By Taj El-khayat, Managing Director – South EMEA at Vectra AI
I have never met a cybersecurity professional whose reason for entering the field was “because it’s easy”. And yet the profession’s challenges have mounted to breaking point in the past few years. Unprecedented sprawl within the IT stack has led to a rapid and sizeable expansion of the attack surface at a time of stubbornly persistent skills gaps. In a recent Trellix poll of UAE cybersecurity professionals, 70% reported increased investment in their organization, and 67% indicated renewed interest by senior executives in security, especially as it related to compliance. But more than half (56%) said that the rapid evolution of the threat landscape was making it difficult to keep up with attackers.
This story repeats around the world, and while there are many stressors that make life more difficult for security professionals than it has ever been, one pain-point stands out. They simply cannot say where they are compromised. Unknown threats are the bane of the SOC in the age of hybrid environments. And these threats come in many forms. They could be lurking in the cloud; they could be roaming the digital estate unchallenged, in the form of a compromised user account; they could be gnawing their way through the supply chain. There are so many ways to infiltrate and so many paths for lateral movement that security teams’ heads are spinning trying to locate and contain harmful processes.
IBM paints a grim picture in its Cost of a Data Breach 2022 report, which reveals that 45% of breaches now originate in the cloud. And Verizon’s 2022 Data Breach Investigations study tells us almost half come from compromised identities. Meanwhile, security teams are addressing the expansion in the attack surface with an expansion in their toolsets, leading to greater complexity. They are addressing increases in attack sophistication with an increase in the number of rules, which leads to alert fatigue and a greater need for maintenance — which leads to stress, burnout, resignations, shrunken talent pools, and on, and on.
Fighting more with more is just fuel for the fire. The very survival of the security function is at risk. We must move away from multiple point solutions towards a unification and simplification of our security capabilities. Legacy pattern-matching and threat-intelligence approaches simply cannot match the modern threat ecosystem. A threat hunter might chase a modern vulnerability or domain only to find that the real threat has moved on. Today’s attack methods cannot be tied to signatures and rules. They are designed to evade and persist.
To discover the significant incursions — the ones that can turn a CISOs fears into a fearful reality that makes headlines — requires an allegiance with artificial intelligence (AI) and machine learning. With these technologies on our side, we can begin to parse the complexity of today’s digital estates. What we need is AI that cuts through the noise to extract the relevant and bring the environment into focus. In other words, we must do more with less. We must not collect data for collection’s sake; we must collect the right data and analyze it the right way. This AI-based approach, applied shrewdly, will allow security teams to break out of the pressure cycle and go after the right signals. So armed, they can think like an attacker and understand their behavior. Cyber-defenders can scan the kill chain and zero in on attacker TTPs (tactics, techniques, and procedures), making them more effective threat hunters.
Advanced AI gets to know its environment, allowing it to spot behavior patterns that are uniquely and contextually malicious to that environment, which helps to significantly reduce false positives and enhance the accuracy rate within flagged incidents. All of this is good news for the region’s beleaguered security teams, who will finally be able to go on the offensive. They will no longer be plagued by red flags that lead to dead ends, and will be able to prioritize warnings by severity.
When busting the unknowns, we follow this approach. We call it “Attack Signal Intelligence” and it supplements rather than replaces threat intelligence, which is still necessary to alert us to known threats. Attack Signal Intelligence differs from other AI-based cybersecurity methods because it does not just look for standout activity; it uses intelligence about a range of different entities to determine what is important and ensure that security teams learn of it in time to act.
Attack Signal Intelligence accomplishes this by continuously monitoring for patterns of behavior that match attacker methods, using AI models that are attuned to previously observed TTPs. The approach combines these models with an ability to learn about a unique environment and apply this knowledge against that of TTPs to fine-tune real-time assessments of anomalies. A further layer of AI adds in threat models and human threat intelligence. Bench tests on Attack Signal Intelligence systems have shown up to 85% increases in the efficiency of identifying genuine threats and have also recorded significant enhancements to the productivity of SOCs.
Threat intelligence has served us well in the past, but we do not live in the past. We must look to the emergence of new threats and deliver to security teams the means to detect, prevent, and mitigate them. Attack Signal Intelligence stands as the greatest protector of the moment, capable of understanding its patch and therefore rising to a threat in a more contextual and effective way than any other available methods. Battling the unknown requires a new kind of soldier. And it just so happens, we have one ready for the battlefield. All that remains is a call to arms.