Security strategies need to undergo a radical evolution. Tomorrow’s security devices will need to see and interoperate with each other to recognize changes in the networked environment, anticipate new risks and automatically update and enforce policies. The devices must be able to monitor and share critical information and synchronize responses to detected threats.
Sound futuristic? Not really. One nascent technology that has been getting a lot of attention recently, lays the foundation for such an automated approach. It’s called Intent-Based Network Security (IBNS). IBNS provides pervasive visibility across the entire distributed network, and enables integrated security solutions to automatically adapt to changing network configurations and shifting business needs with a synchronized response to threats.
These solutions can also dynamically partition network segments, isolate affected devices and remove malware. New security measures and countermeasures can also be provisioned or updated automatically as new devices, workloads and services are deployed or moved from anywhere to anywhere in the network, from endpoints to the cloud. Tightly integrated and automated security enables a comprehensive threat response far greater than the sum of the individual security solutions protecting the network.
Artificial intelligence and machine learning are becoming significant allies in cybersecurity. Machine learning will be bolstered by data-heavy Internet of Things devices and predictive applications to help safeguard the network. But securing these “things” and that data, which are ripe targets or entry points for attackers, is a challenge in its own right.
One of the biggest challenges of using AI and machine learning lies in the caliber of intelligence. Cyber threat intelligence today is highly prone to false positives due to the volatile nature of the IoT. Threats can change within seconds; a machine can be clean one second, infected the next and back to clean again full cycle in very low latency.
Enhancing the quality of threat intelligence is critically important as IT teams pass more control to artificial intelligence to do the work that humans otherwise would do. This is a trust exercise, and therein lies the unique challenge. We as an industry cannot pass full control to machine automation, but we need to balance operational control with critical exercise that can escalate up to humans. This working relationship will truly make AI and machine learning applications for cybersecurity defense effective.
Because a cybersecurity skills gap persists, products and services must be built with greater automation to correlate threat intelligence to determine the level of risk and to automatically synchronize a coordinated response to threats. Often, by the time administrators try to tackle a problem themselves, it is often too late, causing an even bigger issue, or more work to be done. This can be handled automatically using direct intelligence sharing between detection and prevention products, or with assisted mitigation, which is a combination of people and technology working together. Automation can also allow security teams to put more time back into business-critical efforts instead of some of the more routine cybersecurity management efforts.
In the future, AI in cybersecurity will constantly adapt to the growing attack surface. Today, we are connecting the dots, sharing data and applying that data to systems. Humans are making these complex decisions, which require intelligent correlation through human intelligence. In the future, a mature AI system could be capable of making complex decisions on its own.
What is not attainable is full automation; that is, passing 100 percent of control to the machines to make all decisions at any time. Humans and machines must work together. The next generation of situation-aware malware will use AI to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, and intelligently evading detection.
Just as organizations can use artificial intelligence to enhance their security posture, cybercriminals may begin to use it to build smarter malware. This is precisely why a security fabric approach is needed — security solutions for network, endpoint, application, data center, cloud and access working together as an integrated and collaborative whole — combined with actionable intelligence to hold a strong position on autonomous security and automated defense.
In the future, we will have attacker/defender AI scenarios play out. At first, they will employ simple mechanics. Later, they will play out as intricate scenarios with millions of data points to analyze and address. However, at the end of the day, there is only one output: whether a compromise occurred or not.
Threats are getting smarter and are increasingly able to operate autonomously. In the coming year, we expect to see malware designed with adaptive, success-based learning to improve the success and efficacy of attacks. This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and make calculated decisions about what to do next. In many ways, malware will begin to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, and intelligently evading detection.
This next generation of malware uses code that is a precursor to artificial intelligence, replacing traditional “if not this, then that” code logic with more complex decision-making trees. Autonomous malware operates much like branch prediction technology, which is designed to guess which branch of a decision tree a transaction will take before it is executed. A branch predictor keeps track of whether or not a branch is taken, so when it encounters a conditional jump that it has seen before, it makes a prediction so that over time, the software becomes more efficient.
Autonomous malware, as with intelligent defensive solutions, is guided by the collection and analysis of offensive intelligence, such as types of devices deployed in a network segment, traffic flow, applications being used, transaction details, or time of day transactions occur. The longer a threat can persist inside a host, it will be that much better able to operate independently, blend into its environment, select tools based on the platform it is targeting and, eventually, take counter-measures based on the security tools in place.
We as an industry also will see the growth of cross-platform autonomous malware designed to operate on and between a variety of mobile devices. These cross-platform tools, or “transformers,” include a variety of exploit and payload tools that can operate across different environments. This new variant of autonomous malware includes a learning component that gathers offensive intelligence about where it has been deployed, including the platform on which it has been loaded, then selects, assembles and executes an attack against its target using the appropriate payload.
Transformer malware is being used to target cross-platform applications with the goal of infecting and spreading across multiple platforms, thereby expanding the threat surface and making detection and resolution more difficult. Once a vulnerable target has been identified, these tools can also cause code failure and then exploit that vulnerability to inject code, collect data and persist undetected.
Autonomous malware, including transformers that are designed to proactively spread between platforms, can have a devastating effect on our increasing reliance on connected devices to automate and perform everyday tasks. Efforts to analyze data for competitive business insights will be hampered. Overcoming these challenges will require highly integrated and intelligent security technologies that can see across platforms, correlate threat intelligence and automatically synchronize a coordinated response. Artificial intelligence and machine learning will prove invaluable in this role, ultimately enabling the vision of Intent-Based Network Security (IBNS) that can automatically translate business requirements and apply them to the entire infrastructure.
A version of this article originally appeared in Dark Reading.