Automated cyberattacks present IT security organizations with extraordinary challenges. Malicious actors are leveraging artificial intelligence (AI) and machine learning (ML) to launch new attacks with breathtaking scale and frequency. Check Point Research reports that organizations worldwide experience an average of 1,200 attacks per week.
The effort required to track, investigate and mitigate that many threats is more than most security teams can reasonably be expected to handle. To effectively counter these attacks, organizations must fight fire with fire by incorporating AI and ML capabilities into their security frameworks in order to automate repetitive tasks and minimize human intervention.
The best way to incorporate automation is with security orchestration, automation and response (SOAR), a framework for automating workflows and orchestrating multiple security technologies using API connectors. This unified framework can ingest and correlate vast amounts of threat intelligence from the network, subscription services and other sources in order to learn the difference between normal and suspicious network activity.
A key to this strategy is the use of gathered intelligence to create “adversary playbooks” that document the behaviors and methodologies used in cyberattacks. Once information about an attack’s tactics, techniques and procedures (TTPs) is fed into the AI-powered SOAR system, it can recognize the attack pattern in progress and interrupt it by anticipating and shutting down the next step in the attack sequence.
Over time, ML-trained systems will become increasingly familiar with threat characteristics and won’t have to wait until the network is under attack to respond effectively. Remote learning nodes placed at the edges of the network act as reconnaissance sensors, identifying threat attributes such as code artifacts or payloads as part of an early warning system that enables proactive intervention.
For example, Fortinet developed a playbook that organizations were able to use to thwart Emotet, a notorious banking trojan that evolved into one of the world’s largest email spamming botnets. It’s estimated that Emotet infected more than 1.6 million computers and caused hundreds of millions of dollars in damage before being taken down in 2021 by international law enforcement agencies.
The playbook described the Emotet infection process and its behavior after it infected a targeted device. Once that information was fed into AI-powered security fabrics, the system could automatically launch a variety of protective measures, such as blocking email attachments or IP addresses commonly associated with malware.
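To make the playbook idea concrete, here is an added example (not Fortinet's or any vendor's code) of a minimal SOAR-style playbook in Python. It quarantines suspicious attachments, blocks connections to listed IPs and, when a host that received a flagged attachment later reaches a listed IP, isolates that host to cut off the next step of the sequence. All indicators, hashes, hostnames and events are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed threat intel (placeholder values, not real indicators).
INTEL_IPS = {"198.51.100.23", "203.0.113.77"}
INTEL_HASHES = {"PLACEHOLDER_SHA256_AAAA", "PLACEHOLDER_SHA256_BBBB"}
MACRO_EXTENSIONS = (".docm", ".xlsm", ".doc", ".xls")


@dataclass(frozen=True)
class Action:
    kind: str      # quarantine_attachment, block_ip or isolate_host
    target: str
    reason: str


class Playbook:
    """Stateful playbook: remembers which hosts received a flagged attachment so a
    later connection from that host to a listed IP escalates to host isolation."""

    def __init__(self) -> None:
        self.suspect_hosts: set[str] = set()

    def handle(self, event: dict) -> list[Action]:
        actions: list[Action] = []
        if event["type"] == "email":
            name = event.get("attachment", "").lower()
            if event.get("sha256") in INTEL_HASHES or name.endswith(MACRO_EXTENSIONS):
                actions.append(Action("quarantine_attachment", name,
                                      "attachment matches intel or is macro-capable"))
                self.suspect_hosts.add(event["host"])
        elif event["type"] == "connection":
            dst = event["dst_ip"]
            if dst in INTEL_IPS:
                actions.append(Action("block_ip", dst, "destination on threat intel list"))
                if event["host"] in self.suspect_hosts:   # attachment, then C2-listed contact
                    actions.append(Action("isolate_host", event["host"],
                                          "flagged attachment followed by listed connection"))
        return actions


def run(events: list[dict]) -> list[Action]:
    """Feed normalized events through one playbook instance in order."""
    playbook = Playbook()
    actions: list[Action] = []
    for event in events:
        actions.extend(playbook.handle(event))
    return actions


# Constructed sample events (placeholder telemetry).
SAMPLE_EVENTS = [
    {"type": "email", "host": "ws-17", "attachment": "invoice.docm", "sha256": "PLACEHOLDER_SHA256_ZZZZ"},
    {"type": "email", "host": "ws-02", "attachment": "agenda.pdf", "sha256": "PLACEHOLDER_SHA256_YYYY"},
    {"type": "connection", "host": "ws-02", "dst_ip": "192.0.2.10"},
    {"type": "connection", "host": "ws-17", "dst_ip": "198.51.100.23"},
]

if __name__ == "__main__":
    for action in run(SAMPLE_EVENTS):
        print(action)
```

Running the sample yields three actions: the macro-capable attachment on ws-17 is quarantined, the listed destination is blocked, and ws-17 is isolated because both steps occurred on the same host.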
The use of playbooks and security automation enables a fundamental shift in cybersecurity practices. For years, security has been a reactive process designed to minimize the damage from attacks after they’ve occurred. Increased automation enables organizations to actively hunt for threats, using threat intelligence to find and disrupt threats in advance of an attack.
A proactive approach to threat detection will only become more valuable as organizations continue to blur the network perimeter. Cybercriminals are increasingly targeting edge networks, remote workers, cloud applications, IoT devices and other resources that lack the robust security of core networks. Automated security solutions can regularly query these dispersed resources to identify potential threats as well as any configuration, patching or upgrade requirements.
Conventional security measures requiring human interaction to respond to attacks after the fact are no longer practical. The scale, frequency and sophistication of modern threats call for increased use of automation. Give us a call to learn more about using AI and ML to build a smarter cybersecurity environment for your organization.