream as they enable next-generation payment transactions to evolve rapidly. The inherent security built into blockchain can streamline the online payments process, reducing friction, increasing speed and improving the user experience. In the coming year, we expect to see more and more blockchain-powered payment platforms, with high scalability and speed, being adopted by brand-name banks and consumer finance companies.”
Finally, no wedding is complete without the surprise guest. According to Stephan Chenette, CTO of AttackIQ: “DevOps is changing the way (and speed at which) software is being developed, and this greatly impacts security.”
He cites figures from Gartner: “that DevSecOps will be embedded in 80% of development teams by 2021, up from 15% in 2017.”
“I certainly hope that’s true,” says Stephan, “as we will surely see even more breaches in 2019, if security does not adapt to the new processes, capabilities and tools of DevOps.”
AI and Cyber Security — the union
The problem with AI is that up to now, the technology has fallen short of the hype — relegating artificial intelligence to a kind of ugly duckling status — in the eyes of some, stuck forever as a disappointment. In reality, it is just waiting for advances in technology and is on the verge of passing a tipping point, rising to that most favourable spot on the Gartner hype cycle. And as it blossoms into a beautiful swan, it would make an elegant addition to any union, including that of AI and cyber security.