Meanwhile, the cost of cybercrime continues to climb; it’s expected to double from US$3 trillion in 2015 to US$6 trillion by the end of 2021 and grow to US$10.5 trillion by 2025.1 The average cost of a single data breach in 2021 was US$4.24 million,2 a 10% increase from 2019.3 According to insurer AIG, ransomware claims alone have grown 150% since 2018.4
It’s time to call for AI backup. Cyber AI can be a force multiplier that enables organizations not only to respond faster than attackers can move, but also to anticipate these moves and react to them in advance. Cyber AI technology and tools are in the early stages of adoption; the global market is expected to grow by US$19 billion between 2021 and 2025.5
AI’s ability to adaptively learn and detect novel patterns can accelerate detection, containment, and response, easing the burden on SOC analysts and allowing them to be more proactive. Bonus: It can help organizations prepare for the eventual development of AI-driven cybercrimes.
Expanding enterprise attack surfaces
Organizations’ attack surfaces are exponentially expanding. As discussed in The tech stack goes physical, the adoption of 5G networks and an increase in network connections, together with a more distributed workforce and a broadening partner ecosystem, may present new risks. They’re exposing the enterprise outside of its firewalls and pushing it into customer devices, employee homes, and partner networks.
More remote workers. Before COVID-19, only about 6% of employees worked from home. In May 2020, about 35% of them did.6 In the first six weeks of the 2020 lockdown, the percentage of attacks on home-based workers increased fivefold from 12% to 60%.7 One survey found that 51% of respondents saw an increase in email phishing after shifting to a remote working model.8
For many workers, remote work is expected to remain the rule, not the exception, providing cybercriminals with many new opportunities. For example, outside of the safety of corporate firewalls and web security gateways, remote workers are easier to target. They rely on home networks and VPN connections and often use unsecured devices to access cloud-based apps and data. And legacy on-premises security equipment is typically designed to support enterprise-grade networks, not home-based internet access.
As the enterprise extends into its employees’ homes, user behavior and data activity become more diverse and deviate from previous norms. With employees logging in from atypical locations and devices at unusual times, it can be more challenging to identify anomalous behaviors, potentially leading to an increase in false positives.
Increase in network-connected devices. 5G, IoT, Wi-Fi 6, and other networking advances are driving an increase in network-connected devices. When seeking a soft attack vector, cybercriminals will be able to choose from a growing number of network-connected physical assets—29.3 billion by 2023, according to one estimate.9
The unprecedented number of devices connected to these networks produce data that needs to be processed and secured, contributing to the data logjam in the SOC. It can be challenging to keep track of and manage active assets, their purpose, and their expected behavior, especially when they’re managed by service orchestrators.
Rather than being centrally located and controlled, many of these devices are spread across various remote locations, operating in multiple edge environments where they collect data to send back to the enterprise. Without proper security precautions, devices can be compromised and continue to appear to operate normally on the network, essentially becoming intruder-controlled bots that can release malicious code or conduct swarm-based attacks.
Broader ecosystem of third-party partners. An increasingly global supply chain and hosted data, infrastructure, and services have long contributed to third-party risk. And as more and more organizations integrate data with third-party applications, APIs are a growing security concern. Gartner predicts that by 2022, API abuses will become the enterprise’s most frequent attack vector.10
Third-party breaches are growing in complexity. Five years ago, an intruder might use widely available malware to target specific computer systems, gain contractor credentials, and steal customer data—messy, to be sure, but with a clear source and the ability to monitor and remediate the damage.
Such an attack pales in comparison to today’s sophisticated intrusions, in which information stolen from one company can be used to compromise thousands of its customers and suppliers. Supply chain attacks can do the same by exploiting the least-secure embedded components of complex supply networks. A breach with no boundaries can be nearly impossible to monitor and remediate, with active theft potentially continuing for many years.
Adoption of 5G networks. 5G is expected to completely transform enterprise networks with new connections, capabilities, and services.But the shift to 5G’s mix of hardware- and distributed, software-defined networks, open architectures, and virtualized infrastructure will create new vulnerabilities and a larger attack surface, which will require more dynamic cyber protection.
5G networks can support up to a million connected devices per square kilometer—compared to only 100,000 for 4G networks11—enabling highly scalable and densely connected environments of devices. By 2025, market watchers predict there will be 1.8 billion 5G mobile connections (excluding IoT), up from 500 million in 2021;12 and about 3.7 billion cellular IoT connections, up from about 1.7 million in 2020.13
As public 5G networks expand, organizations in government, automotive, manufacturing, mining, energy, and other sectors have also begun to invest in private 5G networks that meet enterprise requirements for lower latency, data privacy, and secure wireless connectivity. From autonomous vehicles and drones to smart factory devices and mobile phones, an entire ecosystem of public and private 5G network–connected devices, applications, and services will create additional potential entry points for hackers. Each asset will need to be configured to meet specific security requirements. And with the increasing variety of devices, the network becomes more heterogenous and more challenging to monitor and protect.
AI defense against today’s cyberthreats
Expanding attack surfaces and the escalating severity and complexity of cyberthreats are exacerbated by a chronic shortage of cybersecurity talent. Employment in the field would have to grow by approximately 89% to eliminate the estimated global shortage of more than 3 million cybersecurity professionals.14 AI can help fill this gap.
Accelerated threat detection. Threat detection was one of the earliest applications of cyber AI. It can augment existing attack surface management techniques to reduce noise and allow scarce security professionals to zero in on the strongest signals and indicators of compromise. It can also make decisions and take action more rapidly and focus on more strategic activities.
Advanced analytics and machine learning platforms can quickly sift through the high volume of data generated by security tools, identify deviations from the norm, evaluate the data from the thousands of new connected assets that are flooding the network, and be trained to distinguish between legitimate and malicious files, connections, devices, and users.
AI-driven network and asset mapping and visualization platforms can provide a real-time understanding of an expanding enterprise attack surface. They can identify and categorize active assets, including containerized assets, which can provide visibility into rogue asset behavior. Supply chain risk management software incorporating AI and machine learning can automate the processes of monitoring physical and digital supply chain environments and tracking the way assets are composed and linked.
Force multiplier in containment and response. AI can also serve as a force multiplier that helps security teams automate time-consuming activities and streamline containment and response. Consider machine learning, deep learning, natural language processing, reinforcement learning, knowledge representation, and other AI approaches. When paired with automated evaluation and decision-making, AI can help analysts manage an escalating number of increasingly complex security threats and achieve scale.
For example, like its predecessors, 5G is vulnerable to jamming attacks, in which attackers deliberately interfere with signal transfer. Researchers from the Commonwealth Cyber Initiatives at Virginia Tech and Deloitte, who are collaborating to understand 5G network security design and implementation, are working to identify low-level signal jamming before it brings down the network. By implementing an AI-based interference scheme and machine learning models, a real-time vulnerability assessment system was developed that could detect the presence of low-level signal interference and classify jamming patterns.15
Automation can help maximize AI’s impact and shrink the time between detection and remediation. SOC automation platforms embedded with AI and machine learning can take autonomous, preventative action—for example, blocking access to certain data—and escalate issues to the SOC for further evaluation. When layered on top of the API management solutions that control API access, machine learning models trained on user access patterns can inspect all API traffic to uncover, report on, and act on anomalies in real time.
Proactive security posture. Properly trained AI can enable a more proactive security posture and promote cyber resilience, allowing organizations to stay in operation even when under attack and reducing the amount of time an adversary is in the environment.
For example, context-rich user behavior analytics can be combined with unsupervised machine learning algorithms to automatically examine user activities; recognize typical patterns in network activity or data access; identify, evaluate, and flag anomalies (and disregard false alarms); and decide if response or intervention is warranted. And by feeding intelligence to human security specialists and enabling them to actively engage in adversary pursuit, AI enables proactive threat hunting.
Organizations can leverage AI and machine learning to automate areas such as security policy configuration, compliance monitoring, and threat and vulnerability detection and response. For instance, machine learning–driven privileged access management platforms can automatically develop and maintain security policies that help enforce zero-trust security models. By analyzing network traffic patterns, these models can distinguish between legitimate and malicious connections and make recommendations on how to segment the network to protect applications and workloads.
Pairing vulnerability analysis and reinforcement learning, security specialists can generate attack graphs that model the structure of complex networks and reveal optimal attack routes, resulting in a better understanding of network vulnerabilities and reducing the number of staff required to conduct the testing. Similarly, cyberattack simulation tools can continuously mimic the tactics and procedures of advanced threats to highlight infrastructure vulnerabilities and routes for potential attack.
Evolving the role of human security analysts. In one survey of security analysts, 40% said their biggest pain point was too many alerts; 47% said it was hard to know which alerts to prioritize for incident response.16 Another survey found that analysts increasingly believed their role was to reduce alert investigation time and the volume of alerts, rather than to analyze and remediate security threats. More than three-quarters of respondents reported an analyst turnover rate of more than 10%, with nearly half saying the rate was between 10% and 25%.17
AI can’t replace human security professionals, but it can enhance their work and potentially lead to more job satisfaction. In the average SOC, AI and automation could eliminate the tedious functions of Tier 1 and Tier 2 analysts. (Tier 1 evaluates incoming data and decides to escalate problems, and Tier 2 responds to trouble tickets, assesses the scope of each threat, determines response and remediation actions, and escalates when required.) These analysts could be trained to function in more strategic roles that are more challenging to hire for, such as higher-level Tier 2 analysts and Tier 3 analysts who handle the thorniest security challenges and focus on proactively identifying and monitoring threats and vulnerabilities.
A table-stakes weapon against future AI-driven cybercrimes
The same features that make AI a valuable weapon against security threats—speedy data analysis, event processing, anomaly detection, continuous learning, and predictive intelligence—can also be manipulated by criminals to develop new or more effective attacks and detect system weaknesses.
For example, researchers have used generative adversarial networks—two neural networks that compete against each other to create datasets similar to training data—to successfully crack millions of passwords.18 Similarly, an open-source, deep learning language model known as GPT-3 can learn the nuances of behavior and language. It could be used by cybercriminals to impersonate trusted users and make it nearly impossible to distinguish between genuine and fraudulent email and other communications.19 Phishing attacks could become far more contextual and believable.20
Advanced adversaries can already infiltrate a network and maintain a long-term presence without being detected, typically moving slowly and discreetly, with specific targets. Add AI malware to the mix, and these intruders could learn how to quickly disguise themselves and evade detection while compromising many users and rapidly identifying valuable datasets.21
Organizations can help prevent such intrusions by fighting fire with fire: With enough data, AI-driven security tools can effectively anticipate and counter AI-driven threats in real time. For example, security pros could leverage the same technique that researchers used to crack passwords to measure password strength or generate decoy passwords to help detect breaches.22 And contextual machine learning can be used to understand email users’ behaviors, relationships, and time patterns to dynamically detect abnormal or risky user behavior.23
The way forward
Humans and AI have been collaborating to detect and prevent breaches for some time, although many organizations are still in the early stages of using cyber AI. But as attack surfaces and exposure outside of traditional enterprise networks continue to grow, AI offers more.
Approaches such as machine learning, natural language processing, and neural networks can help security analysts distinguish signal from noise. Using pattern recognition, supervised and unsupervised machine learning algorithms, and predictive and behavioral analytics, AI can help identify and repel attacks and automatically detect abnormal user behavior, allocation of network resources, or other anomalies. AI can be used to secure both on-premises architecture and enterprise cloud services, although securing workloads and resources in the cloud is typically less challenging than in legacy on-premises environments.
On its own, AI (or any other technology, for that matter) isn’t going to solve today’s or tomorrow’s complex security challenges. AI’s ability to identify patterns and adaptively learn in real time as events warrant can accelerate detection, containment, and response; help reduce the heavy load on SOC analysts; and enable them to be more proactive. These workers will likely remain in high demand, but AI will change their roles. Organizations likely will need to reskill and retrain analysts to help change their focus from triaging alerts and other lower-level skills to more strategic, proactive activities. Finally, as the elements of AI- and machine learning–driven security threats begin to emerge, AI can help security teams prepare for the eventual development of AI-driven cybercrimes.