It’s increasingly likely that the first publicly acknowledged, artificial intelligence (AI)-based network attack will occur in 2018. Administrators who recognize the potential effect of machine learning (ML) on the future of network and application security management are beginning to strengthen their understanding in this area. Vendors are also becoming more aware, simplifying observation tools to mitigate existing and future risk. In the age-old battle of good versus evil, the question now is: who will bring AI and ML to the fight first?
Consider a dedicated hacker who intends to breach a corporate environment. That attacker is limited by the overall amount of talent and resources available for the attack, including human technical skill, team size, and funding. But, as is always the case with automation, ML is able to discover and manage vulnerabilities and analyze attack surfaces far more efficiently, tirelessly, and at a cheaper price.
A typical small attack team is not capable of simultaneously doing social engineering, scanning networks, cataloging zero-day vulnerability exploits, monitoring password attacks, and launching a DDoS cover attack. It must make resource constraint-based compromises that buy admins time to detect and mitigate the effort. A machine, however, is capable of orchestrating all that and more, 24 hours a day, without stopping. It’s the very definition of advanced persistent threat (APT).
Using automation, which doesn’t exhaust motivation or patience, even an attacker with limited access to machines and a constrained budget can work slowly over weeks or months to identify vulnerabilities and get in unnoticed. Identifying a threat is actually significantly more difficult when it’s happening over an extended period. Admins simply can’t spend weeks watching systems, waiting for that one packet in a million, or, more likely, a billion.
Artificial Intelligence for Good
If IT professionals, along with their trusted vendors, take the initiative, we’ll soon be able to rely on ML, and perhaps even AI, to protect our networks and applications. And though many network administrators are concerned that machines will replace human enterprise security experts, that’s actually unlikely. The management demands of increasingly complex systems are likely to require roughly the same resources saved by automating day-to-day management.
Admins are already gaining breakthrough insight via modern monitoring and observability platforms, even without ML. New, easier-to-deploy tools mean metrics and events are able to be observed through IT systems’ continuous telemetry, not just sporadic scanning, watching a dashboard, or regular reports. In many ways, these new application performance management (APM) approaches actually drive the effectiveness of algorithms, rather than ML driving new data platforms. Data always comes first, then learning.
IT telemetry-enabled ML will allow network security experts to perform some amazing tricks. Consider a spear-phishing campaign that is sending well-crafted fake 401K account emails to employee spouses. A civilian recipient helpfully forwards it inside the firewall to his or her senior network security administrator spouse. Now, its potentially zero-day, vulnerability-based payload has a chance to compromise an admin workstation.
It’s challenging for a network administrator trying to prevent such an attack to deal with all these factors using traditional rules and techniques. However, anomaly detection algorithms based on data from millions of email messages make quick work of finding even one “perfectly” crafted spear-phishing attack. Sharp security administrators will be able to run comparison data sets to differentiate normal versus exceptional email by employee type, assessing trust and interest scoring for additional screening.
Getting There From Here
The first step toward AI for the enterprise is maturing past the perception that ML is too difficult, too expensive, or not valuable enough for IT. This viewpoint must be changed before we’ll see successful implementation. Fortunately, acquiring knowledge about machine and deep learning and how to apply algorithms to very large data sets is becoming much easier.
Until recently, trainable, neural net-based security products were only available to specific industries, and these tended to be highly complex and expensive. As with any emerging technology, however, complexity and cost will decrease over time. Vendors are already recognizing the need to simplify solutions. Microsoft, Google, and particularly Amazon Web Services (AWS) — as we saw at re:Invent 2017 — have realized ML tools are too complex for the average admin. They’re not building “ML for Enterprise Dummies,” but are instead creating tool sets that are truly smart and easy to use.
In the meantime, your environment can already benefit from the new telemetry being generated, or from broad observability of the network environment, even before they put an AI/ML cherry on top. Security configurations, topology, monitoring skills, events, and changing management requirements are all critical focus areas. It doesn’t matter if the processes are manual, hybrid, or fully automated.
Today, network administrators may already focus on incorporating visibility into all systems, so they will be ready to attach intelligent security applications on top of them. At the same time, administrators should also look to clearly define the security posture objectives, and begin utilizing data science to ensure that the information from security-related events is well understood.
2018 may be a glass half-empty and glass half-full year for network security and machine learning. As admins, we seriously hope that it’s half-full. We hope vendors expand their new-found interest in educating administrators in the ways of ML, and start providing AI-based technology that helps secure our networks and detects intrusion easier.
However, there’s still a possibility of the glass being half-empty. That is, attackers may get there first, become adept at using these technologies, thus making us more vulnerable and compromising our systems before we have a chance to learn how to combat them.
I’m still betting on half-full.