How AI and machine learning improve corporate cybersecurity

A recent study by Information Risk Management indicates that 86 percent of companies will work with artificial intelligence (AI) in the next five years. Used correctly, the technology also strengthens the defense against cyber attacks. Security analysts are currently overwhelmed by the growing number of attacks: more security-related data is collected, which in turn generates even more alerts, and the result is the well-known alert fatigue problem. At the same time, the industry lacks enough trained security analysts to work through those alerts. AI and machine learning (ML) can automate tedious tasks such as finding, assessing and responding to threats, which relieves the analysts who are inundated with alerts. Cybersecurity is a promising field for AI and ML because a great deal of data about the security environment is available and many attacks follow similar patterns.

AI uses algorithms to decide what to do in a given situation: the algorithm is a plan for how the computer should react to specific events. Such systems attempt to mimic human cognitive functions and search for a solution within a defined problem environment. ML goes one step further: instead of following hand-written rules, it derives its decision rules from data and from the outcomes of earlier decisions, and applies them to similar situations in the future.

Anomaly detection – unsupervised learning

Put simply, security means that a system can distinguish good from bad and normal from abnormal. Anomaly detection of this kind is based on unsupervised learning, a form of self-organized learning that finds previously unknown patterns in a dataset without any pre-existing labels. A system based on unsupervised learning learns what normal looks like and flags anything that deviates from it as an anomaly. As you might imagine, such systems generate many false positives, because much of what is statistically unusual is perfectly harmless: a backup server that moves large volumes of data at night is abnormal for the fleet but not a threat. Anomaly detection is good at spotting things that are different, but it cannot by itself reliably classify them as a security risk.

Supervised learning

In supervised learning, decisions are learned from a set of labeled data, where each label marks an example as benign or as a threat. A URL classifier is one such example. First, large datasets of known-good and known-bad URLs are used to train the classifier. The trained classifier is then applied to the URLs extracted from incoming e-mail and assigns each one a label indicating whether the target is benign or malicious. In general, a supervised learning algorithm analyzes the labeled data and produces a derived function that can be used to evaluate new, unseen data. The quality of that function depends on the labels: a classifier trained only on last year's phishing domains says little about domains registered this week.
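To make the URL-classifier workflow concrete, here is an added example (not code from the article or from any product it describes): a multinomial naive Bayes classifier over URL tokens, trained on a constructed handful of labeled URLs and then run over the URLs extracted from a constructed e-mail body. The training set, the e-mail text, the token features (including a marker for IP-address hosts) and the IP addresses (RFC 5737 documentation ranges) are all assumptions made for the illustration; a production classifier is trained on far larger and continuously refreshed label sets.

```python
import re
from collections import Counter
from math import log

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed training data (assumption for the example, not a real feed).
TRAINING = [
    ("https://www.example.com/about", "benign"),
    ("https://docs.example.com/handbook/index.html", "benign"),
    ("https://intranet.example.com/hr/policies", "benign"),
    ("https://mail.example.com/owa", "benign"),
    ("https://www.wikipedia.org/wiki/Phishing", "benign"),
    ("https://github.com/example/project", "benign"),
    ("http://203.0.113.5/secure-login/verify", "malicious"),
    ("http://example-com.verify-account.top/login", "malicious"),
    ("https://paypa1-secure.xyz/update/account", "malicious"),
    ("http://198.51.100.23/owa/login.php", "malicious"),
    ("http://free-gift.click/claim-now", "malicious"),
    ("https://microsoft-support-login.top/verify", "malicious"),
]


def tokenize(url):
    """Split a URL into lowercase alphanumeric tokens, plus a marker feature
    when the host is a bare IP address (a common phishing trait)."""
    url = url.lower()
    host = url.split("://", 1)[1].split("/", 1)[0]
    host = host.split("@")[-1].split(":")[0]        # drop userinfo and port
    tokens = re.findall(r"[a-z0-9]+", url)
    if IP_HOST_RE.match(host):
        tokens.append("__ip_host__")
    return tokens


class NaiveBayesUrlClassifier:
    """Multinomial naive Bayes with Laplace smoothing over URL tokens."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.token_counts = {"benign": Counter(), "malicious": Counter()}
        self.doc_counts = Counter()
        self.vocab = set()

    def train(self, labeled_urls):
        for url, label in labeled_urls:
            tokens = tokenize(url)
            self.token_counts[label].update(tokens)
            self.doc_counts[label] += 1
            self.vocab.update(tokens)

    def _log_posterior(self, tokens, label):
        total = sum(self.token_counts[label].values())
        denom = total + self.alpha * len(self.vocab)
        lp = log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for t in tokens:
            lp += log((self.token_counts[label][t] + self.alpha) / denom)
        return lp

    def classify(self, url):
        tokens = tokenize(url)
        scores = {lab: self._log_posterior(tokens, lab) for lab in self.token_counts}
        return max(scores, key=scores.get)


def label_email_urls(classifier, body):
    """Extract every URL from a mail body and label it (the derived function
    applied to unseen data)."""
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(body)]
    return [(u, classifier.classify(u)) for u in urls]


# Constructed e-mail body used as unseen input.
SAMPLE_MAIL = ("Please review https://intranet.example.com/hr/benefits/2024 and "
               "confirm your mailbox at http://192.0.2.77/secure-login/verify.php before Friday.")

CLASSIFIER = NaiveBayesUrlClassifier()
CLASSIFIER.train(TRAINING)

if __name__ == "__main__":
    for url, verdict in label_email_urls(CLASSIFIER, SAMPLE_MAIL):
        print(f"{verdict:9s} {url}")
```

The interesting part is not the arithmetic but what the model can and cannot know: tokens such as `login`, `verify` and the IP-host marker carry the decision, and a phishing URL built from tokens the training set never saw would be scored on the smoothed prior alone.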

Adaptive learning – the powerful combination

Supervised learning has proven more successful in security applications, but it requires easy access to large amounts of labeled data, which is very difficult to obtain for attacks such as advanced persistent threats (APTs) and zero-day attacks on enterprises: by definition there are few or no labeled examples of an attack nobody has seen before. Supervised ML therefore cannot simply be applied to every kind of cyber attack.

This is where unsupervised learning comes into play again. Combining unsupervised and supervised learning, referred to here as adaptive learning, improves the ability to detect APTs and zero-day exploits. Unlike pure supervised learning, which needs a large number of labeled attack cases, adaptive learning uses limited human guidance, for example an analyst's verdict on a handful of anomalies, to steer the direction or preference of the anomaly detection and produce more accurate results. This is what characterizes modern security monitoring systems that are expected to alert reliably and efficiently on real threats.
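The following added example (my own illustration, not the article's or any vendor's algorithm) shows the two stages described in the anomaly-detection and adaptive-learning sections together: an unsupervised step that flags hosts whose outbound traffic is far from a fleet-wide baseline, and a feedback step in which a few analyst labels steer which of those anomalies become alerts. The host names, traffic volumes, feature set (clipped z-score of bytes out, off-hours flag, new-destination flag), the nearest-neighbour rule and its distance cutoff are all constructed assumptions for the example.

```python
from math import sqrt
from statistics import mean, pstdev

# Constructed fleet-wide history of daily outbound bytes (one value per host-day).
HISTORY_BYTES = [120e6, 300e6, 250e6, 180e6, 400e6, 90e6, 350e6, 210e6]
BASE_MEAN = mean(HISTORY_BYTES)
BASE_STD = pstdev(HISTORY_BYTES)

ANOMALY_THRESHOLD = 5.0   # unsupervised score above which an event is a candidate
Z_CAP = 10.0              # clip extreme z-scores so one feature cannot dominate
MAX_NEIGHBOUR_DIST = 1.5  # how close a candidate must be to a labeled anomaly

# Event layout (constructed): (host, hour_of_day, bytes_out, is_new_destination)
DAY1 = [
    ("backup01", 2, 50e9, False),   # nightly backup burst: abnormal, but harmless
    ("ws-042", 3, 2e9, True),       # workstation exfiltrating to a new destination
    ("ws-017", 14, 200e6, False),   # ordinary daytime traffic
    ("ws-023", 11, 350e6, True),    # a little above average, new destination
]
DAY2 = [
    ("backup01", 1, 52e9, False),   # the same backup burst again
    ("ws-099", 23, 3e9, True),      # same pattern as the confirmed exfiltration
    ("ws-120", 10, 850e6, True),    # a pattern the analysts have not judged yet
]


def features(event):
    """Unsupervised feature vector: (clipped |z| of bytes, off-hours, new destination)."""
    _host, hour, bytes_out, new_dst = event
    z = abs(bytes_out - BASE_MEAN) / BASE_STD
    off_hours = 1.0 if hour < 6 or hour >= 22 else 0.0
    return (min(z, Z_CAP), off_hours, 1.0 if new_dst else 0.0)


def anomaly_score(event):
    return sum(features(event))


def find_anomalies(events):
    """Unsupervised step: anything far from the fleet baseline is a candidate."""
    return [e for e in events if anomaly_score(e) > ANOMALY_THRESHOLD]


def nearest_label(feat, labeled, max_dist=MAX_NEIGHBOUR_DIST):
    """Adaptive step: 1-nearest-neighbour against the few analyst-labeled anomalies.
    Candidates that resemble nothing the analysts judged stay 'unknown'."""
    best = None
    for lab_feat, label in labeled:
        d = sqrt(sum((a - b) ** 2 for a, b in zip(feat, lab_feat)))
        if best is None or d < best[0]:
            best = (d, label)
    if best is None or best[0] > max_dist:
        return "unknown"
    return best[1]


def triage(events, labeled):
    """Return (host, verdict) for every unsupervised candidate."""
    return [(e[0], nearest_label(features(e), labeled)) for e in find_anomalies(events)]


def alerts(events, labeled):
    """Only candidates not recognised as a known-benign pattern reach the analyst."""
    return [host for host, verdict in triage(events, labeled) if verdict != "benign"]


# Day 1: pure anomaly detection, no guidance yet -> backup01 is a false positive.
# Day 2: the analyst has labeled the two day-1 candidates (constructed feedback).
ANALYST_LABELS = [(features(DAY1[0]), "benign"), (features(DAY1[1]), "malicious")]

if __name__ == "__main__":
    print("day 1:", triage(DAY1, []))
    print("day 2:", triage(DAY2, ANALYST_LABELS))
    print("day 2 alerts:", alerts(DAY2, ANALYST_LABELS))
```

Two labels are enough to silence the recurring backup false positive and to rank a repeat of the confirmed exfiltration pattern first, while the unjudged ws-120 pattern is still surfaced rather than silently dropped. That last behaviour is the caveat a practitioner cares about: feedback must suppress only what an analyst has actually seen, or the model learns to hide the next unknown.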

Correlation of different points

One of the big problems with simply detecting anomalies is the number of false positives. And even when the results are accurate, a security analyst lacks the context to assess the impact on the security posture and take appropriate action. In addition, more and more data sources are being added, which complicates the task further. To solve these problems, security monitoring must automatically correlate several events (points) and only then assess whether they add up to a cyber attack. For example, one point could be an executive logging on to the network at 11 PM. On its own this is a security-relevant signal, but not enough to trigger an alarm. If, however, the executive logs in at 11 PM from an IP address in Russia or China, having logged out in Switzerland only a few hours earlier, an alert is justified: three related points now combine to provide the context that this is most likely an account takeover, since the two sessions originate from places the same person could hardly have travelled between in that time (the so-called impossible-travel check).
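The correlation just described, as an added example that is not part of the original article: a small detector that replays a constructed authentication log, keeps the last known country per user, and combines three points (off-hours login, country change, too little time since the last activity in the previous country) into one alert. The log format, user names, RFC 5737 documentation IP addresses, the upstream country geolocation, the 22:00 to 06:00 off-hours window and the six-hour travel threshold are all assumptions for the example; timestamps are treated as UTC, whereas a real deployment would evaluate "11 PM" in the user's local time zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed authentication log (not real data). Country is assumed to have
# been added by an upstream geolocation step.
SAMPLE_LOG = """\
2024-03-03T08:00:00Z user=carol action=login src=192.0.2.33 country=CH
2024-03-04T16:10:00Z user=alice action=login src=192.0.2.10 country=CH
2024-03-04T19:05:00Z user=alice action=logout src=192.0.2.10 country=CH
2024-03-04T23:02:00Z user=alice action=login src=203.0.113.7 country=RU
2024-03-04T23:30:00Z user=bob action=login src=198.51.100.5 country=CH
2024-03-05T09:00:00Z user=carol action=login src=203.0.113.20 country=DE
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>login|logout) src=(?P<src>\S+) country=(?P<country>[A-Z]{2})$"
)

OFF_HOURS_START, OFF_HOURS_END = 22, 6   # assumed business-hours boundary (UTC here)
MIN_TRAVEL = timedelta(hours=6)          # assumed minimum plausible travel time
ALERT_AT = 3                             # points needed before an alert fires


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"],
            "src": m["src"], "country": m["country"]}


def is_off_hours(ts):
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def score_logins(lines):
    """Return (user, timestamp, reasons) for every login, where each reason is
    one correlated point. A single point alone never reaches the alert level."""
    last_seen = {}   # user -> most recent event of any kind
    scored = []
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        if ev["action"] == "login":
            reasons = []
            if is_off_hours(ev["ts"]):
                reasons.append("login outside business hours")
            prev = last_seen.get(ev["user"])
            if prev and prev["country"] != ev["country"]:
                reasons.append(f"country changed {prev['country']} -> {ev['country']}")
                gap = ev["ts"] - prev["ts"]
                if gap < MIN_TRAVEL:
                    reasons.append(f"only {gap} since last activity in "
                                   f"{prev['country']} (impossible travel)")
            scored.append((ev["user"], ev["ts"], reasons))
        last_seen[ev["user"]] = ev   # logouts count as presence too
    return scored


def correlate(lines, alert_at=ALERT_AT):
    """Alerts are logins whose correlated points reach the threshold."""
    return [s for s in score_logins(lines) if len(s[2]) >= alert_at]


if __name__ == "__main__":
    for user, ts, reasons in score_logins(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:6s} points={len(reasons)} {reasons}")
    print("alerts:", [(u, t.isoformat()) for u, t, _ in correlate(SAMPLE_LOG)])
```

Bob's 23:30 login scores one point and stays quiet, Carol's country change after two days scores one point, and only Alice's Russian login four hours after a Swiss logout collects all three. Note that the logout event matters: without recording it, the detector would have to compare against the earlier 16:10 login and the travel gap would look longer.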

Best practice at the University of Zurich

With more than 25,000 students, the University of Zurich is the largest university in Switzerland. Because of the constant growth of its IT environment and a shortage of staff, a new IT security platform was essential. The university's centralized IT security service supports all areas and departments, each with its own challenges. Exactly this complexity and the differing needs were the reason why a large part of the security monitoring had to be automated using AI.

The security monitoring platform now in place collects data from across the attack surface, correlates seemingly unrelated events and analyzes them, so that it can determine whether an alert is a false alarm or a real threat. Even in the university's very complex IT environment, threats that would be very difficult to detect with conventional tools are detected reliably. Automatic prioritization of alerts on the platform makes analysis much more productive and allows real threats to be remediated much faster.

Cost reduction thanks to efficient monitoring

Despite the important task of protecting all university facilities from a wide variety of threats, this has to work efficiently and with a small team of specialists. The platform makes that work much more productive, which saves time and money. Analysts who would otherwise spend days or weeks tracking down a threat can now do so in minutes thanks to AI. Furthermore, AI-based automation allows the responsible IT manager to be informed in real time about security-relevant events in his area of responsibility and to initiate the first countermeasures. This provides 24/7 coverage without round-the-clock staffing.

If you want to read more about cybercrime and cybersecurity, sign up for the weekly Swisscybersecurity.net newsletter. The portal provides daily news about current threats and new defense strategies.