Machine learning (ML) and artificial intelligence (AI) are in the process of changing almost every aspect of our lives. My last post focused on how AI can be used to help businesses manage their IT environments better. This post will look at the impact ML has on security.
The biggest challenge with cybersecurity is that it’s hard and getting more difficult. Despite spending billions of dollars on security tools to help fight the bad guys, businesses are actually falling behind. A recent study from the Ponemon research group found that the mean time to identify a breach was 197 days and another 69 days to contain the breach.
My research shows that this number has actually increased over the past five years as environments have become more complex. Looking ahead, trends like the cloud, containers and the internet of things will only add to the chaos that is corporate IT and those numbers (197 and 69) will continue to rise if things don’t change.
One of the problems in cybersecurity is that the focus of the tools is incomplete. We have many tools that only protect company borders. While this is a key requirement, it’s insufficient.
Security That Focuses on Finding Breaches Isn't Totally Effective
Then there are the security technologies that are focused on finding breaches. As the Ponemon study has found, these generally don’t work. The main cause is that they try and show the security administrator everything, and it’s up to that person to decide what to act on and what to ignore. For example, the breach at Target in December 2013 was seen by the company’s security tool several days earlier, but it was buried in thousands of other messages and went ignored.
An even bigger challenge is that all of these classes of tools have their own management frameworks and dashboards, and it’s up to a human to correlate the information across all of them. In essence, there is no single source of truth. Multiple “single panes of glass” don’t solve problems; they just create havoc, because there is far too much data today for people to connect the dots between them in order to make sense of them.
Recently I ran across a startup called Red Lambda that offers an AI-based security tool called MetaGrid. I have been particularly bullish on AI-based security for some time. As a I mentioned above, legacy tools can’t keep up because there is too much data for people to manually analyze. Machines can do this far better than people and can spot even the smallest anomalies that can indicate a breach.
Also, the threat actors today are using AI as a way of attacking businesses so security teams need to use AI to “fight fire with fire.” Our military goes into battle with the latest technology, and security teams should think the same way.
Red Lambda’s flagship product, MetaGrid is an AI-based tool that can spot threats as they happen through real-time analysis of streaming telemetry. The MetaGrid dashboard is intuitive; it automatically scores and prioritizes high-risk incidents for immediate remediation. Red Lambda virtually eliminates false positives by using AI instead of the old, outdated signature methodology, which threat actors have learned to avoid. AI can find the smallest anomalies in the behavior of endpoints, allowing the tool to find the “low and slow” breaches that have historically been impossible to find.
Finding Risks Based on Behavior
Recently I interviewed a security professional for a government agency that is using Red Lambda as part of their next-generation security strategy. Due to the sensitive nature of the topic and the risk the data below could pose, both the interviewee and the department wished to remain anonymous. To date, this agency has spent tens millions on security, and with the tools it has, it is three times better than the industry but still far too slow.
MetaGrid works in what was described as “stream time,” in which the telemetry data is constantly being analyzed, enabling risks to be found based on behaviors. MetaGrid prioritizes the risks, so the security operations center (SOC) administrator knows which ones to immediately kill and which ones can be isolated and monitored for research purposes.
The benefit of the AI-based system is that it gets better as time goes on. Like all AI-based products, MetaGrid uses training data to teach the AI. When MetaGrid is first installed, it does show some false positives, but as those are trained out of the system, it gets more and more accurate to the point where false positives are eliminated.
AI-based solutions are on the rise, but the feature this agency believes set Red Lambda apart was its graphical front end. The product is so easy to use that personnel who do not have a cybersecurity background are able to use it in less than a day. Risks show up as red and in a few mouse clicks, the source is identified and the security team can immediately remediate.
Why MetaGrid Works Only with Windows at This Point
I asked the interviewee what the product was missing, and he told me that MetaGrid only works with Windows endpoints. This is fine for now, because 85 percent of the breaches that occur in this organization happen on Windows devices. My research shows that this is the consistent with industry data. The use of Android endpoints is growing and is a distant second to Windows with respect to risk. I discussed this with Red Lambda’s founder, Chairman and President, Bahram Yusefzadeh, and Android is on the roadmap, but the company strategically set out to nail the more prolific Windows challenge first.
While Red Lambda’s focus on Windows logs only might seem like a gap in the product, it’s actually one of the thing things the agency liked most. They have many security tools that try and be “Swiss army knives” and do a mediocre job at multiple things. By focusing only on Windows, Meta Grid has virtually eliminated the risks coming from the largest threat vector.
The experience this agency has had with Red Lambda is a good lesson for other security professionals to think about cybersecurity differently. Protecting a business is no longer about only having security products at various points in the network. Those are still required, but breaches are going to happen, and when they do, it’s important to find a tool that can see them at the endpoint in real time to remediate it before it becomes harmful to the business.
Without it, SOC operations just react to breaches long after they have infiltrated the organization, and by that time, it’s often too late to avoid irreparable damage. The only way this can be done today and into the future is with ML-based tools that can see things in real time, becausepeople can no longer correlate information fast enough.
Zeus Kerravala is founder of ZK Research.