Cyber Defense eMagazine November 2019

More documents

Recommendations

Info

insights from the same reports includes the fact that 90ZBs will be created on Internet of Things (IoT) devices, nearly 30% of all data will be consumed in real-time, and almost half (49%) of data will be stored in public clouds – all by 2025. Furthermore, the increase in data, especially real-time data, is correlating to the number of devices that are connected to private and public networks, which does not show indications of slowing down anytime soon. Next-generation cyber warriors will be dealing with volumes of data never seen before occurring in real time making it difficult to spot, assess, and act on future cyber attackers. Attackers will likely attempt to disguise and blend into the noise using AI and ML techniques to mask their malicious intent. The challenge for cybersecurity professionals and organizations is how to harness automation and build next-generation SOCs using AI and ML, which will be crucial for keeping up with the volume and velocity of cyber-related data, created by more users and more machines. The Alerting Nightmare Many SOCs Face Millions of daily alerts: This is a normal day as a SOC manager, and it raises several challenges: • Eliminating false positives to focus effort on prioritizing “real” alerts based on severity and probability. • Reviewing all alerts may be impossible. • Many SOCs will avoid some alerts because they are considered low-level or have fired off too many false positives. Remember, however, 10-15 low-level alerts that, when combined and based on the sequence or the nature of those alerts, could equal a high alert translating into a full compromise. • It is common for many SOCs to fall into the alert fatigue trap and not consider how adversaries operate. Just as military operatives, they always attempt to fly below the radar. Therefore, they focus on exploiting weaknesses to which that they feel SOCs are less likely to be giving careful attention. What are some of the solutions to these challenges? Writing correlation/behavioral rules can help, but this has its own limitations and they can be easy to evade if not written correctly. Writing behavioral rules is also complex and requires unique skills – which are in great shortage within the cyber community right now. A better approach is to save profiles for users, workstations, servers, networking devices, etc., and use ML to generate anomalies and determine behavioral patterns in the form of classifications. This approach is better because it more easily scales and can solve two major problems: The cybersecurity talent shortage and attacks that attempt to evade detection systems by hiding in the noise as we previously explained above. Using AI and ML together, anomalies can be generated that are then passed through a series of AI models to determine their probability and severity as well as to determine if any specific example crosses a threshold which should trigger an event/alarm. For example, an anomaly is triggered off a user behavioral pattern that has drifted from its normal operation. It is then analyzed by machines to determine if that anomaly occurred before, at what frequency, and if it can be predicted with a reasonable level of probability that the event is actually abnormal. If so, it may be passed to an AI-bot that triggers an alert to the user text or an alternative email address to ask if the action was prompted by them or not. If not, then an alarm is triggered by the AI intrusion system and the incident response process begins. This is 34
just one of many examples of how AI and ML can help with alert fatigue and scaling limited talented resources while also having the ability to respond in seconds versus minutes and hours. How Organizations Should Start Using AI and ML for <strong>Cyber</strong>security First, organizations should define what they want to teach a system to help augment and/or automate response actions. In my opinion, I think AI and ML is at a point where it can be of more help in augmenting than it can in automating. (The day where machines will be able to fully think like humans may come, but operationally, that is many years away.) Having worked in several SOCs and managed my own Managed Security Service Provider, I have seen analysts and incident responders performing repeated tasks day in and day out that could be augmented by AI. The AI-bot example provided above is one way this could work. In another example, Thomas Caldwell from Webroot provided a great demo of his AI bot using Amazon’s Alexa device at an RSA Conference session named the “Evolution of AI Bots for Real-time Adaptive Security.” Here’s one note of caution: Using AI/ML for response actions is complicated. It requires the right skills and data to be analyzed in order to create the feature sets that are viable candidates for AI and ML modeling and are specific for how your organization operates. If a vendor offers you a solution that allows you to run ML algorithms from your data and calls that AI or behavioral detection, turn and run as fast as you can! The great news is that today, a good portion of data created by machines and users are using standardized formatting and language, making it easier for the cyber community to share and build off of others’ AI and ML feature data sets. Keep in mind, however, that just as defenders are using AI and ML, adversaries are as well. To get started I recommend following some best practices that include, but are not limited to: 1. Spend the time to create well-defined outcomes and measurable targets for challenges you need to solve in security. What tasks/problems do you want a machine to learn and what tolerance do you have for false positives? 2. Consider if more simplified tools could achieve a more efficient and effective outcome than an AI and ML model. For example, running models to determine behaviors of where applications are executed from can help detect abnormal operations. However, it might be easier to standardize and baseline where all applications are allowed to run from and trigger an alert if one executes from a different file path outside of the baseline. Application whitelisting is an easier solution to this problem as well. 3. Brainstorm and pair data scientists with cybersecurity expertise to create features derived from your existing cybersecurity data to solve a relevant problem/outcome. The data that is being generated on the network is not necessarily what gets fed into the model. For instance, financial traders using algorithms to hedge stock portfolios tend to use ratios as an input set of data that is computed based lower level data sets such as fluctuations of price, volume of trades, etc. 4. Experiment with various combinations of features, algorithms, and classifiers to find the best fit model for the desired outcome and achieving the measurable target you had established beforehand. If the model doesn’t predict an event at the same rate or better than a human, what value does the model provide? Trial and error is the best approach and interestingly, machines 35
Page 1 and 2: Detrimental Ransomware Effects 3 Mu
Page 3 and 4: How to Keep Your Customer’s Credi
Page 5 and 6: @CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 7 and 8: 7
Page 9 and 10: 9
Page 11 and 12: Your website could be vulnerable to
Page 13 and 14: 13
Page 15 and 16: 15
Page 17 and 18: 17
Page 19 and 20: The click opened the door for the s
Page 21 and 22: Achieving Cybersecurity Readiness w
Page 23 and 24: valuable in cyber skills developmen
Page 25 and 26: Talk About a Disaster Fema Exposes
Page 27 and 28: Discussion When you demand and requ
Page 29 and 30: 3 Must-Do Tasks to Make Vulnerabili
Page 31 and 32: Intelligent automated solutions are
Page 33: • ML focuses on acquiring knowled
Page 37 and 38: From Guards to Detectives: Evolving
Page 39 and 40: analysts to focus on its more inter
Page 41 and 42: Where Property Insurance Ends and C
Page 43 and 44: to have in-depth conversations with
Page 45 and 46: There is no doubt that insider thre
Page 47 and 48: IT sabotage • Monitor high privil
Page 49 and 50: How to Build an Effective Insider T
Page 51 and 52: Incident Response Workflows When a
Page 53 and 54: Technology The technology should su
Page 55 and 56: Modernize the Mission: Implementing
Page 57 and 58: With the massive influx of data fro
Page 59 and 60: “Cyber threats such as ransomware
Page 61 and 62: On the 16th anniversary of National
Page 63 and 64: The significance of cyberattacks ca
Page 65 and 66: John Ford, Chief Information Securi
Page 67 and 68: Open Banking is a great illustratio
Page 69 and 70: The Social Engineering Methods and
Page 71 and 72: equest kindly from you to give your
Page 73 and 74: How to Address the Top 5 Human Thre
Page 75 and 76: How do most organizations attempt t
Page 77 and 78: How to Suggest Your Manager to Inve
Page 79 and 80: The purpose, the impacts and the bu
Page 81 and 82: So, Ya Wanna Be A Pen Tester, Huh?
Page 83 and 84: Does the world need you? The short
Page 85 and 86:
which nmap calls paranoid slow. Por
Page 87 and 88:
eport. What chance then do SMBs, ma
Page 89 and 90:
protection that was in place. They
Page 91 and 92:
WannaCry hacking that shut down hun
Page 93 and 94:
About the Author Stephanie Douglas
Page 95 and 96:
Global Information Sharing CBS News
Page 97 and 98:
Finally, when presented with a fore
Page 99 and 100:
cybersecurity threats seriously eno
Page 101 and 102:
There are other tactics available f
Page 103 and 104:
You can run a Discovery Scan in Met
Page 105 and 106:
When the task configuration bullet
Page 107 and 108:
You will see a list of Compatible P
Page 109 and 110:
How Organizations Can Best Avoid GD
Page 111 and 112:
Alongside this, an organisation mus
Page 113 and 114:
Here’s How You Can Secure Your Ap
Page 115 and 116:
potential cyber-attack. The purpose
Page 117 and 118:
cooperation with other Allies) also
Page 119 and 120:
operational-level commander, as opp
Page 121 and 122:
When Google sees that your site is
Page 123 and 124:
How to Erase Data from Mobile Devic
Page 125 and 126:
About the Author Mark Dobson is an
Page 127 and 128:
With this major shift to cloud-base
Page 129 and 130:
(https://www.csoonline.com/article/
Page 131 and 132:
Cybersecurity Essentials for Small
Page 133 and 134:
Cybersecurity essentials to remembe
Page 135 and 136:
New Cybersecurity Trend: Hackers Im
Page 137 and 138:
adversary due to intellectual prope
Page 139 and 140:
a multi-dimensional connectivity wi
Page 141 and 142:
To conclude, we can say that SDP ce
Page 143 and 144:
The Launch of Curiosity IoT The clo
Page 145 and 146:
Stressing Security Teams By Jody Ca
Page 147 and 148:
Playbooks are most widely known in
Page 149 and 150:
The Importance of Cybersecurity Whe
Page 151 and 152:
You don’t want problems with the
Page 153 and 154:
fairly simple - software in our con
Page 155 and 156:
used to exploit the system was, wha
Page 157 and 158:
As you can imagine, as technology g
Page 159 and 160:
A10 Networks Cloud Access Proxy Pro
Page 161 and 162:
About the Author As VP of Product M
Page 163 and 164:
in 2020.” 2) “AI and speech tec
Page 165 and 166:
operating system is vulnerable to e
Page 167 and 168:
About the Author Mr. Ryan is Co-fou
Page 169 and 170:
In some cases, the RPA bots work to
Page 171 and 172:
About the Author Kevin Ross is a Sr
Page 173 and 174:
Whenever you are in a public place,
Page 175 and 176:
175
Page 177 and 178:
177
Page 179 and 180:
179
Page 181 and 182:
181
Page 183 and 184:
183
Page 185 and 186:
185
Page 187 and 188:
187
Page 189 and 190:
189
Page 191 and 192:
191
Page 193 and 194:
193
Page 195 and 196:
You asked, and it’s finally here
Page 197 and 198:
TRILLIONS ARE AT STAKE No 1 INTERNA
Page 199 and 200:
199
Page 201 and 202:
201
Page 203 and 204:
203
Page 205:
205
show all

Cyber Defense eMagazine November 2019

Create successful ePaper yourself

Delete template?

Save as template?