THE LIMITATIONS OF AI: WHY HUMAN LOGIC MATTERS

WHITEPAPER © 2019 BTB SECURITY ALL RIGHTS RESERVED BTBSECURITY.COM

Date post: 20-Aug-2020

EXECUTIVE SUMMARY

Effective security requires both cutting-edge technology and highly qualified human beings. Artificial intelligence (AI), machine learning and data analytics are increasingly being used in cybersecurity, but they are not panaceas. The key is knowing how to use these tools in combination with the best people. Without cyber security expertise, companies can spend a lot of money on the latest and greatest technology, yet still not achieve a better security posture.

This white paper explains how BTB Security’s Managed Detection & Response – Rapid Advanced Detection and Response (RADAR) – combines the best of both worlds – machine and human – to deliver reliable and cost-effective cyber protection.
INTRODUCTION

Hardly a day goes by without a report that AI and machine learning have automated something new. From smart speakers in the home to autonomous driving on the road, these technologies are revolutionizing the world. It’s no different in IT security.

“AI-enabled response to cyber threats is the new frontier in cybersecurity,” says a recent Capgemini Research Institute report [1] based on a survey of IT security executives. Some 69 percent of respondents worldwide think AI will be necessary to respond to cyberattacks; among U.S. respondents, the percentage shoots up to 83.

It’s worth noting that Capgemini surveyed only the largest enterprises. The 850 executives polled (in seven different industries across 10 countries) came from companies with revenues ranging from $1 billion to over $50 billion. That doesn’t mean small and midsized organizations can’t leverage these technologies. However, they may be more likely to get the benefits by using a managed IT security service that incorporates AI and machine learning.

BTB’s RADAR does that. It is a complete end-to-end threat detection and response platform and service that BTB designed and developed from the bottom up. It grew directly out of BTB’s experience with SMB customers.

THE SERVICE IS BASED ON THREE KEY PILLARS:

1. Capture and analyze all meaningful security information in the organization, including data from network devices, security appliances, servers, end-user devices and applications.

2. Take the hacker’s perspective: Focus on how attackers operate.

3. Employ highly qualified security experts to investigate and mitigate threats.

THE CREATION OF RADAR

To appreciate the capability of RADAR, it helps to know BTB Security’s story. The company was founded in 2006 by three information security specialists. As they began providing security assessments and recommendations to their clients, they were surprised and frustrated when clients did not follow their advice. Despite BTB’s recommendations, systems and applications were left unpatched, IT was using default configurations and passwords, and all too often the company had not installed monitoring systems, says Matt Wilson, BTB’s Chief Information Security Advisor.

BTB faced the reality that SMBs usually don’t have the time or the manpower to devote to IT security. Despite wanting to strengthen their security posture, IT was too busy supporting the business. As a result, following up on BTB’s recommendations fell by the wayside.

Then, in 2013, BTB was tasked with helping a mid-market financial company that had experienced a breach. BTB’s experts approached the challenge from a hacker’s perspective. “We took a proactive approach,” says Wilson. “We asked ourselves: How would we stop BTB from breaking in?”

The success of BTB’s detection and remediation so impressed the finance company that it asked them to stay and just continue the service. “We had built the basis for RADAR without even realizing it,” says Ron Schlecht Jr., founder and managing partner of BTB Security. “We soon operationalized it as a service and have continued to improve it ever since.”

[1] Reinventing Cybersecurity with Artificial Intelligence: The new frontier in digital security, Capgemini Research Institute, 2019

THE MACHINE ELEMENT

It seems obvious that you must be able to see what’s going on across all your systems in order to have good security. But many companies have acquired a collection of point solutions – products that monitor only particular systems or that are designed for the security needs of a particular vertical industry. The problem is, even with best-of-breed products, these solutions usually do not work together to provide a comprehensive view of your organization. What’s more, point solutions can be expensive, and many include features you either don’t need or that duplicate what you already have.

Other managed service providers are limited in the information they collect and the systems they monitor. They ignore massive amounts of data produced by your network, systems and apps. RADAR uses all of that data. “We’ll process everything we can get our hands on,” says Ron Schlecht Jr., founder and managing partner of BTB Security. “Visibility and correlation are paramount to our service mission.”

BTB’s experienced team works with you to make sure RADAR covers 100 percent of the data sources that produce meaningful security data. They will even develop custom scripts to connect specific, internally developed or proprietary systems or apps to the platform.

As RADAR processes your data, the system establishes a baseline of “normal” activity for your organization. Even at the beginning, however, RADAR proves its mettle. “No matter what security tools a client has been using, we typically find the first incident on the first day of deployment,” says Schlecht.

A typical RADAR implementation takes six weeks (to cover everything) and ingests data from 500 different sources on average. After establishing what’s normal for your company, it continues to update and refine the baseline on an ongoing basis. The machine is constantly learning from the data and refining how it detects anomalies.

HOW AI CAN IMPROVE CYBERSECURITY

Among the IT executives at the large companies Capgemini polled:

Three out of four executives said using AI allows their organization to respond faster to breaches.

Three in five said AI improves the accuracy and efficiency of cyber analysts.

A majority said that AI lowers the cost of detecting and responding to breaches by 12 percent, on average.

73 percent said they were testing use cases for AI in cybersecurity, and 28 percent were using security products with embedded AI.

Source: Capgemini Report

AVERAGE SALARY COSTS FOR IN-HOUSE CYBERSECURITY TEAM

Role                              Share of total   Annual cost
Tier 1: Analyst                   12%              $40.8K
Tier 2: Analyst                   14%              $47.6K
Tier 3: Analyst / Threat Hunter   17%              $57.8K
Forensic Specialist               19%              $64.6K
Malware Engineer                  17%              $57.8K
SOC Manager                       21%              $71.4K
Total staff costs                 100%             $340K

THE HUMAN ELEMENT

The capabilities of RADAR range from applying simple logic rules – if it detects a number of failed log-in attempts over a short time span, for example, then it sends an alert – to more complex machine learning and AI. But the “intelligence” in the latter is still rudimentary. It will flag things, but cannot put them into context in order to gauge their importance.

That’s where human beings play a critical role. RADAR’s team of cybersecurity experts examines these alerts and determines which indicate real and present dangers.

The combination of machine and human intelligence is particularly valuable for SMBs. First, these organizations typically are very lean. Their IT staffs have their hands full without having to field hundreds of alerts a day. In fact, IT probably ignores log data it already has simply because there’s no time to deal with it. Remember all those point solutions? Each one is different and takes time to manage, not to mention trying to correlate data among them. Plus, IT and cybersecurity are different disciplines. IT professionals have an “availability-first” mindset. They are trained to keep everything up and running. Cyber analysts consider security first.

Second, even if a company has the budget to hire cybersecurity professionals, a severe talent shortage makes them hard to find. (ISC)² – the world’s largest nonprofit association of certified cybersecurity specialists – says there is a gap of almost 3 million cybersecurity professionals globally. In a survey by the Enterprise Strategy Group and the Information Systems Security Association (ISSA), two-thirds of respondents said the cyber skills shortage has increased the workload of their existing IT staff. Some 47 percent of respondents said that increases in workload left them little or no time to learn and use security technologies to their full potential. [3]

Even the largest companies have trouble finding talent, and they recognize that they need to use the specialists they do have more wisely and strategically. These companies say that their cyber analysts are being overwhelmed by alerts, according to the Capgemini report, spending too much time doing grunt work like going through data logs and incident time sheets. “They are counting on AI to help these overwhelmed staff,” says the report.

The (ISC)² report also hits on this theme. Security professionals want to do less security administration, incident response and endpoint security management. “They’d rather be spending time on more high value cybersecurity tasks such as threat intelligence analysis, penetration testing and forensics,” says the report.

AI HYPE AND REALITY

As with any cutting-edge technology, hype sometimes overshadows the real capabilities of artificial intelligence in cybersecurity. If you’re evaluating products that claim to use AI and machine learning:

Maintain realistic expectations. If the capabilities of the product sound too good to be true, they probably are. AI is far from perfect. In some applications, in fact, it can be fooled quite easily.

Remember that the key is good data. Algorithms are limited by the quality of the data that trains them. Unless the product can access all or most of your data, it won’t be effective.

Ask trustworthy partners for advice. Turn to vendors that have proven to be trusted advisors. Ask them what can be expected, realistically, from AI today. What are they seeing in the market? What’s real, and what is smoke and mirrors?

Look at what you already have. Revisit your current vendors and products. You may find that they already use some form of AI and machine learning.

[2] Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens

[3] ESG: The Life and Times of Cybersecurity Professionals 2018

RADAR combines the capabilities of machine learning and human learning, creating a funnel that results in an efficient and effective security system. And both the machine and the humans are always learning.

Because RADAR is constantly analyzing data and feedback from human analysts, it learns more about the patterns of your organization and fine tunes rules. Here’s an example of how that works:

RADAR might start with a rule designed to catch spoofed emails. Consequently, it may block traffic that has the attributes of spoofed email – such as Constant Contact newsletters from your vendors or customers. But you may not want that information to be blocked. As it detects how analysts handle these “alerts,” i.e. they have cleared them as acceptable, the system will adjust and accept those emails as normal activity.

Over time, this reduces the number of false positives and increases the time human analysts can spend on real and significant threats. “By collecting, analyzing and learning from all that data, the machine part of RADAR is doing the heavy lifting. Machines are really good at repetition - executing things over and over again in the same way,” says Wilson. “Humans are good at intuition. So we task the machine with something that’s easily repeatable so you don’t have the human do the dumb work. You have the humans do the smart work.”
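The feedback loop described above, written out as an added example for this page (it is not BTB’s RADAR code and does not claim to show how RADAR implements its rule): a minimal spoofed-mail check that flags a mismatch between the From: header domain and the envelope sender domain, plus a feedback method that records analyst verdicts so that a sender pair cleared repeatedly is accepted as normal activity. The three-verdict threshold, the verdict labels, the addresses and the two sample messages are constructed assumptions.

```python
"""Spoofed-mail rule that learns from analyst verdicts.

Added example for this page; it is not BTB's RADAR code. The indicator,
the verdict labels, the three-verdict threshold and the addresses are
constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

CLEARED_TO_SUPPRESS = 3   # assumption: analysts must clear a sender pair three times


@dataclass
class Email:
    header_from: str     # address in the From: header the recipient sees
    envelope_from: str   # Return-Path / MAIL FROM address actually used
    subject: str


def domain(addr):
    """Domain part of an address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class SpoofRule:
    # (from-domain, envelope-domain) -> number of times analysts cleared it
    cleared: dict = field(default_factory=lambda: defaultdict(int))
    # pairs an analyst confirmed as real spoofs; these are never suppressed
    confirmed: set = field(default_factory=set)

    @staticmethod
    def key(mail):
        return (domain(mail.header_from), domain(mail.envelope_from))

    def evaluate(self, mail):
        """Return 'alert' or 'normal' for one message."""
        pair = self.key(mail)
        if pair[0] == pair[1]:
            return "normal"                 # no mismatch, the rule does not apply
        if pair in self.confirmed:
            return "alert"                  # confirmed-bad pairs stay on the alert path
        if self.cleared[pair] >= CLEARED_TO_SUPPRESS:
            return "normal"                 # learned from feedback: a trusted bulk sender
        return "alert"

    def feedback(self, mail, verdict):
        """Record the analyst's verdict ('cleared' or 'confirmed') on an alert."""
        pair = self.key(mail)
        if verdict == "confirmed":
            self.confirmed.add(pair)
            self.cleared[pair] = 0
        elif verdict == "cleared":
            self.cleared[pair] += 1         # has no effect on a confirmed pair, see evaluate()
        else:
            raise ValueError(f"unknown verdict {verdict!r}")


def run_demo():
    """Drive the rule through the page's scenario; returns the sequence of outcomes."""
    rule = SpoofRule()
    # constructed messages: a vendor newsletter sent through a bulk mailer, and a spoof
    newsletter = Email("news@vendor.example", "bounce@bulk-mailer.example", "Monthly update")
    spoof = Email("ceo@yourcompany.example", "x@free-mail.example", "Urgent wire transfer")
    outcomes = []
    for _ in range(CLEARED_TO_SUPPRESS):          # the newsletter alerts; analysts keep clearing it
        outcomes.append(rule.evaluate(newsletter))
        rule.feedback(newsletter, "cleared")
    outcomes.append(rule.evaluate(newsletter))    # now accepted as normal activity
    outcomes.append(rule.evaluate(spoof))         # a different domain pair still alerts
    rule.feedback(spoof, "confirmed")
    for _ in range(CLEARED_TO_SUPPRESS):          # later mis-clicks cannot whitelist a confirmed spoof
        rule.feedback(spoof, "cleared")
    outcomes.append(rule.evaluate(spoof))
    return outcomes


if __name__ == "__main__":
    print(run_demo())   # ['alert', 'alert', 'alert', 'normal', 'alert', 'alert']
```

The suppression is keyed on the specific domain pair rather than on the rule as a whole, so the rule keeps flagging every other mismatch; a production version would also expire learned suppressions so that a sender that goes quiet has to be re-cleared.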

The human analysts then further narrow the funnel by bringing intuition, human intelligence, an understanding of context, and plain old common sense to address the issue at hand.

Envision your staff returning to work after a long holiday weekend, for example. An employee is logging into the system but mistypes his password a few times. The strict rules by which RADAR operates would flag these “unauthorized access attempts” as a possible threat. But the cyber analyst considers the context. First, it’s the first day after a long weekend. Second, the employee is trying to access email, not a mission-critical system accessible by only a few privileged accounts. Thus, the analyst knows this is not a threat. On the other hand, if there are 50 such attempts, not just five, or if there were 50 different employees repeatedly attempting wrong passwords, the analyst might suspect a brute force attack on your network, investigate further and sound the alarm if appropriate.

THE RADAR FUNNEL

Figure: 500 log sources, 350 daily alerts, 20 monthly tickets.

As they work together, the machine and human “winnowing” means that some 350 alerts a day are ultimately reduced to only a few potential threats deserving attention. “A RADAR customer is notified only about 20 times a month, and only with a thoroughly vetted security threat, along with recommendations on how to mitigate it,” says Wilson.
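The failed-login rule mentioned under THE HUMAN ELEMENT and the analyst reasoning in the long-weekend scenario above, combined into one added Python example written for this page (it is not RADAR’s own logic): the raw rule counts failures per account inside a window; the triage step then applies the context the page describes, namely attempt volume (five versus 50), whether the target is a privileged system, whether 50 different accounts are failing from one source, whether the user then logged in successfully, and whether it is the day after a holiday. The log format, the ten-minute window, the privileged target names, the holiday date and all hosts and user names are constructed assumptions.

```python
"""Failed-login rule plus analyst-style context triage.

Added example for this page; it is not BTB's RADAR code. The log format,
thresholds, privileged targets, holiday date, hosts and users are all
constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

WINDOW = timedelta(minutes=10)   # "a short time span" for the raw rule (assumption)
RAW_THRESHOLD = 5                # raw rule: five failures for one account in the window
BRUTE_FORCE_ATTEMPTS = 50        # page: 50 attempts, not just five
SPRAY_ACCOUNTS = 50              # page: 50 different employees failing from one place
PRIVILEGED_TARGETS = {"domain-controller", "payment-gateway"}   # assumption
HOLIDAYS = {date(2019, 5, 27)}   # assumption: the long weekend in the scenario

LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<event>auth-fail|auth-ok)\s+user=(?P<user>\S+)"
    r"\s+src=(?P<src>\S+)\s+target=(?P<target>\S+)$"
)


def parse(log_text):
    """Turn constructed auth log lines into event dicts; unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def raw_alerts(events):
    """The machine rule: RAW_THRESHOLD failures for one account/target/source inside WINDOW."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "auth-fail":
            fails[(e["user"], e["target"], e["src"])].append(e["ts"])
    alerts = []
    for (user, target, src), stamps in fails.items():
        stamps.sort()
        best = start = 0
        for i, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[start] > WINDOW:
                start += 1
            best = max(best, i - start + 1)
        if best >= RAW_THRESHOLD:
            alerts.append({"user": user, "target": target, "src": src,
                           "failures": best, "first": stamps[0], "last": stamps[-1]})
    return alerts


def triage(alert, events):
    """The analyst's context, applied to one raw alert."""
    if alert["failures"] >= BRUTE_FORCE_ATTEMPTS:
        return "escalate: brute force volume"
    if alert["target"] in PRIVILEGED_TARGETS:
        return "escalate: privileged target"
    lo, hi = alert["first"] - WINDOW, alert["last"] + WINDOW
    accounts = {e["user"] for e in events
                if e["event"] == "auth-fail" and e["src"] == alert["src"] and lo <= e["ts"] <= hi}
    if len(accounts) >= SPRAY_ACCOUNTS:
        return "escalate: many accounts from one source"
    logged_in = any(e["event"] == "auth-ok" and e["user"] == alert["user"]
                    and alert["last"] <= e["ts"] <= hi for e in events)
    after_holiday = (alert["first"].date() - timedelta(days=1)) in HOLIDAYS
    if logged_in and after_holiday:
        return "benign: mistyped password after the holiday"
    return "investigate"


def run(log_text):
    """Map each alerted account to its triage outcome."""
    events = parse(log_text)
    return {a["user"]: triage(a, events) for a in raw_alerts(events)}


def build_sample_log():
    """Constructed sample log: one typo case, one hammered account, one password spray."""
    base = datetime(2019, 5, 28, 8, 1, 0)      # first morning after the holiday

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [f"{stamp(10 * i)} auth-fail user=jsmith src=10.0.5.21 target=mail" for i in range(5)]
    lines.append(f"{stamp(60)} auth-ok user=jsmith src=10.0.5.21 target=mail")
    lines += [f"{stamp(2 * i)} auth-fail user=svc-backup src=203.0.113.7 target=domain-controller"
              for i in range(50)]
    lines += [f"{stamp(3 * i + k)} auth-fail user=emp{i:02d} src=198.51.100.9 target=vpn"
              for i in range(50) for k in range(5)]
    return "\n".join(lines)


if __name__ == "__main__":
    for user, outcome in sorted(run(build_sample_log()).items()):
        print(f"{user:12} {outcome}")
```

The raw rule alone raises 52 alerts on this sample; the context step turns one of them into a benign typo and marks the rest for escalation, which is the winnowing the funnel above describes.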

CONCLUSION

In summary, while the latest advances in AI can supplement cybersecurity, well-trained cybersecurity professionals are still your best defense. Technology alone is not the answer today or for the foreseeable future.

With no end in sight to the shortage of cybersecurity talent, it makes sense to use technology to help make the most of the cyber talent you have. Some 63 percent of the large companies Capgemini surveyed said they plan to use AI by 2020, mostly to improve the accuracy and efficiency of their cybersecurity specialists. Small and midsized organizations can similarly benefit by engaging a managed service provider that uses a combination of technology and human intelligence to secure their organizations.

AI ARMS RACE

Hackers are starting to use artificial intelligence.

Criminals are using algorithms to increase the success of spear-phishing tweets. The algorithms enable the crooks to send tweets six times faster, doubling their success rate.

Source: Capgemini Report

Hackers are using AI to learn and adapt to security tools, including ways to bypass security algorithms.

They are using AI to increase the speed at which malware can “morph,” meaning constantly changing its code so it cannot be identified, which makes it very difficult to remediate. One such piece of malware – called Trickbot – has already been seen in the wild.

Source: Raconteur