The threat landscape is growing rapidly and changing continuously, posing a serious risk to organisations’ assets, reputations and business. Conventional threat protection solutions rely on a handful of techniques to prevent infections, and those techniques share two weaknesses.
First, they depend on there being a patient zero: to write a signature for a piece of malware, legacy AV must already have seen it. Second, they depend on human experts, who are in short supply.
However, ransomware attacks such as WannaCry, NotPetya and, most recently, Bad Rabbit continue to make headlines and infect hundreds of thousands of computers across the globe.
This suggests that the traditional signature-based approach to security is no match for today’s attacks, let alone tomorrow’s.
Indeed, whatever security vendors do, attackers always seem to find ways to outsmart defensive controls. An artificial intelligence/machine learning (AI/ML) approach to security, by contrast, can let organisations protect confidently against today’s malware and anticipate the malware of the future. An AI/ML model does not forget, does not depend on having seen a particular piece of malware before, and can identify malicious files and executables without an internet connection.
Because it needs neither signatures nor the burdensome updates that come with them, and uses minimal resources, users who adopt this AI/ML approach often feel as though they have a new machine.
So, what is the role of AI and machine learning in combating modern cyber-attacks and how can such technologies help organisations stay one step ahead of hackers?
Classic security solutions have reached their limits
Today’s malware protection products rely on signatures as the primary method of detecting and removing malicious code on endpoints. Signatures, however, only work against malware that has already been seen.
With the rise of unknown (zero-day) malware, legacy security vendors were forced to expand their portfolios with additional prevention techniques, increasing their footprint on the endpoint. Security teams have also adopted technologies such as sandboxing to automate the creation of signatures and network indicators, for example to identify and block malicious URLs or packets in the network data stream such as botnet command-and-control (C2) traffic.
In most cases, however, this does not prevent the first infection of a victim; only subsequent infections are prevented, and the business is left to pick up the pieces. That is a costly proposition.
This has led to an attitude in security circles that zero-day malware cannot be prevented, only detected and stopped in flagrante, that is, by its behaviour while it runs (for example, a program that reads files in a certain order, uses cryptographic libraries and writes them back to disk). Organisations must then deploy other detection and response products to curb the active attack and undo the damage their prevention solution let through.
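Here is what such a behavioural, in-the-act check looks like in practice, added as an example rather than taken from the article or from Cylance. It runs the rule in the parenthesis above (crypto library loaded, user files read and overwritten, then renamed to a new extension) over a constructed process event log. The log format, the list of libraries counted as cryptographic and the three-file threshold are assumptions for the demo.

```python
"""Added example, not code from the article or from Cylance: a behavioural ("in the act")
ransomware check run over a constructed process event log.  Log format, library list and
threshold are assumptions for the demo."""
import re
from collections import defaultdict

CRYPTO_LIBS = {"bcrypt.dll", "crypt32.dll", "ncrypt.dll"}  # assumption: what counts as "uses crypto"
MIN_ENCRYPTED_FILES = 3                                      # assumption: renames needed before alerting

# Constructed log: one event per line, "<time> pid=<n> <action> <argument>".
# pid 4120 encrypts files, pid 7001 is an editor saving a document, pid 5150 only reads.
SAMPLE_LOG = r"""
10:00:01 pid=4120 load C:\Windows\System32\bcrypt.dll
10:00:02 pid=4120 read C:\Users\ann\Documents\q1.xlsx
10:00:02 pid=4120 write C:\Users\ann\Documents\q1.xlsx
10:00:02 pid=4120 rename C:\Users\ann\Documents\q1.xlsx -> C:\Users\ann\Documents\q1.xlsx.locked
10:00:03 pid=7001 load C:\Windows\System32\bcrypt.dll
10:00:03 pid=7001 read C:\Users\ann\Documents\report.docx
10:00:03 pid=7001 write C:\Users\ann\Documents\~report.tmp
10:00:03 pid=7001 rename C:\Users\ann\Documents\~report.tmp -> C:\Users\ann\Documents\report.docx
10:00:03 pid=4120 read C:\Users\ann\Documents\budget.docx
10:00:03 pid=4120 write C:\Users\ann\Documents\budget.docx
10:00:03 pid=4120 rename C:\Users\ann\Documents\budget.docx -> C:\Users\ann\Documents\budget.docx.locked
10:00:04 pid=5150 read C:\Users\ann\Documents\q1.xlsx.locked
10:00:04 pid=5150 read C:\Users\ann\Documents\budget.docx.locked
10:00:04 pid=4120 read C:\Users\ann\Pictures\cat.jpg
10:00:04 pid=4120 write C:\Users\ann\Pictures\cat.jpg
10:00:04 pid=4120 rename C:\Users\ann\Pictures\cat.jpg -> C:\Users\ann\Pictures\cat.jpg.locked
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) (?P<action>load|read|write|rename) (?P<arg>.+)$")


def parse_events(log_text: str) -> list:
    """Parse the log into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def detect_ransomware_behaviour(events: list) -> list:
    """Alert on a process that has loaded a crypto library, overwritten files it previously
    read, and renamed at least MIN_ENCRYPTED_FILES of them to a different extension."""
    state = defaultdict(lambda: {"crypto": False, "read": set(), "rewritten": set(), "renamed": set()})
    alerts, alerted = [], set()
    for ev in events:
        pid, action, arg = ev["pid"], ev["action"], ev["arg"]
        s = state[pid]
        if action == "load" and arg.rsplit("\\", 1)[-1].lower() in CRYPTO_LIBS:
            s["crypto"] = True
        elif action == "read":
            s["read"].add(arg)
        elif action == "write" and arg in s["read"]:
            s["rewritten"].add(arg)  # read earlier, now overwritten in place
        elif action == "rename" and "->" in arg:
            src, dst = (p.strip() for p in arg.split("->", 1))
            old_ext = src.rsplit(".", 1)[-1].lower()
            if src in s["rewritten"] and not dst.lower().endswith("." + old_ext):
                s["renamed"].add(src)  # overwritten file now carries a different extension
        if s["crypto"] and len(s["renamed"]) >= MIN_ENCRYPTED_FILES and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "at": ev["ts"], "files": sorted(s["renamed"])})
    return alerts


def demo() -> list:
    """Run the detector over the constructed log."""
    return detect_ransomware_behaviour(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT pid={a['pid']} at {a['at']}: {len(a['files'])} files overwritten and renamed")
```

The alert for pid 4120 fires only at the third rename, by which point three files have already been overwritten; that is exactly the limitation the paragraph describes. Raising the threshold reduces the false-positive risk from ordinary programs that also load bcrypt.dll (pid 7001 here) but lets more files be lost before anything is stopped.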
Yet today’s waves of ransomware, as well as sophisticated targeted attacks, show that many attacks succeed despite the expensive technical effort put in by security teams.
AI technologies make anti-malware solutions more effective
Rather than being reactive, today’s AI-based malware prevention solutions focus on delivering proactive security. Their approach is built around AI/ML models trained to identify malware before it executes, without signatures, frequent updates or a cloud connection. The models estimate the risk that a piece of executable code will cause damage and decide whether a file is safe to run or should be quarantined.
For example, a file is decomposed into hundreds of thousands of features before it executes; these features can be thought of as the file’s DNA. Beyond easily understood features such as the creator, date, version, PE headers, digital signature and displayed icon, there are today up to 2.7 million other relevant features, such as normalised byte strings, that mean nothing to a human but can be used by a computer for statistical evaluation.
These features are processed by a mathematical model that classifies the file as harmless or harmful. The model thus takes over the role previously played by signature databases.
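To make the feature-extraction step concrete, the following is an added example, not code from the article or from Cylance. It parses the PE headers and section table of an executable, derives a few of the human-readable features mentioned above (section names and permissions, presence of an Authenticode certificate table, where the entry point lives) together with per-section entropy and a normalised byte histogram, and feeds them to a logistic scorer. The two sample images are constructed inside the script, and the weights are hand-set illustrative stand-ins for what a production model learns from millions of samples; the section-name list, the entropy threshold and the weights are assumptions, not any real product’s model.

```python
"""Added example, not code from the article or from Cylance: static "file DNA" features
extracted from a PE image and fed to a small linear scorer.  Both PE images are constructed
inline; the model weights are hand-set stand-ins for a trained model (assumption)."""
import math
import random
import struct
from collections import Counter

SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000  # PE/COFF section flags
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".pdata", ".bss", ".tls"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Parse the DOS header, COFF header, optional header and section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]       # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint (an RVA)
    dd_base = opt + (112 if magic == 0x20B else 96)        # first data directory entry
    _, cert_size = struct.unpack_from("<II", image, dd_base + 4 * 8)  # entry 4: Authenticode table
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "entropy": shannon_entropy(image[rptr:rptr + rsize]),
                         "execute": bool(flags & SCN_EXECUTE), "write": bool(flags & SCN_WRITE)})
    return {"entry": entry, "cert_size": cert_size, "sections": sections}


def extract_features(image: bytes) -> dict:
    """Turn a PE image into the numeric features a classifier consumes."""
    pe, hist = parse_pe(image), Counter(image)
    secs = pe["sections"]
    return {
        "has_authenticode": int(pe["cert_size"] > 0),
        "max_section_entropy": max((s["entropy"] for s in secs), default=0.0),
        "wx_sections": sum(1 for s in secs if s["write"] and s["execute"]),
        "nonstandard_names": sum(1 for s in secs if s["name"] not in STANDARD_SECTIONS),
        "entry_in_writable": int(any(s["write"] and s["vaddr"] <= pe["entry"] < s["vaddr"] + s["vsize"]
                                     for s in secs)),
        # 256 normalised byte frequencies: the kind of feature that means nothing to a human reader
        "byte_hist": [hist.get(b, 0) / len(image) for b in range(256)],
    }


# Hand-set weights (assumption): a real product learns these from millions of labelled samples.
WEIGHTS = {"has_authenticode": -2.0, "wx_sections": 1.5, "nonstandard_names": 1.0, "entry_in_writable": 2.0}
BIAS = -1.5


def score(feats: dict) -> float:
    """Logistic score in [0, 1]; higher means more likely malicious."""
    z = BIAS + sum(w * feats[k] for k, w in WEIGHTS.items())
    z += 1.5 * max(0.0, feats["max_section_entropy"] - 6.5)  # packed or encrypted payload signal
    return 1.0 / (1.0 + math.exp(-z))


def classify(image: bytes, threshold: float = 0.5) -> str:
    return "malicious" if score(extract_features(image)) >= threshold else "benign"


def build_pe(sections, entry_rva, cert_blob=b""):
    """Construct a minimal PE32 image (headers plus raw sections, not loadable) for the demo."""
    opt_size, align = 224, 0x200
    raw_ptr = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + align - 1) // align * align
    table, body = b"", b""
    for name, vaddr, data, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), vaddr,
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, flags)
        body += data
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    if cert_blob:  # security directory: file offset and size of the certificate table
        struct.pack_into("<II", opt, 96 + 4 * 8, raw_ptr + len(body), len(cert_blob))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5A000000, 0, 0, opt_size, 0x0102)
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_ptr, b"\0") + body + cert_blob


# Constructed sample 1: conventional layout, low-entropy code, certificate blob present.
BENIGN = build_pe([(".text", 0x1000, b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 256, SCN_EXECUTE | SCN_READ),
                   (".data", 0x2000, b"hello world\0" * 64, SCN_READ | SCN_WRITE)],
                  entry_rva=0x1000, cert_blob=b"\x30\x82" + b"\0" * 126)
# Constructed sample 2: packer-style layout, high-entropy payload in a writable and executable
# section holding the entry point, no certificate.  Packers are used by benign software too,
# so this is one signal among many, not proof of malice.
_rng = random.Random(7)
PACKED = build_pe([("UPX0", 0x1000, b"\0" * 512, SCN_READ | SCN_WRITE),
                   ("UPX1", 0x5000, bytes(_rng.getrandbits(8) for _ in range(4096)),
                    SCN_EXECUTE | SCN_READ | SCN_WRITE)], entry_rva=0x5010)

if __name__ == "__main__":
    print({label: classify(img) for label, img in (("benign", BENIGN), ("packed", PACKED))})
```

A production classifier uses far more features (imports, strings, opcode n-grams, the full byte histogram built here) and learned rather than hand-set weights; the point of the example is the pipeline the paragraph describes: bytes in, features out, a score that needs neither a signature for this particular file nor a network lookup.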
And because the model has been trained on many millions of files, constant engine updates are no longer necessary to detect and block unknown threats.
A solution should also reliably handle threats delivered as scripts (e.g. PowerShell, Visual Basic, macros), sometimes with no payload at all, or that rely on exploits. The prevention rate of AI-based anti-malware solutions is high, in some cases twice that of traditional products, with a low false-positive rate at the same time.
Even with these new approaches, no solution prevents 100% of malware. AI-based solutions do, however, save system resources and can make a business more secure by stopping malware before it executes.
AI is all around us, from the pizza you order for dinner and the book you buy online to the show recommended next in your streaming queue. Now is the time to embrace AI in cybersecurity as the most powerful way to thwart a data breach: stopping the attack before it executes.
Sourced by Steve Salinas, senior product marketing manager at Cylance