Cybersecurity has been important since even before the age of dial-up Internet when viruses spread via infected floppy discs. The battle between adversaries and IT professionals is ever escalating. Adversaries create new and different types of malware or attacks, and IT teams deploy new or improved types of defenses to protect their growing data stockpiles.
In the latest round of information security (InfoSec) attacks, adversaries are deploying new types of threats via new vectors and enhancing those attacks with the power of AI. The only way to realistically counter these attacks is to deploy the power of AI in cybersecurity defenses as well.
The cybersecurity threat is always growing
Attack surfaces are growing. In the "old days," computers stood by themselves or linked to a few other machines using closed networks. Then came local area networks, WAN, and Internet access. Now, half the applications are running in the cloud, and half (or maybe all) the users are working from home and accessing the network with mobile devices. This gives attackers many more potential entry points to the network by first hacking a user’s laptop or phone or by invading a cloud-based application instance. Supply chain attacks pose another type of threat where software from a trusted vendor could also contain embedded malware. Adversaries then use that compromised application or device as a beachhead to invade the rest of the network.
Data is growing exponentially, which isn’t news, but now IT is expected to protect most or all of it. In the old security model, InfoSec only required screening programs and other executable files, such as a document or spreadsheet with macros enabled, to make sure they didn’t carry malware. That was perhaps 5% to 10% of the data. But today, even non-executable data needs to be protected against ransomware and theft — you need to protect 100% of it. Distributed application architectures and hybrid cloud multiply the amount of communication required between servers, while network speeds have increased 2,000X in the last 25 years (from 100Mb Ethernet in 1995 to 200Gb Ethernet in 2020). More data is moving faster than ever across the network. There is exponentially more data to protect with exponentially more traffic to screen and analyze.
Regulatory compliance further increases the InfoSec burden by adding requirements on what to protect and how to protect it. Additional data encryption, access controls, privacy protections, authentication methods, and reporting must be done, depending on which regulations affect your organization. Cybersecurity professionals must now implement both the protections they deem necessary and additional protections the law requires and face penalties or disclosure requirements if they're hacked.
Adversaries will soon be using AI to augment their attack--if they aren’t already. Researchers have already shown how AI can customize phishing attacks to make them more effective or create “deep-fake” voices that mimic celebrities or sound exactly like your boss. Domain-generation algorithms automatically manufacture new URLs that can spread malware without being blacklisted by DNS-based security gateways. Botnets already use simple AI concepts to seek out the most vulnerable machines and work around cyber defenses. Newer viruses already alter their own code, repeatedly change their location, and even disable or modify anti-malware software on the infected machines to avoid detection. These are all examples of basic or simple AI being used to enhance cyber attacks, and it’s safe to assume that more sophisticated machine learning and natural language processing models will be added to adversaries’ arsenals soon.
To top off the challenge of the gathering threat storm, there is a severe shortage of IT security professionals. According to a recent study conducted under a US Department of Commerce Grant, there are approximately 950,000 people employed in cybersecurity but over 450,000 unfilled cybersecurity job openings across the country. So you can’t hire your way into security and compliance.
Why AI is needed
There are five areas where AI can help detect and prevent security threats as they happen:
1) Screen more data than humanly possible
The amount of data that needs to be checked is overwhelming, and it's becoming more than any person, or even team of people can reasonably screen. Human InfoSec investigation typically happens only after a breach has been confirmed or at least suspected. When threats were more limited, a few humans could reasonably react to all the antivirus and firewall alerts and feel confident they had a hand on most security threats. But now, all data on all servers and all traffic on every network connection is potentially suspect, and trusted users mix with untrusted users connecting through the VPN, web application gateways, and cloud-based apps. Humans with traditional logging or telemetry tools can at best sample a few gigabytes of data per day, but AI-powered cybersecurity can review and analyze terabytes of data each day to detect malware, hacking attempts, data exfiltration, or evidence of a successful or ongoing attack.
2) Catch suspicious behavior, not just suspicious bits
Old-school threats came in fixed, recognizable forms that didn't change once released into the wild. The vast majority of organizations would be protected as long as they regularly updated their security software signatures. Now, advanced malware modifies itself, and hackers' toolkits let bad actors create novel malware daily or even hourly. New exploits and viruses often attack data centers before the security companies can distribute updated signatures. These zero-day attacks haven't been seen before, so they don't show up in any threat databases. AI-powered security can detect these threats by finding suspicious behavior instead of only scanning for known signatures. AI can be trained to recognize suspicious application behavior or traffic patterns to detect new attacks, even if the specific attacks have never been seen before.
3) Identify bugs, vulnerabilities, and mistakes in applications and networks
AI has the power to improve security by finding and resolving problems beyond malware and leaked sensitive data. It can scan application, server, and network logs to identify misconfigurations, outdated software, or improper settings. AI can also scan application code before deployment or chip designs prior to tapeout to help find vulnerabilities before the products go into use. These uses don’t find threats or viruses but eliminate system, application, and network vulnerabilities, making hacks and attacks less likely to succeed.
4) Identify machines acting as humans and humans acting as machines.
Users authenticate themselves to access applications, and the various application, web, database, and middleware servers also authenticate themselves to other machines to share data. But what happens if a botnet learns to emulate what the human employees are doing? What if an adversary pretends to be a trusted server? AI-powered security learns the normal traffic and data access patterns and can rapidly detect whether machines are impersonating legitimate users (machines as humans). It can also detect when adversaries are impersonating trusted machines to gain access to sensitive data (humans as machines).
5) Identify never-before-seen or zero-day threats
Traditional security software references a database of known malware signatures that should be blocked from getting into the data center. The problem today is the databases of malware signatures, and sensitive information cannot be updated quickly enough to keep up with new malware creation or self-modifying malware. Likewise, a fixed list of sensitive data to be prevented from leaking out of the organization will always be out of date. AI-powered security can identify zero-day attacks by recognizing suspicious patterns of behavior or network traffic without relying on fixed signature databases. And AI can recognize categories or types of sensitive information instead of noticing only information that matches rigid, predefined lists.
As the amount of data, attack surface, and number of threats continue to grow, AI technology is the only plausible response. AI-powered data science provides the scale to cover all the relevant machines and network traffic along with the adaptability to recognize many new threats and vulnerabilities that InfoSec teams and their software tools haven’t seen before.
John F. Kim is Director of Morpheus Product Marketing at NVIDIA.