There is a concerning shift occurring in the mindset of security professionals. Today’s challenges bear little resemblance to tomorrow’s, and as cyber criminals arm themselves with increasingly sophisticated technologies and exploit new vectors of attack, time favours the adversary. That an organisation will be targeted is no longer considered a remote possibility — it’s just a question of ‘when’ it will happen, and ‘how’. For example, just this July, in the Kaseya breach – a supply chain ransomware attack – hackers leveraged a vulnerability in Kaseya VSA software against multiple Managed Service Providers and their customers. The attackers initially demanded $70 million to decrypt their victims’ data.
To add to this hefty price tag, the cost of a successful breach – whether it’s large enterprises or government agencies – is far more than just financial. The reputation of any targeted organisation is as much on the line as the safety of its data. And the bigger the breach and more high-profile the victim, the more attention it will garner in the media.
What’s more, no company exists in a vacuum. Even businesses not directly targeted can be hugely affected by breaches that occur elsewhere on the broader value chain, negatively affecting the breached organisation’s important relationships.
How do you solve the problem of contextualisation?
Large-scale supply chain attacks are here to stay, as such attacks provide bad actors with a literal menu of companies to choose from amongst an organisation’s suppliers, many of which have much less sophisticated security controls. This is one of the reasons it can be so difficult to detect and prevent threats, yet understanding the context of a threat or an incident is vital to having the capability to remediate the effects of an attack and stop them from happening in the future.
While there are several questions that need answering in order to establish the nature of an attack – how did this occur? Why was it successful? – the investigation of an incident typically begins at the end, or endpoint. The device that a successful hacker has used as a door into a network is the starting point for link analysis, where isolated activities are connected to build a holistic view of the incident as a whole.
The issue for security professionals is that legacy Endpoint Detection and Response (EDR) tools present an extremely complex picture due to the overwhelming amount of data from the huge range of endpoints. Robust EDR is unarguably helpful for comprehensive investigation, but with the amount of data being provided by these tools today, it has become far too noisy for useful alerting, or for discovering the unusual behaviours and static indicators of compromise that could point to a zero-day attack.
The end result is that analysts are faced with masses of data to sift through, while constantly being overloaded with long incident queues, leaving them little time to perform proactive analysis and take preventative action. Relying on a human-powered approach means handing the advantage to cyber criminals every time.
Complex attacks require an intelligent defence
To truly prevent incidents, organisations need the capability to stop breaches before they occur. However, it’s nearly impossible to manually monitor every single endpoint. Threat actors leverage the power of automation to hone their tactics. Enterprises need to follow suit to have any chance of keeping up with emerging attack vectors, such as the supply chain-based SolarWinds SUNBURST attack.
This attack, which targeted numerous industries around the globe from its activation in early 2020, was not a simple system vulnerability. It consisted of a complicated series of actions in which the initial infection was simply the first stage. With such a sophisticated ransomware attack, AI and automation are the only way to neutralise the full range of threats from the variety of attack vectors involved.
Using AI to cover all bases
It can take just seconds to breach an organisation’s defences. AI can work to detect, respond and remediate threats and incidents immediately, using vast amounts of data to raise high-quality, prioritised alerts whenever threat behaviour is observed.
This enriched intelligence around the context of an attack is delivered through real-time threat modelling, incident correlation and tactics, techniques and procedures (TTP) analysis. All data points across an organisation can be contextualised into a single action thread, providing security professionals with the key to not just detecting threats but comprehensively preventing them at scale, before they become successful.
This converts a manual alert triage process into one with an autonomous AI-powered agent functioning like an SOC analyst on each and every endpoint. What’s more, using AI democratises an organisation’s response to threats, where everyone from SOC analysts to novice security teams can automatically remediate threats and defend against even the most sophisticated attacks.
Marrying prevention and remediation for comprehensive custom protection
Advanced technologies that automate threat response help organisations to finally transcend the arms race that cyber security has become, and take a proactive approach to preventing incidents, rather than simply reacting to breaches that have already occurred.
In addition, analysts can maintain full control over response processes by configuring custom detection rules that address new or targeted threats – like threats that target specific industries – and trigger appropriate, pre-determined responses based on the level or type of threat. Incorporating custom detection logic combines human and AI capabilities to take containment actions, such as killing unwanted processes or disconnecting an endpoint from the network, or to alert on the highest-priority processes for further investigation by analysts.
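As an added illustration of the custom detection rules and tiered, pre-determined responses described above (example code written for this article, not from the original text or any vendor product): the rule names, severity tiers, response actions, telemetry fields and sample events are all constructed assumptions, and the engine returns a response plan per host rather than executing anything.

```python
from dataclasses import dataclass
from typing import Callable

# Pre-determined responses keyed by severity tier; the most severe hit on a host decides.
RESPONSE_BY_TIER = {1: "alert_analyst", 2: "kill_process", 3: "isolate_endpoint"}


@dataclass(frozen=True)
class Rule:
    name: str
    tier: int                      # 1 = investigate, 2 = contain process, 3 = contain host
    match: Callable[[dict], bool]  # predicate over a single telemetry event


# Custom detection rules an analyst might author (constructed, illustrative only).
RULES = [
    Rule("office_app_spawns_shell", 2,
         lambda e: e.get("parent_proc") in {"winword.exe", "outlook.exe"}
         and e.get("proc") in {"powershell.exe", "cmd.exe"}),
    Rule("mass_file_rename", 3,
         lambda e: e.get("event") == "file_rename" and e.get("count", 0) >= 1000),
    Rule("unsigned_binary_in_temp", 1,
         lambda e: e.get("event") == "process_start" and not e.get("signed", True)
         and "\\Temp\\" in e.get("path", "")),
]


def evaluate(events):
    """Apply every rule to every event and return one response plan per host."""
    hits = {}  # host -> list of (rule name, tier, pid)
    for e in events:
        for r in RULES:
            if r.match(e):
                hits.setdefault(e["host"], []).append((r.name, r.tier, e.get("pid")))
    plan = {}
    for host, matched in hits.items():
        top = max(matched, key=lambda h: h[1])  # highest tier drives the response
        plan[host] = {
            "action": RESPONSE_BY_TIER[top[1]],
            "target_pid": top[2],
            "evidence": sorted(h[0] for h in matched),  # linked activities for the analyst
        }
    return plan


# Constructed telemetry: one host shows an Office-spawned shell followed by mass renames,
# the other only a low-confidence indicator that should be queued for investigation.
SAMPLE_EVENTS = [
    {"host": "ws-042", "event": "process_start", "pid": 4122, "proc": "powershell.exe",
     "parent_proc": "outlook.exe", "signed": True,
     "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "ws-042", "event": "file_rename", "pid": 4122, "count": 1500},
    {"host": "ws-077", "event": "process_start", "pid": 900, "proc": "updater.exe",
     "parent_proc": "explorer.exe", "signed": False,
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe"},
]

if __name__ == "__main__":
    for host, decision in evaluate(SAMPLE_EVENTS).items():
        print(host, decision)
```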
Many businesses that were able to thwart the SolarWinds attack employed just this sort of cyber defence. By leveraging autonomous AI, these organisations were able to apply robust anti-tampering and impregnable defences at every point of attack, leaving them unscathed in this advanced ransomware attempt.
Crucially, in the event of a company being impacted by ransomware, incorporating automation into a cyber security strategy can even extend to remediation capabilities. Remediation can occur in real time alongside detection and response, such as by – in the event of a successful breach – rolling the system back to a point before the attack occurred.
Using AI to enhance, not replace, human capabilities
The industrial revolution of cyber security that is occurring right now has necessarily been born out of a recognition that a human-powered approach is no longer adequate against the scale and sophistication of modern supply chain attacks. Those organisations that are serious about implementing advanced technologies to solve this problem will jump ahead in terms of cyber security while falling to the bottom of hackers’ potential target lists.
There will never be a catch-all answer to IT security, but a solution founded in AI can proactively block threats before they breach defences, and automatically trigger response and remediation capabilities, all through a single XDR platform in real time, before the effects of an attack are felt. Through such an ‘all-in-one platform’, alert management becomes automated across an enterprise’s entire technology stack, from endpoints to IoT to the cloud.
Meanwhile, this AI and automation works to lessen the load on security professionals and gives them back the time to perform more important and complex threat analysis. In this way, humans and artificial intelligence can work together to deliver a robust, superhuman defence.