“Ransomware Hackers Demand $70 Million in Bitcoin, Claim Massive U.S. attack as Biden Investigates Possible Russian Involvement” – Forbes dated July 5th, 2021

Cyber risk is among the top concerns for business owners, and a growing number of incidents are being reported from around the world, especially now that remote work has become the norm because of the pandemic. According to Gartner, 60 percent of digital businesses will suffer major service failures because their IT security teams are unable to manage digital risk.

The new normal of working from home

The pandemic drove companies around the world to shut their offices, sometimes at a day’s notice. For employees it meant switching to their home networks, which lack the perimeter controls and monitoring of a corporate network. A work-from-home network has been estimated to be at least three times more vulnerable to cyber-attacks. A security breach is a general term for any event that poses an actual or potential risk to the confidentiality, integrity or availability of information, or of the systems that process it; these three properties are known as the CIA triad.

Businesses are mostly concerned about security breaches, an attacker gaining access to financial systems, employees putting information at risk, becoming a victim of cyber extortion or ransomware, and the theft or loss of customer or client records. Despite knowing how serious the risk is, only a few companies are taking steps to mitigate it, such as deploying intrusion detection software, conducting a cyber risk assessment, enabling multi-factor authentication for cloud services, contracting an outside vendor for IT security, or having a business continuity plan in case of an attack. According to the Travelers Risk Index 2020, still only 55 percent of businesses have a cyber insurance policy.

Making sense out of data

Security operations teams must handle huge volumes of data, both operational and industrial, structured and unstructured: millions of alerts, documents never seen before, executable files, scripts, macros, and events from a log management platform that aggregates alerts from every product deployed in the environment. From this stream the team must pull out the data the business actually needs. Support tickets and incident tickets from the enterprise network and from large industrial assets also have to be managed. With so much historical and time-sensitive data, the team needs to understand quickly what is happening in the environment, where to prioritize, and where to spend its time.

Artificial Intelligence (AI) offers to scale the capability of your security systems using machine learning and deep learning algorithms, which improve as they are exposed to larger volumes of data. A system built this way can take a file that has never been seen before, classify it as malicious or benign before it does any damage, and allow you to block and quarantine it. The verdict is a statistical one, though: every such classifier produces some false positives and false negatives, and its error rate has to be measured on data it was not trained on before it is trusted to block automatically.

Emerging challenges in Cybersecurity

According to a Ponemon Institute study, 69 percent of organizations do not believe that their antivirus can stop the threats they are seeing. Attackers, on the other hand, are using advanced techniques to breach an organization’s security. Hacking as a service: open source tools and online services that lower the technical barrier to entry for attackers. Single-use malware: highly targeted, single-use attacks in which no two variants are the same. Polymorphism: attacks that automatically mutate so that their bytes no longer match static signatures. Trusted application attacks: attacks that leverage trusted applications such as documents, macros and scripts to deliver the payload. In-memory attacks: direct injection of code into a process’s memory space, leaving no file for file monitoring to inspect. Weaponized AI: machine learning used to generate adversarial malware that evades classifiers. When white hat hackers were asked how easy it is to bypass current firewalls, IDS and IPS, 88 percent said it is unbelievably easy.

It is worth noting that your IT team will not scale; it will never be the size you want it to be because of budget constraints, the shortage of cybersecurity talent (the field has negative unemployment), and so on. The data show that a human can no longer sit and watch for each incoming threat and block it by hand. As many as 244 new threats arrive per minute, the volume of threats grows by 22 percent a year on average, and some of them are zero-days that have never been seen before. An average company runs about 75 security products, which is too many, because each is a narrow solution to one particular problem. Investigating a single alert takes 20 to 30 minutes on average.

Understanding Machine Learning

To understand machine learning, consider giving a system a set of inputs together with features that describe each one; from that data the system learns a classification and decides whether a new input is good or bad. In threat detection the inputs are URLs or files, the features are properties such as file type, and the output is a verdict of good or bad. There are two basic concepts: supervised learning and unsupervised learning. In supervised learning we label the data set we have: with 5,000 emails, for example, we label each one as spam or not spam and feed them to the engine. The engine learns from the labels and applies what it learned to decide whether a new email is spam. In unsupervised learning there are no labels and no specific prediction; the data is fed to the engine and the machine finds the patterns in it on its own, for example by grouping similar items into clusters.

Features can be extracted from a file to decide whether it falls into the ransomware category. For example, if you look at a file in a debugger or disassembler and list the method calls and the DLLs in its import table (the Windows libraries it uses), a pattern becomes visible. When a new file shows a similar pattern of calls, it can be classified as ransomware. Most malware in a family follows the same pattern, so the same feature extraction logic can be used to detect it. This is where AI and machine learning play a vital role: once the features are passed to a trained model, a malicious file can be blocked at the moment it attempts to run. The caveat is that import tables are easy to disguise: packed or obfuscated malware resolves its APIs at run time, so static import features have to be combined with other features or with behavioural observation.
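As an added example (not part of the original article), the following Python script shows the two ideas above side by side: the polymorphism point from the Emerging challenges section, where a mutated variant slips past a hash signature, and the import-based feature classification just described, which still recognises it. The file format (a fake ‘MZ’ header followed by NUL-separated import names), the sample import lists and the hand-written Bernoulli naive Bayes classifier are all my own constructions for illustration; the Windows API names are real, but none of the samples is real malware, and a real extractor would read the import directory with a PE parser such as pefile.

```python
"""Hash signature vs import-feature classification (added example).

The 'file' format is a constructed stand-in for a PE import table: a fake
'MZ' header followed by NUL-terminated import names. All samples are
constructed for illustration and the classifier is trained on only seven
of them, far too few for anything but a demonstration.
"""
import hashlib
import math
import re


def build_blob(imports):
    """Construct a fake file: 'MZ', then one NUL-terminated import name each."""
    return b"MZ\x00" + b"".join(name.encode("ascii") + b"\x00" for name in imports)


_NAME = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{3,}")


def extract_imports(blob):
    """Feature extraction: the set of import-like ASCII identifiers in the blob."""
    return {m.group(0).decode("ascii") for m in _NAME.finditer(blob)}


# Labelled training set (constructed). The ransomware-like samples share one
# pattern: acquire a crypto context, get a key, walk the file system, encrypt,
# then delete or move the originals. One benign sample also encrypts, so
# CryptEncrypt on its own must not be enough to flag a file.
TRAINING = [
    ("malicious", ["CryptAcquireContextW", "CryptGenKey", "CryptEncrypt", "FindFirstFileW",
                   "FindNextFileW", "WriteFile", "DeleteFileW", "CreateFileW"]),
    ("malicious", ["CryptAcquireContextW", "CryptGenRandom", "CryptEncrypt", "FindFirstFileW",
                   "FindNextFileW", "MoveFileExW", "CreateFileW", "ShellExecuteW"]),
    ("malicious", ["CryptEncrypt", "CryptImportKey", "FindFirstFileW", "FindNextFileW",
                   "DeleteFileW", "CreateFileW", "WriteFile", "GetLogicalDrives"]),
    ("benign", ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "GetModuleHandleW",
                "MessageBoxW"]),
    ("benign", ["socket", "connect", "send", "recv", "CreateFileW", "ReadFile", "closesocket"]),
    ("benign", ["CreateWindowExW", "ShowWindow", "GetMessageW", "DispatchMessageW",
                "MessageBoxW", "CloseHandle"]),
    ("benign", ["CryptAcquireContextW", "CryptEncrypt", "CryptDecrypt", "CreateFileW",
                "ReadFile", "WriteFile", "CloseHandle"]),
]


class BernoulliNB:
    """Supervised learner over present/absent features with Laplace smoothing."""

    def __init__(self, samples):
        self.vocab, self.class_count, self.feature_count = set(), {}, {}
        for label, features in samples:
            feats = set(features)
            self.vocab |= feats
            self.class_count[label] = self.class_count.get(label, 0) + 1
            counts = self.feature_count.setdefault(label, {})
            for f in feats:
                counts[f] = counts.get(f, 0) + 1
        self.total = sum(self.class_count.values())

    def _p_present(self, label, feature):
        # (count + 1) / (n + 2): never exactly 0 or 1, so the logs stay finite.
        return (self.feature_count[label].get(feature, 0) + 1) / (self.class_count[label] + 2)

    def log_score(self, label, feats):
        score = math.log(self.class_count[label] / self.total)  # class prior
        for f in self.vocab:  # features never seen in training carry no weight
            p = self._p_present(label, f)
            score += math.log(p) if f in feats else math.log(1.0 - p)
        return score

    def log_odds(self, feats):
        """Positive means 'malicious' is the more likely class."""
        return self.log_score("malicious", feats) - self.log_score("benign", feats)

    def classify(self, feats):
        return "malicious" if self.log_odds(feats) > 0 else "benign"


MODEL = BernoulliNB(TRAINING)


def analyse(blob):
    """What a hash signature sees versus what the feature model sees."""
    return hashlib.sha256(blob).hexdigest(), MODEL.classify(extract_imports(blob))


# Constructed unseen samples: a new ransomware-like file, a 'polymorphic' variant
# with different bytes but the same imports, and a benign encryption utility.
UNSEEN_RANSOM = build_blob(["CryptAcquireContextW", "CryptGenKey", "CryptEncrypt",
                            "FindFirstFileW", "FindNextFileW", "MoveFileExW", "DeleteFileW",
                            "CreateFileW", "WriteFile", "GetDriveTypeW"])
MUTATED_RANSOM = UNSEEN_RANSOM + b"\x90" * 32  # stand-in for a code mutation
UNSEEN_CRYPTO_TOOL = build_blob(["CryptAcquireContextW", "CryptEncrypt", "CryptDecrypt",
                                 "ReadFile", "WriteFile", "CloseHandle", "CreateFileW",
                                 "GetModuleHandleW"])

if __name__ == "__main__":
    for name, blob in [("unseen ransomware", UNSEEN_RANSOM), ("mutated variant", MUTATED_RANSOM),
                       ("crypto utility", UNSEEN_CRYPTO_TOOL)]:
        digest, verdict = analyse(blob)
        print(f"{name:18} sha256={digest[:16]}... verdict={verdict}")
```

Running it shows the SHA-256 of the mutated variant differing from the original while the extracted import set, and therefore the verdict, is unchanged; the crypto utility is classified as benign because it lacks the file-enumeration and delete pattern even though it imports CryptEncrypt. The same limitation noted above applies here: a packer that resolves APIs at run time would leave this extractor with nothing to classify, so in practice import features are one input among many.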

Going Forward

Risk is a combination of the likelihood of a loss event and its potential impact. If you can reduce either the likelihood or the impact, you are on the right track. A head-in-the-sand approach of ignoring the risk is never a good idea, because no one is immune. Going forward, organizations will need to use strong, targeted machine and deep learning to close the loops in their human processes. The future of AI in cybersecurity lies in automated defense systems that can learn in dynamic contexts. Artificial Intelligence is indeed a requirement to keep ahead of today’s threats, and even more so in the future.