Be part of something bigger, join the Chartered Institute for IT.
Organizations must secure an increasingly large and diversified IT infrastructure. With the rise of remote and hybrid working, the attack surface is wider than ever. ML can be used to monitor this wide range of devices, containing any threats that may arise. Even simply alerting to threats as they emerge can provide much-needed visibility to enable small teams to act faster. ML can adapt and learn the “normal” patterns of devices on your network and quickly identify anything out of the ordinary.
This technology can also be applied to our cloud solutions. Whether it’s software, infrastructure or even a complete workstation, many elements are increasingly being provided “as a service”. Protecting cloud accounts requires monitoring unusual user behavior using trusted credentials to detect any threats or intrusions. If someone starts running VMs while working in payroll, you likely have credentials that have been compromised.
We do not know our unknowns. Often advanced threats hide on a network for a long time, slowly putting the pieces together to stage an attack. Attacks are inevitable in the modern world, the key is to detect and respond to intrusions and malicious behavior as soon as possible. Can you imagine trying to search through every hard drive, every package, every desktop to find something out of place? Instead, we can rely on our algorithms to do it for us and detect strange behavior.
Zero trust out of the box
Unlike people, ML is not inherently trusting. Increasingly, attacks caused by insider threats are becoming more common. Whether it’s a despised employee, a former employee who still has access to important systems, or an employee who, knowingly or unknowingly, is being exploited by an external attacker, insider threats can cause huge damage.
The key factor here is trust. We trust our employees to handle sensitive information responsibly, keep passwords secure, and not abuse their access to internal systems. It can cause enormous damage when that trust is abused. In 2014, the Lotería de Puerto Rico was infiltrated with the help of an insider who had access to the servers, resulting in the loss of millions of dollars in prizes distributed against ticket revenue. This was orchestrated by a drug and gun cartel that used the lottery to launder money.
Sometimes insiders abuse their access for personal gain. In February 2022, a Sussex officer was caught using the National Police database to search for a woman he wanted to date. You’ve no doubt also heard of people installing cryptomining software on corporate machines to make money using corporate infrastructure (this obviously also raises the issue of unauthorized software running on the machines of the company).
The solution is to use zero trust. We “never trust, always verify”, and in this sense, our ML solutions look for threats everywhere. They don’t assume that a senior engineer is more trustworthy because they’ve been with the company for seven years, that’s not assuming anything. A threat can come from anywhere, so you want your cybersecurity solution to always be on the lookout for malicious activity, regardless of how a device or account behaved in the past.
ML can also be used to detect if too many permissions have been assigned to a user. If a user uses only certain features of a software, their permissions may be limited automatically or after human review to allow them access only to what they need. It would also be possible to detect inactive accounts and lock them automatically to prevent abuse. This is essential to reduce the impact of compromised credentials.
One of the easiest vectors to use to compromise a network is email. By using a malicious payload or through social engineering, a trusted user may have their device or credentials compromised unintentionally, allowing an attacker to misuse them. It’s all too common, and monitoring account activity for abuse is key to identifying and stopping these threats before they penetrate deeper into your infrastructure.
His learning improves over time
The most important advantage of ML lies in its name. ML algorithms improve over time as they observe and monitor your infrastructure. Instead of simply trying to block attacks, ML can detect and respond to them. Instead of assuming that malware on our systems will match a particular signature, ML can detect malicious processes and block any extraordinary network traffic from them. As we know, insider threats are also a possibility and ML can detect this abnormal behavior.
Past data can improve the accuracy of future predictions and determine what normal behavior looks like. A notable drawback of such use of ML is that it can be difficult to onboard new devices or new employees. Since there is no history of activity, it is difficult to determine what is “normal”. Therefore, there are two possible outcomes, either a false positive where the activity is mistakenly flagged as malicious, or a false negative where the activity is malicious and goes undetected. Most systems, for obvious reasons, will tend towards the former. This can be mitigated by creating “profiles” of different types of users – a new HR hire is likely to have a very different business model than someone in development.
Another emerging threat to consider is attacks perpetrated using ML, either alone or in conjunction with a human adversary. The machine could probe the network for open ports, identify any applications running on it, and then compare them with reported vulnerabilities so that the adversary (or sophisticated ML) can then attempt to exploit them. This type of attack can happen at machine speed and therefore requires a quick response, and ML can be used to adapt to these threats so that your network survives.
ML will continue to revolutionize cybersecurity in the future, just as it has changed so many areas of computing. Remember, however, that there is no magic bullet and that ML must be combined with more traditional security solutions. With a holistic mindset and keeping your practices and policies up to date, you have every chance of building a strong cybersecurity defense.