Article
17 minute read 07 December 2021

Cyber AI: Real defense

Augmenting security teams with data and machine intelligence

17 minute read 07 December 2021
Curt Aubley

Curt Aubley

United States

Ed Bowen

Ed Bowen

United States

Wendy Frank

Wendy Frank

United States

Deborah Golden

Deborah Golden

United States

Michael Morris

Michael Morris

United States

Kieran Norton

Kieran Norton

United States

As organizations struggle with security breaches, cyber AI can be a force multiplier, enabling security teams not only to respond faster than cyberattackers can move but also to anticipate these moves and act in advance.

  Explore the trend
  • Despite making significant investments in security technologies, organizations continue to struggle with security breaches: Their adversaries are quick to evolve tactics and stay ahead of the technology curve. Humans may soon be overwhelmed by the sheer volume, sophistication, and difficulty of detecting cyberattacks.

    People are already challenged to efficiently analyze the data flowing into the security operations center (SOC) from across the security tech stack. This doesn’t include the information feeds from network devices, application data, and other inputs across the broader technology stack that are often targets of advanced attackers looking for new vectors or using new malware. And as the enterprise increasingly expands beyond its firewalls, security analysts are charged with protecting a constantly growing attack surface.

    Meanwhile, the cost of cybercrime continues to climb; it’s expected to double from US$3 trillion in 2015 to US$6 trillion by the end of 2021 and grow to US$10.5 trillion by 2025.1 The average cost of a single data breach in 2021 was US$4.24 million,2 a 10% increase from 2019.3 According to insurer AIG, ransomware claims alone have grown 150% since 2018.4

    It’s time to call for AI backup. Cyber AI can be a force multiplier that enables organizations not only to respond faster than attackers can move, but also to anticipate these moves and react to them in advance. Cyber AI technology and tools are in the early stages of adoption; the global market is expected to grow by US$19 billion between 2021 and 2025.5

    AI’s ability to adaptively learn and detect novel patterns can accelerate detection, containment, and response, easing the burden on SOC analysts and allowing them to be more proactive. Bonus: It can help organizations prepare for the eventual development of AI-driven cybercrimes.

    Expanding enterprise attack surfaces

    Organizations’ attack surfaces are exponentially expanding. As discussed in The tech stack goes physicalthe adoption of 5G networks and an increase in network connections, together with a more distributed workforce and a broadening partner ecosystem, may present new risks. They’re exposing the enterprise outside of its firewalls and pushing it into customer devices, employee homes, and partner networks.

    More remote workers. Before COVID-19, only about 6% of employees worked from home. In May 2020, about 35% of them did.6 In the first six weeks of the 2020 lockdown, the percentage of attacks on home-based workers increased fivefold from 12% to 60%.7 One survey found that 51% of respondents saw an increase in email phishing after shifting to a remote working model.8

    For many workers, remote work is expected to remain the rule, not the exception, providing cybercriminals with many new opportunities. For example, outside of the safety of corporate firewalls and web security gateways, remote workers are easier to target. They rely on home networks and VPN connections and often use unsecured devices to access cloud-based apps and data. And legacy on-premises security equipment is typically designed to support enterprise-grade networks, not home-based internet access.

    As the enterprise extends into its employees’ homes, user behavior and data activity become more diverse and deviate from previous norms. With employees logging in from atypical locations and devices at unusual times, it can be more challenging to identify anomalous behaviors, potentially leading to an increase in false positives.

    Increase in network-connected devices. 5G, IoT, Wi-Fi 6, and other networking advances are driving an increase in network-connected devices. When seeking a soft attack vector, cybercriminals will be able to choose from a growing number of network-connected physical assets—29.3 billion by 2023, according to one estimate.9

    The unprecedented number of devices connected to these networks produce data that needs to be processed and secured, contributing to the data logjam in the SOC. It can be challenging to keep track of and manage active assets, their purpose, and their expected behavior, especially when they’re managed by service orchestrators.

    Rather than being centrally located and controlled, many of these devices are spread across various remote locations, operating in multiple edge environments where they collect data to send back to the enterprise. Without proper security precautions, devices can be compromised and continue to appear to operate normally on the network, essentially becoming intruder-controlled bots that can release malicious code or conduct swarm-based attacks.

    Broader ecosystem of third-party partners. An increasingly global supply chain and hosted data, infrastructure, and services have long contributed to third-party risk. And as more and more organizations integrate data with third-party applications, APIs are a growing security concern. Gartner predicts that by 2022, API abuses will become the enterprise’s most frequent attack vector.10

    Third-party breaches are growing in complexity. Five years ago, an intruder might use widely available malware to target specific computer systems, gain contractor credentials, and steal customer data—messy, to be sure, but with a clear source and the ability to monitor and remediate the damage.

    Such an attack pales in comparison to today’s sophisticated intrusions, in which information stolen from one company can be used to compromise thousands of its customers and suppliers. Supply chain attacks can do the same by exploiting the least-secure embedded components of complex supply networks. A breach with no boundaries can be nearly impossible to monitor and remediate, with active theft potentially continuing for many years.

    Adoption of 5G networks. 5G is expected to completely transform enterprise networks with new connections, capabilities, and services.But the shift to 5G’s mix of hardware- and distributed, software-defined networks, open architectures, and virtualized infrastructure will create new vulnerabilities and a larger attack surface, which will require more dynamic cyber protection.

    5G networks can support up to a million connected devices per square kilometer—compared to only 100,000 for 4G networks11—enabling highly scalable and densely connected environments of devices. By 2025, market watchers predict there will be 1.8 billion 5G mobile connections (excluding IoT), up from 500 million in 2021;12 and about 3.7 billion cellular IoT connections, up from about 1.7 million in 2020.13

    As public 5G networks expand, organizations in government, automotive, manufacturing, mining, energy, and other sectors have also begun to invest in private 5G networks that meet enterprise requirements for lower latency, data privacy, and secure wireless connectivity. From autonomous vehicles and drones to smart factory devices and mobile phones, an entire ecosystem of public and private 5G network–connected devices, applications, and services will create additional potential entry points for hackers. Each asset will need to be configured to meet specific security requirements. And with the increasing variety of devices, the network becomes more heterogenous and more challenging to monitor and protect.

    AI defense against today’s cyberthreats

    Expanding attack surfaces and the escalating severity and complexity of cyberthreats are exacerbated by a chronic shortage of cybersecurity talent. Employment in the field would have to grow by approximately 89% to eliminate the estimated global shortage of more than 3 million cybersecurity professionals.14 AI can help fill this gap.

    Accelerated threat detection. Threat detection was one of the earliest applications of cyber AI. It can augment existing attack surface management techniques to reduce noise and allow scarce security professionals to zero in on the strongest signals and indicators of compromise. It can also make decisions and take action more rapidly and focus on more strategic activities.

    Advanced analytics and machine learning platforms can quickly sift through the high volume of data generated by security tools, identify deviations from the norm, evaluate the data from the thousands of new connected assets that are flooding the network, and be trained to distinguish between legitimate and malicious files, connections, devices, and users.

    AI-driven network and asset mapping and visualization platforms can provide a real-time understanding of an expanding enterprise attack surface. They can identify and categorize active assets, including containerized assets, which can provide visibility into rogue asset behavior. Supply chain risk management software incorporating AI and machine learning can automate the processes of monitoring physical and digital supply chain environments and tracking the way assets are composed and linked.

    Force multiplier in containment and response. AI can also serve as a force multiplier that helps security teams automate time-consuming activities and streamline containment and response. Consider machine learning, deep learning, natural language processing, reinforcement learning, knowledge representation, and other AI approaches. When paired with automated evaluation and decision-making, AI can help analysts manage an escalating number of increasingly complex security threats and achieve scale.

    For example, like its predecessors, 5G is vulnerable to jamming attacks, in which attackers deliberately interfere with signal transfer. Researchers from the Commonwealth Cyber Initiatives at Virginia Tech and Deloitte, who are collaborating to understand 5G network security design and implementation, are working to identify low-level signal jamming before it brings down the network. By implementing an AI-based interference scheme and machine learning models, a real-time vulnerability assessment system was developed that could detect the presence of low-level signal interference and classify jamming patterns.15

    Automation can help maximize AI’s impact and shrink the time between detection and remediation. SOC automation platforms embedded with AI and machine learning can take autonomous, preventative action—for example, blocking access to certain data—and escalate issues to the SOC for further evaluation. When layered on top of the API management solutions that control API access, machine learning models trained on user access patterns can inspect all API traffic to uncover, report on, and act on anomalies in real time.

    Proactive security posture. Properly trained AI can enable a more proactive security posture and promote cyber resilience, allowing organizations to stay in operation even when under attack and reducing the amount of time an adversary is in the environment.

    For example, context-rich user behavior analytics can be combined with unsupervised machine learning algorithms to automatically examine user activities; recognize typical patterns in network activity or data access; identify, evaluate, and flag anomalies (and disregard false alarms); and decide if response or intervention is warranted. And by feeding intelligence to human security specialists and enabling them to actively engage in adversary pursuit, AI enables proactive threat hunting.

    Organizations can leverage AI and machine learning to automate areas such as security policy configuration, compliance monitoring, and threat and vulnerability detection and response. For instance, machine learning–driven privileged access management platforms can automatically develop and maintain security policies that help enforce zero-trust security models. By analyzing network traffic patterns, these models can distinguish between legitimate and malicious connections and make recommendations on how to segment the network to protect applications and workloads.

    Pairing vulnerability analysis and reinforcement learning, security specialists can generate attack graphs that model the structure of complex networks and reveal optimal attack routes, resulting in a better understanding of network vulnerabilities and reducing the number of staff required to conduct the testing. Similarly, cyberattack simulation tools can continuously mimic the tactics and procedures of advanced threats to highlight infrastructure vulnerabilities and routes for potential attack.

    Evolving the role of human security analysts. In one survey of security analysts, 40% said their biggest pain point was too many alerts; 47% said it was hard to know which alerts to prioritize for incident response.16 Another survey found that analysts increasingly believed their role was to reduce alert investigation time and the volume of alerts, rather than to analyze and remediate security threats. More than three-quarters of respondents reported an analyst turnover rate of more than 10%, with nearly half saying the rate was between 10% and 25%.17

    AI can’t replace human security professionals, but it can enhance their work and potentially lead to more job satisfaction. In the average SOC, AI and automation could eliminate the tedious functions of Tier 1 and Tier 2 analysts. (Tier 1 evaluates incoming data and decides to escalate problems, and Tier 2 responds to trouble tickets, assesses the scope of each threat, determines response and remediation actions, and escalates when required.) These analysts could be trained to function in more strategic roles that are more challenging to hire for, such as higher-level Tier 2 analysts and Tier 3 analysts who handle the thorniest security challenges and focus on proactively identifying and monitoring threats and vulnerabilities.

    A table-stakes weapon against future AI-driven cybercrimes

    The same features that make AI a valuable weapon against security threats—speedy data analysis, event processing, anomaly detection, continuous learning, and predictive intelligence—can also be manipulated by criminals to develop new or more effective attacks and detect system weaknesses.

    For example, researchers have used generative adversarial networks—two neural networks that compete against each other to create datasets similar to training data—to successfully crack millions of passwords.18 Similarly, an open-source, deep learning language model known as GPT-3 can learn the nuances of behavior and language. It could be used by cybercriminals to impersonate trusted users and make it nearly impossible to distinguish between genuine and fraudulent email and other communications.19 Phishing attacks could become far more contextual and believable.20

    Advanced adversaries can already infiltrate a network and maintain a long-term presence without being detected, typically moving slowly and discreetly, with specific targets. Add AI malware to the mix, and these intruders could learn how to quickly disguise themselves and evade detection while compromising many users and rapidly identifying valuable datasets.21

    Organizations can help prevent such intrusions by fighting fire with fire: With enough data, AI-driven security tools can effectively anticipate and counter AI-driven threats in real time. For example, security pros could leverage the same technique that researchers used to crack passwords to measure password strength or generate decoy passwords to help detect breaches.22 And contextual machine learning can be used to understand email users’ behaviors, relationships, and time patterns to dynamically detect abnormal or risky user behavior.23

    The way forward

    Humans and AI have been collaborating to detect and prevent breaches for some time, although many organizations are still in the early stages of using cyber AI. But as attack surfaces and exposure outside of traditional enterprise networks continue to grow, AI offers more.

    Approaches such as machine learning, natural language processing, and neural networks can help security analysts distinguish signal from noise. Using pattern recognition, supervised and unsupervised machine learning algorithms, and predictive and behavioral analytics, AI can help identify and repel attacks and automatically detect abnormal user behavior, allocation of network resources, or other anomalies. AI can be used to secure both on-premises architecture and enterprise cloud services, although securing workloads and resources in the cloud is typically less challenging than in legacy on-premises environments.

    On its own, AI (or any other technology, for that matter) isn’t going to solve today’s or tomorrow’s complex security challenges. AI’s ability to identify patterns and adaptively learn in real time as events warrant can accelerate detection, containment, and response; help reduce the heavy load on SOC analysts; and enable them to be more proactive. These workers will likely remain in high demand, but AI will change their roles. Organizations likely will need to reskill and retrain analysts to help change their focus from triaging alerts and other lower-level skills to more strategic, proactive activities. Finally, as the elements of AI- and machine learning–driven security threats begin to emerge, AI can help security teams prepare for the eventual development of AI-driven cybercrimes.

    Sections

    Lessons from the front lines

    Sapper Labs fights software with software

    To help Canadian and US military, government, and critical infrastructure operators solve security challenges, Sapper Labs Cyber Solutions provides cybersecurity thought leadership, intelligence, R&D, implementation, operational security platforms, and training support to solve complex problems. AI is an increasingly important tool in Sapper Labs’ technology toolkit.

    The Ottawa-based cyber defense firm—which takes its name from the military term for combat engineers who support ground troops through surveillance, scouting, defense engineering, and other proactive defensive activities—starts its projects with the premise that every network, system, and capability is already compromised, and that organizations simply don’t have the human resources to defend against or combat this. “The growth of the talent pipeline is not keeping pace with either the growth of the attack surface or the expansion of business and government innovation agendas, so we can't produce enough talent to protect our institutions and assets,” says Al Dillon, Sapper Labs’ cofounder and CEO. “That’s where AI comes in for an assist."24

    To that end, Sapper Labs is working with several Canadian and US security, defense, and intelligence organizations to create AI systems that aim to flex in real time with evolving threat tactics and procedures of our adversaries. These systems can do much more than inform decisions; they can learn how to defend themselves against threats, regardless of human engagement. “Today, cyber defenses that use machine learning, AI, and automation focus primarily on human-led cyber engagement,” says Dillon. “Because of the pace of today’s innovation and the proliferation of networks and devices, especially outside of the organization, we’re going to need embedded automated system capabilities.”

    Dillon says the collective goal for national security and defense organizations and other public and private sector organizations should be to shift toward military-grade, software-led engagement: AI-driven software defending—and fighting back against—AI-enabled adversaries. “We’re all under threat of attack by nation-state actors and other bad actors with equivalent intent, expertise, and tools,” he explains.

    For example, Sapper Labs and government agencies are developing a multilayered threat detection system that fuses information and data feeds from a variety of sources, known as all-source intelligence—from satellite-, land-, and sea-based sensors to digital sources such as social media and other public and private network information. Examining this data in the traditional manner might take human-led security teams months or even years. Automating the process of synthesizing this data and intelligence and applying algorithms to it enables evaluation and decision-making to take place 10 or even 15 times faster than with conventional methods. Within three years, Dillon expects cyber AI and automation technologies to have advanced so far that they will be able to evaluate intelligence, reach a conclusion, and make a decision 50 times faster than in the past.

    Therein, says Dillon, lies one of cyber AI’s toughest problems. “Overcoming the people, societal, and cultural challenges to cyber AI will be far more difficult than solving technology problems,” he says. “The biggest hill to climb will be getting people to trust decisions made by AI when they’re more comfortable with decisions made by human leaders, even if it takes 50 times longer to get those decisions.”

    Education is one of the keys to building this trust. Through partnerships with other private companies, public-sector organizations, and academic institutions, Sapper Labs is working to help build awareness of automated cybersecurity more broadly. “We’re in an exciting transition in terms of technology adoption and innovation, but it’s alarming that we don’t fully understand the societal impact with regards to defending national security, personal data, intellectual property, and other crown jewels,” Dillon says. “We have to internalize that AI-enabled security platforms may become the only way that we can stay ahead of the bad actors.”

    My Take

    Mike Chapple, information security leader and IT, analytics, and operations teaching professor, University of Notre Dame

    Over the last year, the nature of cybersecurity attacks has transformed. Previously, one of the main concerns for an organization would have been ransomware attacks, wherein bad actors would gain access to enterprise data through phishing or internet malware, and then encrypt that data to hold it for ransom. Such attacks were opportunistic because criminals would take advantage of whoever fell prey to malware, and they didn’t always succeed if organizations were prepared with data backups.

    The stakes are now higher because bad actors are engaging in organized crime, akin to cyberwarfare by nation-states. We’ve seen hospitals targeted during COVID-19 outbreaks, pipelines unable to deliver fuel, and other highly targeted attacks. The bad actors’ new paradigm is to present two extortion threats on stolen enterprise data: holding the data hostage and threatening to leak sensitive information, including customer records and intellectual property. Such threats are especially salient for large organizations, which have the money and data desired by cybercriminals. Moreover, the attack surface for such crimes is ever-expanding as trends such as the adoption of 5G mobile networks and work-from-home policies push enterprise technology beyond its traditional borders.

    How can organizations respond to this atmosphere of heightened risk? They have two options: hire more people, which is difficult because of the burgeoning skills gap in the talent market, or rely on AI, automation, and analytics to detect and respond to threats in real time. Due to recent shifts in technology, the latter option—cyber AI—is becoming increasingly effective.

    The intersection of AI and cybersecurity has been talked about for nearly a decade. Until now, those conversations revolved around buzzwords and rule-based products. Thanks to advances in compute power and storage capacity, we now see cybersecurity vendors starting to truly incorporate machine learning and AI into their products. Today, large enterprises can rely on such vendors to advance threat intelligence.

    Premier cybersecurity vendors have deployments across many enterprises, which serve as sensors for picking up data. By applying AI to the anonymized data from each customer, vendors can use the threat data from one organization to look for signs of similar breaches elsewhere. The network effects can be exponential: The bigger and more diverse the dataset, the more these vendors’ detection improves, and the greater their protection. For this reason, medium and large enterprises alike could benefit from working with managed service providers. Or, alternately, they can have their data science and cybersecurity teams work together to train AI models in their own cybersecurity warehouses.

    Today’s computing power allows the development of sophisticated user and entity behavior analytics (UEBA) that detect signatures of bad actors or deviations from normal behavior. UEBA might flag a user who is detected downloading terabytes of data on a Saturday morning—certainly not a habit. By connecting these profiles and patterns, threats can be identified in a far more refined manner.

    While these signals always existed, it was previously impractical to analyze them and draw meaningful patterns. Now, these AI-flagged threats can be fed into security orchestration, automation, and response (SOAR) platforms, which can shut down access or take any other immediate actions.

    The history of cybersecurity, and really any type of security, is an age-old game of cat and mouse. Just as we develop AI tools to protect ourselves, antagonists are developing AI to further complicate their attacks. Nation-states are already entering this territory, and we may see more from private cybercrime actors in the next 18 to 24 months. If organizations don’t want to be a victim, they’ll want to act now to future-proof their users, systems, and data by seeking out opportunities for AI support. When the nature of cyberattacks inevitably transforms again, they can be ready.

    Are you ready?

    1. How has your enterprise attack surface expanded due to an increase in remote workers, network-connected devices, and third-party risk, and what steps are you taking to protect it?
    2. How are you currently using AI tools to detect, contain, and respond to cyberthreats? In which areas can the use of AI be expanded to create a more proactive security posture?
    3. Do you have the skill sets and organizational structure needed to meet your cybersecurity objectives today? In two years? How do you plan to acquire these skills?

    Learn more

    Download the trend to explore more insights, including the “Executive perspectives” that illuminate the strategy, finance, and risk implications of each trend. And check out these links for related content:

    • 2021 Future of cyber surveyGain insight from nearly 600 global C-level executives who have visibility into the cybersecurity functions of their organizations.

    1. Steve Morgan, “Cybercrime to cost the world $10.5 trillion annually by 2025 ,” Cybersecurity Ventures, November 13, 2020.View in Article
    2. IBM, Cost of a data breach report 2021 , accessed November 17, 2021.View in Article
    3. Ibid.View in Article
    4. CNBC, “Cybercrime could cost $10.5 trillion dollars by 2025, according to Cybersecurity Ventures ,” March 9, 2021.View in Article
    5. PR Newswire, “Artificial intelligence-based cybersecurity market grows by $19 billion during 2021-2025 ,” June 21, 2021.View in Article
    6. NCCI, “Remote work before, during, and after the pandemic: Quarterly economics briefing—Q4 2020 ,” January 25, 2021.View in Article
    7. Jasper Jolly, “Huge rise in hacking attacks on home workers during lockdown ,” Guardian, May 24, 2020.View in Article
    8. Fleming Shi, “Surge in security concerns due to remote working during COVID-19 crisis ,” Barracuda, May 6, 2020.View in Article
    9. Cisco, Cisco annual internet report (2018–2023) white paper , accessed November 17, 2021.View in Article
    10. Gartner, “API security: What you need to do to protect your APIs ,” accessed November 17, 2021.View in Article
    11. David Flower, “5G and the new age of fraud ,” Forbes, December 30, 2020.View in Article
    12. GSMA, The mobile economy , accessed November 17, 2021.View in Article
    13. Steve Rogerson, “Cellular IoT connections grew 12% in 2020, says Berg ,” IoT M2M Council, August 4, 2021.View in Article
    14. (ISC)², “(ISC)² study reveals the cybersecurity workforce has grown to 3.5 million professionals globally ,” accessed November 17, 2021.View in Article
    15. Wendy Frank (Cyber 5G leader at Deloitte & Touche LLP), interview, October 1, 2021.View in Article
    16. Palo Alto Networks, The state of incident response 2017 , accessed November 17, 2021.View in Article
    17. Critical Start, The impact of security alert overload , accessed November 17, 2021.View in Article
    18. Matthew Hutson, “Artificial intelligence just made guessing your password a whole lot easier ,” Science, September 15, 2017.View in Article
    19. Lily Hay Newman, “AI wrote better phishing emails than humans in a recent test ,” Wired, July 2021.View in Article
    20. William Dixon and Nicole Eagan, “3 ways AI will change the nature of cyber attacks ,” World Economic Forum, June 19, 2019.View in Article
    21. Ibid.View in Article
    22. Matthew Hutson, “Artificial intelligence just made guessing your password a whole lot easier .”View in Article
    23. Tony Pepper, “Why contextual machine learning is the fix that zero-trust email security needs ,” Help Net Security, February 16, 2021.View in Article
    24. Al Dillon (cofounder and CEO, Sapper Labs Cyber Solutions), phone interview with authors, October 19, 2021.
      View in Article

    Senior contributors

    Wil Rockall

    Partner | Deloitte LLP

    Jan Vanhaecht

    Partner | Deloitte Belgium CVBA

    Sam Holmes

    Senior manager | Deloitte LLP

    Ryan Lindeman

    Senior manager | Deloitte & Touche LLP

    PaPa Yin Minn

    Specialist master | Deloitte Tohmatsu Cyber LLC

    Cover image by Bose Collins.

    Technology

    Today, business and technology are inextricably linked. And keeping pace with the emerging technology landscape can be difficult for even the most tech-savvy leaders. Deloitte can help. Our technology professionals have deep experience applying technologies to help you achieve your business goals.

    Scott Buchholz

    Scott Buchholz

    Managing Director | Deloitte Consulting LLP

    Subscribe

    to receive more business insights, analysis, and perspectives from Deloitte Insights