How AI Can Save Corporate America from Devastating Cyber Attacks

It certainly has been another long week in cybersecurity. First, news that a third party hacked a group allegedly connected to the NSA and made off with secret “hacking tools” rocked the industry. It was shortly followed by news of cyber attacks in the form of smart email “bombs” raining down upon the mailboxes of .gov employees in a way very similar to DDoS attacks (but more highly personalized). News of new ransomware-as-a-service platforms added to the headache, as did news of two big PoS hacks where credit card information may have been stolen from retailers, hotels and restaurants. As summer wanes and stretches towards Labor Day, it will also be hard to forget the hack of the servers at the Democratic National Committee. Is it safe to go back in the water yet? Well, probably not. Perhaps worse news, however, is the conundrum we face regarding the continuing skilled cybersecurity personnel shortage in the United States. One recent study revealed some pretty scary statistics:

1. 82% of those surveyed reported a skills shortage at their company;
2. 71% of the respondents said the shortage caused direct and measurable damages through cyber attacks, and
3. 22% of companies suffered reputational damages because of the skills shortage.

With an increasing use of cloud computing, coupled with the ramping up of the Internet of Things (two things which may increase the complexity of cybersecurity), the cyber HR skilled jobs shortage will reportedly only get worse by 2020. For a country that significantly depends on a digital economy (perhaps to a figure of over $421 billion dollars a year by 2020), and upon digital information to keep it safe from terrorism and nation-state physical and cyber attacks, none of the above facts are healthy signs that cybersecurity in this country is headed in the right direction. How do we shift our cybersecurity profile, arguably from “low-hanging fruit” in many cases, to the “Captain America” of cybersecurity profiles? The answer is by adopting artificial intelligent machines by virtue of existing technologies like machine learning, deep learning, and cognitive computing. They are here today and here to stay. Though we cannot guarantee any particular product will give you 100% safety from attack (no one can give that promise), here’s why we need AI and its three cousins: Machine Learning, Deep Learning and Cognitive Computing.

1. Our digital economy requires massive datasets. As a result, different, faster, and more robust cybersecurity solutions are required

The first reason why AI and machine/deep learning needs to become the new “normal” for cybersecurity is simple: our country desperately needs them. As we digitize every part of our economy, and move customer solutions from the desktop to the laptop to the iPad and the iPhone, we are creating an enormous highly interconnected economy. When I was a kid, our economy was based on going to the mall or the supermarket for what my family needed. My parents paid in cash or check. Things were rudimentary but, in some ways, very easy and the amount of unprotected personally identifiable information was minimal, at best. Today, our economy is smartphone-based and highly personalized to each buyer based upon his or her own buying habits, which the company selling the goods (e.g. Amazon) analyzes keeps in massive data sets stored in the cloud along with their credit card information and other personal data. Our shopping experience today starts with our smartphone or tablet. Our medical information, medical history, patient billing, health data and reimbursement (as well as our medical records) are all stored either on-premises or in a cloud environment. We do nearly all our banking by smartphone, very rarely needing ever to enter a physical banking institution. Convenience is what matters. In sum, nearly everything we do is online. And it is stored in big data sets that are crunched daily by machine learning computers in an effort to further personalize our shopping and banking experiences and create broad, hyper-efficient efficiencies for suppliers and retailers (and even our electric and gas companies). This leads us to believe that traditional cybersecurity appliances relied upon in years past will no longer be adequate to respond to the new threats to come (which we saw, in particular, this week). If allegedly our National Security Agency (or a surrogate thereof) isn’t safe or secure (and we, of course, don’t know either way what happened), then what is safe? Our mindset needs to shift to machine learning and deep learning to protect our companies, healthcare providers, and healthcare institutions, as well as the personal information they use, store, and create every day. Faster detection of malware will become even more important and more difficult as our digital economy takes off like a rocket ship, creating more and more network traffic to be dissected and analyzed. With one-off personalized malware, unknown zero-days and APT exploits, unpatched systems, ransomware, and today’s other threats, we cannot afford to chase hundreds of thousands of alerts a day, and we cannot afford to tolerate, at all, the average of 146 days it takes many companies to detect malware on their networks. This is called “dwell time.” The higher the dwell time, the more damage a hacker can do. Says one security expert about machine learning and deep learning cybersecurity products:

"It is faster by far than most if not all big data tools, as it can work in real-time to near real-time—seconds to minutes—and it does not need to wait for batching data sets. Organizations need capabilities that allow them to get in front of the threat, finding and eradicating them before they can do harm….”

We admit that machine learning and deep learning is a mindset shift. We are used to having our hands on the wheel, our foot on the throttle at all times. As a country, we must recognize that we are putting superhuman amounts of data in circulation every day. For some companies, the number of alerts they receive is akin to the “whack-a-mole” carnival game. Hit one over the head, and two more pop up. Machine learning and deep learning can help deal with these enormous data sets and the enormous amount of network endpoint traffic by more quickly and efficiently detecting network anomalies, trends, and patterns at network speed (in the cloud and on premises). Some systems today advertise a success rate of over 95% in finding malware. In minutes. And AI won’t force you to lose your job or retire early. Machines need humans, too.

2. Machine and deep learning won’t force you out of a job. Frankly, it might make your job more satisfying.

Yep, I can hear it in your brain. Here comes the bologna about machine learning and deep learning not taking replacing us humans. One of the many respectable articles that I have read over the last six months makes the following three points:

1. We have a severe of skill cybersecurity workers in the United States (more than 209,000 jobs are open in the US today);
2. We can’t train workers or students fast enough to ever catch up, and
3. The skilled cybersecurity workers we have today chase thousand of alerts a week, many of which are false positives and, therefore, take away valuable time from actual alerts.

Many schools and universities are now offering computer science and cybersecurity programs in epic proportion. But there is simply no way to catch up and knock down the shortage. We must do something different. And for more than one reason. The how’s and where’s of data storage are changing rapidly (note the massive shift to the cloud over the last 12 months), and they're becoming more complex. Not only do we need more cybersecurity workers; we need more skilled cybersecurity workers that can deal with both storage and breach detection issues. Until we can train them, we must consider something different.

3. As the IoT disrupts our economy, we must consider alternative methods to protect our data and economy by lessening “dwell time.”

As the FireEye M-Trends report for 2016 notes, the critical problem for cyber defenders is dwell time, meaning the amount of time an attacker is on a particular network before he is found. The average dwell time today is 146 days. That is almost 5 months. What can an attacker do in 5 months on your network? The answer: unspeakable, horrific things that will cause you to have a couple of bad weeks before understanding the total amount of damage done to your network and the total amount of information exfiltrated by attackers. Though 146 days is a number way down from previous years, it is still a long time to cause havoc. Now think about the idea of the potential dwell time in 2020, when the number of endpoint devices and connected devices is expected to grow. Indeed, Cisco expects over 26 billion devices and connections by 2020, up from 16 billion in 2015. Which direction would you expect the dwell point days to go in 2020? Up or down? We are such a tremendous nation of scientists and professionals. We constantly demonstrate that our potential for innovation is seemingly infinite. But as we showed extensively above, our digital world has changed and likely will never reverse course. And that is okay. But it is also a fact that what the last eight months has taught us is that our world is a more dangerous place than ever with both nation-states and cyber criminals active beyond belief. For some attackers, the cyber warfare is asymmetrical. For others, it is much scarier. Machine learning, deep learning, and cognitive computing cybersecurity hardware may be our only way to attack the hackers back, to protect our data and our critical infrastructure, and to protect our nation. The time to give this technology a chance is now. In our mind, there is nothing to be afraid of except not adopting this technology soon enough.  

Image

About the Author: Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.