Author: Madhukar Govindaraju, Senior Vice President of Engineering
The fundamental principle of “defense in depth” is that layered security mechanisms increase the security of the whole system. If an attack causes one security mechanism to fail, other mechanisms kick in to cover the gaps and address different attack vectors, thereby providing the security needed to protect the network.
The Unknown Presents A Different Set of Challenges
Many companies that subscribe to the defense-in-depth strategy have adopted cybersecurity mechanisms in layers that complement each other to address threats as a whole. However, in today’s fast-paced world, many companies overlook “insider” risks, i.e., those users with inside access to high-value assets and applications, whether in production, test, or development. The rapid adoption of cloud computing by CIOs complicates this problem even further, because insiders require access to multiple cloud-based applications and VLANs to do their daily work.
Protecting the enterprise against unknown internal and external cyber threats is a critical priority on the agenda of every CIO. When we look at the current state of the cybersecurity kill-chain for insider threats, it is clear that policy- and signature-based security systems are not suited to address this problem. In fact, these systems can leave the organization more exposed, because it is almost impossible to write security policies for a large company that apply to every user and device. Policies and signatures are reactive by nature: they can only plug holes after the problem is known. This problem is even more complicated when CIOs need to integrate the networks of several independent subsidiaries.
Getting Ahead of the Game
Most CIOs are looking to get ahead of the curve and invest in systems that have a persistent, long-term view of all entities (users and devices) on their network to more proactively detect threats. However, they are faced with the following challenges:
- Severe shortage of personnel with top-tier cybersecurity skills within their IT teams.
- Lack of appreciation for the value of a defense-in-depth strategy.
- Too much data with which to do anything meaningful.
- Security teams using a multitude of tools and yet still missing threats – triaging alerts takes time away from remediation efforts, causing teams to be reactive, rather than proactive, when it comes to security strategy and tactical cyber defense.
- Most state-of-the-art tools focus on malware, which requires prior knowledge, and they lack context that is relevant to investigations, preventing security analysts from being able to prioritize and focus on the incidents that really matter.
- Many investigation tools do not provide the ability to proactively hunt for hidden threat activity, and hinder kill-chain reconstruction and compromised entity identification.
- Complex cybersecurity tools use inelastic infrastructure that isn’t scalable or well-suited to big data.
- The heavy burden of management overhead, because security teams must continually manage software updates, tool customization, and ongoing policy tuning.
An AI-in-Depth Solution
We believe that defense-in-depth using AI is the right answer to the cybersecurity challenges that most CIOs face today. Our technology is focused on delivering Assistive Cognitive Intelligence (AI) to CIOs and their cybersecurity teams by combining the principle of defense in depth with layers of machine learning models. We use this combination to identify user behaviors and anomalies at a granular level. These layered models work to deepen the insight of behavior patterns to identify threats hiding inside the organization more effectively.
However, behavioral analytics and machine learning-based anomaly and threat detection have one big problem: they must learn from imbalanced data (highly under-represented training datasets), because the behavioral data of known threats within an individual organization is small. The performance of a machine learning algorithm is a function of the data on which it is trained, so models must be trained in small batches as threat behavior data becomes available. Due to the inherent complex characteristics of imbalanced datasets, learning from such data requires new principles, algorithms, and tools to efficiently transform large volumes of raw data into meaningful information and effective threat graphs.
E8 Security’s models construct foundational and advanced user and device behaviors in multiple layers. Each layer of machine learning feeds new behavioral insight, represented as feature vectors, to the next layer of machine learning to derive suspicious behavioral patterns. The more layers there are, the deeper the machine learning algorithms can understand the data, and the easier it is for security analysts to derive insight to effectively defend the organization.
Deep Neural Net/Recurrent Neural Net/Convolutional Neural Net deep learning models could potentially replace these layers to generate an equivalent insight. However, this type of model does not deliver the explanation behind how it arrived at its answer, or the guided navigation that security analysts and threat hunters need for efficient investigations and effective responses. Threat or anomaly identification goes hand in hand with the explanation as to why the machine decided it was a threat or anomaly.
Defense in Depth with AI
Machine learning-based behavioral analytics is part of a good defense-in-depth strategy. We recommend that our customers develop processes to implement asset and entity prioritization within their business. This is critical for their protection and for the implementation of behavioral analytics for insider threat detection. Not all assets and entities are the same. CIOs should tailor their defense-in-depth strategy based on asset and entity sensitivity, and security teams should be able to understand this sensitivity from the additional context provided by the analytics. Organizations must build baseline behavior profiles, not only for individual employees, contractors and clients, but also for devices and other entities, as well as peer groups, in order to flag suspicious behaviors. AI can do all of this. AI adds another layer of defense that will help CIOs focus their organization to align processes, skills and expertise to get ahead of attacks.
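The layered, peer-group baseline approach described above, as an added example (not E8 Security's code): layer 1 turns constructed access events into a per-entity feature vector (the baseline profile), and layer 2 scores each entity against its peer group and returns the reason for every flag, matching the point that a detection must come with its explanation. All users, hosts, events and the z-score threshold are hypothetical.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access events (user, peer_group, host, hour_of_day); hypothetical data.
EVENTS = [
    ("alice", "finance", "fin-app01", 9), ("alice", "finance", "fin-app01", 14), ("alice", "finance", "fin-db01", 11),
    ("bob", "finance", "fin-app01", 10), ("bob", "finance", "fin-db01", 15),
    ("bob", "finance", "fin-app01", 16), ("bob", "finance", "fin-db01", 12),
    ("carol", "finance", "fin-app01", 9), ("carol", "finance", "fin-app01", 13), ("carol", "finance", "fin-app01", 17),
    ("erin", "finance", "fin-app01", 9), ("erin", "finance", "fin-db01", 12),
    ("erin", "finance", "fin-rpt01", 15), ("erin", "finance", "fin-app01", 20),
    ("frank", "finance", "fin-app01", 8), ("frank", "finance", "fin-db01", 11), ("frank", "finance", "fin-app01", 14),
    ("dana", "finance", "fin-app01", 2), ("dana", "finance", "fin-db01", 3), ("dana", "finance", "hr-db01", 1),
    ("dana", "finance", "eng-git01", 23), ("dana", "finance", "backup01", 22),
]
FEATURES = ("events", "distinct_hosts", "off_hours_ratio")

def layer1_entity_features(events):
    """Layer 1: per-entity feature vector, i.e. the baseline behaviour profile."""
    rows_of, group_of = defaultdict(list), {}
    for user, group, host, hour in events:
        rows_of[user].append((host, hour))
        group_of[user] = group
    profiles = {}
    for user, rows in rows_of.items():
        off_hours = sum(1 for _, h in rows if h < 7 or h >= 20)  # outside 07:00-19:59
        profiles[user] = {"events": len(rows),
                          "distinct_hosts": len({h for h, _ in rows}),
                          "off_hours_ratio": off_hours / len(rows)}
    return profiles, group_of

def layer2_peer_anomalies(profiles, group_of, z_threshold=2.0):
    """Layer 2: leave-one-out z-score of each entity against its peer group, with a reason per flag."""
    members = defaultdict(list)
    for user, group in group_of.items():
        members[group].append(user)
    findings = {}
    for user, group in group_of.items():
        peers = [p for p in members[group] if p != user]
        for feat in FEATURES:
            peer_vals = [profiles[p][feat] for p in peers]
            if len(peer_vals) < 2 or pstdev(peer_vals) == 0:
                continue  # no usable peer baseline for this feature
            z = (profiles[user][feat] - mean(peer_vals)) / pstdev(peer_vals)
            if z > z_threshold:  # only upward deviations are suspicious here
                findings.setdefault(user, []).append(f"{feat}={profiles[user][feat]:g} is {z:.1f} sd above peers in {group}")
    return findings
```

Each entry in the returned dict is the explanation an analyst would see next to the flagged entity; peers whose feature values are all identical produce no baseline and are skipped rather than scored.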
Recent ESG research discusses these challenges and how AI and machine learning can help.