Industry Trends

Utilizing AI and Machine Learning to Defend Against Today’s Threats

FortiGuard Labs’ recent threat report shows some important takeaways about the threat landscape. From evolving variants to destructive attacks, the threat landscape continues to evolve at a face pace in a heightened threat environment. Fortinet’s Joe Robertson, Ricardo Ferreira, and Daniel Kwong offer their perspectives on the threat landscape today and some of the unique challenges around stopping more sophisticated threats. They also offer their views from the field about machine learning and AI-based security technology adoption as they become a necessity across the endpoint, cloud, and network to better capture the rapid changes in the threat landscape and help organizations triage and prioritize security incidents.

Cyber adversaries are moving faster, getting more sophisticated and more destructive. What does this mean for CISOs today?

Joe: The key message is that more and more; time is of the essence. Surveys are still showing that the average dwell time – the amount of time an attacker is present in the network before either acting or being discovered – is in the range of 6 months. This is a huge threat to the organization. CISOs need to move past the previous focus on preventing access by attackers and start assuming they have already been breached and put emphasis on detection tools. This includes deception technology, but also artificial intelligence and machine learning tools to sift through, correlate, and extract threat information from the masses of data collected by today’s cybersecurity tools.

Ricardo: For CISO's it means a re-evaluation of their cybersecurity posture (identification, detection, protection, response, recovery) aligned to the business by ensuring the impact analysis is updated and key areas are prioritized accordingly. Secondly, organizations need to invest in building training programs to build expertise on machine learning, API security, and DevSecOps for example. Also organizations need to evaluate security policies and make sure they are congruent as over time policies shift with long-established goals.

Daniel: Organizations are rapidly transforming their systems which are bringing in new risks. The record high number of 0-days discovered in 1H 2022 shows that the security team may not have full visibility of the long-term impact that their organization's new technology will have on its defenses. However, organizations are likely to continue using these technologies regardless of potential security risks.

How can organizations leverage AI and machine learning to protect against today’s advanced threats?  

Joe: Automated cybersecurity assistance is not an all-or-nothing proposition. You can add capabilities gradually, starting with, for example, creating orchestration and what-if scenarios in an analysis tool such as a SIEM or SOAR, and then adding more sophisticated facilities. One key will be to have staff with some skills in AI and machine learning, so training should be an early priority. This sort of training can also be a good staff motivator and part of a career plan. Managers are keen to find ways to retain staff; training in modern skills can be a very positive leverage point.

Ricardo: Any organization will benefit from using solutions that leverage AI and machine learning models to detect known and unknown threats, but where an organization can differentiate is leveraging AI for quick security decision-making. While there are no silver bullets, and AI is not one, it can enhance cybersecurity at scale by providing the required agility to respond to an ever-changing threat landscape.

Daniel: AI technology enables malware campaigns to generate dynamic attack scenarios such as spear phishing with different combinations of techniques to target an organization's system, especially on defense evasion tactics. However, AI technologies also provide an effective way to counter-attack, by learning the pattern of these attacks. For the foundational step, the organization should look at the endpoint and sandboxing solution that is equipped with AI technology for the effective countermeasure.

"Any organization will benefit from using solutions that leverage AI and machine learning models to detect known and unknown threats, but where an organization can differentiate is utilizing AI for quick security decision-making."

Where across the attack chain or attack surface are AI and machine learning critical? 

Joe: AI and machine learning can be useful anywhere, but it is important to prioritize and start where you can get the most bang for your buck. This will vary by organization. If you are large enough to have a SOC, you probably already know that your staff is running at full speed most of the time, so putting in place automated assistance can free them up from routine and mundane tasks to focus on areas where their analytical skills can be put to use in ways machines cannot touch. On the other hand, in another organization, putting in place intelligent analysis at the endpoints, such as an AI-based Endpoint Protection and Response (EDR) system, can provide enormous peace of mind, since it protects the point where the possibility of human error is most exposed.

Ricardo: I would say that AI can be used throughout the attack chain, the specific requirements where it will provide more value will depend on the organization and its challenge. Nonetheless, one pattern I've seen in successful organizations adopting AI is at the SoC level as Joe mentioned, especially as teams are fatigued by alerts. AI in this context can provide much-needed help as a "virtual analyst" to help triage and alleviate some of the most pressing issues in a tier 1 SoC by reducing the raw events that need to be processed and, in turn, reduce the time to detect.

Daniel: The report shows that 59.2% of hacker tactics use defense evasion to penetrate the organization's system. The first key area to adopt AI is to deploy AI-enabled endpoint technology such as EDR to provide full visibility of activities of the system process. Another key area in adopting AI is to assist automate security policy configuration, compliance monitoring, and threat and vulnerability detection and response to reduce the amount of alert fatigue.

What are some AI and machine learning challenges CISOs should be aware of?

Joe: The big issue with AI and machine learningis the same problem that has haunted IT since its inception: garbage in, garbage out. These tools are only as good as the data sets that go into training them. So, it is important to look at where your data sets are coming from. Ideally, you want to be training off of billions of data points coming from millions of devices around the world. This is the scale you find, for example, at FortiGuard Labs, dealing with over 100 billion events per day and over 6 million devices.

Ricardo: Understanding that AI/ML are not silver bullets, but getting some basics right goes a long way:

  • Being aware that the data needs to be of good quality, such as normalization across fields. Understanding there could be adversarial inputs into the data that support the AI/ML algorithms.
  • Getting resources with the right skills. Algorithms are becoming smarter, but experts are more important, especially as there is a clear trend in requiring explanation of AI algorithms outputs.

Daniel: The challenge is that if an organization does not deploy AI correctly, it will learn incorrect information. Therefore, it is important to select AI cybersecurity technologies that are supported by good global threat intelligence data. Moreover, CISOs should also understand their organizational system in the cyber kill chain and deploy AI solutions in the attack chain to stop these threats.

How can services such as digital risk protection service (DRPS) complement proactive cyber defense strategies?

Joe: I sometimes compare DRPS to a 360° evaluation at work, where you ask a number of your co-workers to evaluate your strengths, weaknesses, and other qualities. Getting a view from the outside gives you a better idea of what you need to do inside. DRPS is looking at your environment from the point of view of the attacker. It won’t find any holes an attacker couldn’t also find – but hopefully, the DPRS will find them first.

Ricardo: As organizations traditionally turn inwards regarding their security posture and perceived risk, DRPS helps organizations understand and quantify external risk from non-traditional sources such as the deep and dark web to mitigate underground and imminent threats to their brand. As any organizational brand is a strategic business-building block closely associated with ROCI, it's only sensible to mitigate the risk traditional security controls cannot.

Daniel: Most of the cyber defense technology focuses on discovering and protecting against the threat from an organization's internal view. Digital risk protection services complement traditional tools by providing an external attacker's perspective of an organization's true attack surface. It enables security team analysts and threat researchers to discover assets that belong to their organization and which might hide undetected.  It also helps them to identify active campaigns from the dark web and provide branding protection against threat actors targeting their employees.

Find out how Fortinet integrates AI and machine learning capabilities across our Security Fabric to detect, identify, and respond to threats at machine speed.