
Thoughts from Black Hat on Threat Intelligence and Automation

By Derek Manky | July 27, 2017

The biggest trend in security today seems to be information sharing. Everyone agrees that sharing threat intelligence is key to detecting and stopping attacks. The challenge isn’t that there aren’t enough sources for threat intelligence, but that there is simply too much information being generated, and that includes far too much redundancy. What we need is an ecosystem to vet and process the information first – an information exchange and clearing house – like the Cyber Threat Alliance (CTA) that Fortinet helped establish back in 2014.

But that’s just the front half of the problem. Even if threat data has been de-duplicated and processed, what do you do with it when you get it? Organizations usually have far too many security tools that are not interoperable. This makes information much less actionable because once it is received, it has to be manually fed and correlated across multiple devices.

The process needs to be automated. Even if you solve the problem of interoperability through the adoption of open standards, you also need to automate the process of feeding that intelligence into your devices. Which is why we are hearing so much about machine learning.

But machine learning is still only part of the solution. What if you need to do something with all that great intelligence, like coordinate a response between devices to a sophisticated attack that your machines have learned about? How do you do that? Even supposing that your devices can talk to each other, and you have implemented machine learning to consume threat intelligence, what tools are available to launch a coordinated response to a threat?

Machine learning is only part of the artificial intelligence (AI) story. Active response using AI, woven across all security tools, is critical when receiving threat intelligence. It’s what I call an expert system. It’s capable of applying intelligence to actionable information to and between different security and network devices, as well as across different network segments and ecosystems.

What is needed are expert systems, driven by AI, that are capable of ingesting, processing, and acting on threat intelligence on their own, without waiting for human intervention. When properly deployed, AI can establish an artificial neural network capable of reinforced learning cycles that can solve increasingly sophisticated problems over time. Of course, this isn’t a new concept. Alan Turing saw the need for a seeded solution set of accurate or known potential output. Only now are concepts of artificial neural networks (ANNs) being applied to modern cyber security solutions.

And the timing couldn’t be more critical, since it is required to stay on level ground with black hats as they adopt this technology themselves. We are already seeing more and more automation being built into cybercriminal attack technology. What this means is that the time to respond to a cyber attack is shrinking drastically. Ten years ago, taking weeks or days to respond to a cyber attack was adequate. Today, we have begun to measure the time needed to respond in minutes (less than an hour). In the future, we will start measuring this in seconds. Humans cannot operate on this level, which is why developing security AI is crucial. We need to be able to respond at machine speed to the threat of cyber attack.

Effective AI for network security needs to combine machine learning and deep learning to effectively spot malicious patterns of activity using big data sets derived from analyzing viruses, network traffic, and so forth. Let’s define some terms here. Machine learning is how devices learn the malicious traits and features of attacks. It is simply a learning process, and there are various types of machine learning, including supervised approaches where humans and machines work side by side. Deep learning requires analysis at more layers (thinking further ahead in the future), so it is amplified; however, it requires much more computing power.

Once a malicious pattern has been detected, actionable intelligence then needs to be applied to a response. The combination of detection + application using automation is what we at Fortinet refer to as an expert system. In spite of all the hype around machine learning, it will not benefit the industry unless it is applied to an expert system. We have been pioneers and leaders in this approach, creating the first real expert system through the Fortinet Security Fabric that integrates AI with automated defense.

Our first iteration of this was achieved in our FortiGuard Labs environment, where we have built a supercomputer composed of billions of active nodes, divided into different functions. This system extracts features from viruses and other advanced attack patterns and converts them into actionable intelligence and threat updates that we feed to millions of Fortinet security products deployed by customers across the globe. This not only makes the detection of threats faster and more accurate, it significantly shortens the time between detection and response.

Which is why this same approach is also part of our Self-Evolving Detection Systems (SEDS), which is now part of our FortiGuard security solutions. It combines deep learning with both local and global threat intelligence to create proactive threat signatures and provide active, predictive security intelligence and response.

When deployed at the enterprise as part of the Fortinet Security Fabric, SEDS provides advanced, automated security intelligence that can be distributed across the extended network. It enables autonomous response to threats detected anywhere – not just at a single node, but as a coordinated effort leveraging security tools integrated across the entire distributed fabric.

The big questions are how do enterprises leverage the technologies they have today, like threat intelligence platforms, and build processes around them in order to be more proactive? And how do they then begin to create expert systems that can learn and respond to threats at machine speeds?

The Fortinet Security Fabric was designed for this purpose. It is a model of the type of expert system that organizations will need to design and deploy as they deal with an expanding network of devices and ecosystems processing growing volumes of data at accelerating speeds.