
Are you protected?

How to answer this question? More precisely, how to answer it correctly? In today's world, cyber threats rank second only to natural disasters. How well are we protected from cyberattacks today? Cybercrime reached trillions of dollars in 2023, with over 33 billion records/personal data stolen by cybercriminals. Cyberattacks occur every 39 seconds globally, and the number of job openings in the field of information security is continuously growing.

Whatever a company does, its activities today can be reduced to data processing and storage. Every company today is primarily a digital asset. There is no industry where computers, networks, and the internet are not used. Everything is digital now. The world's largest bank does not actually have cash—it's a cryptocurrency exchange portal. The world's largest taxi fleet does not own cars—Uber. Finally, the world's largest hotel chain does not own real estate—Airbnb.

Think about your company. Whatever you do, you are part of the digital world and, therefore, of the information security threats.

Q: So, how well do you protect your digital data and your business?

I interviewed information security experts and IT infrastructure and development leaders to find out what actions should be taken when an attack or the first signs of an attack are detected. I asked them all the same question: what would they do upon discovering a compromised server, computer, router, etc.? Surprisingly, their answers matched mine: "You need to isolate the compromised machine by disconnecting it from the network for further investigation." Understand that all you need to do is shut down the network port on the attacked object, and according to experts, this will prevent 90% of all attacks.

Q: Sounds simple and effective, doesn't it?

Effective? Yes, but is it that simple? Let's figure it out.

Today, many systems help us fight cybercrime: antivirus and endpoint detection and response (EDR), firewalls, security information and event management systems (SIEM), and security operations centers and incident response platforms (SOC, SOAR). Look at how many there are and how beautifully they are named: Firewall, EDR, MDR, XDR, NDR, SIEM, SOC, SOAR.

The main weakness of all existing information security systems is their reliance on signature or pattern-based detection. There are systems that perform behavioral and heuristic analysis. But how do you deal with living-off-the-land attacks, where attackers use legitimate programs to perform malicious actions on the target system? Or with a disgruntled employee who decides to leak important data before quitting? No system can detect such actions.

Q: How to deal with zero-day vulnerabilities?

Nowadays, the problem is not even zero-day vulnerabilities, but first- and second-day ones. All systems are based on a vulnerability database that needs to be constantly updated, and it can take a company a day or two to apply an update. During this period, we always lag behind, and we are vulnerable. In two days, attackers can establish a foothold (Command and Control), secure themselves in the system, clean up traces of the hack, and, without the risk of detection, continue studying the compromised infrastructure. Two days is a very optimistic period. According to Secure Lab News, the average global time to detect an attack is 45 days. Just think about what can be done with your data during this period of time.

Cyber Security Expenses

A mid-size company with an infrastructure of 2000 computers and servers spends an average of about 200,000 US dollars on information security. So how do you answer the question of how well security is ensured for that money?

You buy antivirus software, install a firewall, and implement monitoring, detection, and response systems to cyberattacks. You hire staff to monitor and oversee your system. Appoint a manager who manages human and technical resources. Everything seems to be according to the book, all according to the rules and best practices, and you are confident that your systems and data are protected.

Q: But will your company really be protected after implementing the basic information security procedures?

You have doubts and continue checking the reliability of the security system. You conduct a penetration test, identify vulnerabilities in your system, eliminate them, and, as a result of all the procedures, receive reports with nice graphs every month (hopefully every month). Information security specialists report that everything is under control in the company.

Q: But again, the question arises: Is the company reliably protected after penetration tests and by eliminating vulnerabilities?

Hackers never sleep, vulnerabilities appear constantly.

Let's analyze a typical working day of a department or an individual responsible for information security. An information security employee or team works five days a week from 9:00 AM to 6:00 PM with a lunch break, a standard workweek of 40 hours. During this time, the team or individual monitors all sorts of alerts and messages from the systems. Upon receiving any alerts, they take action to prevent attacks. At first glance, this looks safe. Even assuming that your department or individual continuously monitors and responds to potential incidents 40 hours a week, there remain 128 hours a week when your systems are unsupervised.

Q: What about 24/7 system monitoring, you ask?

Yes, you can organize shifts of employees who will monitor your system 24/7 with red eyes. If you're employed at such a company and can manage to sustain such a workforce, I envy you. No company can afford to keep a team 24/7 solely for monitoring information systems without compromising other processes. Practice shows that monitoring engineers also perform other functions in parallel; hence, there is always a risk that a person, being human, will simply miss something important, fail to track, or consider it unimportant and engage in a more interesting task. If you have read this far, you are familiar with this situation.

Q: What about Security Operation Center as a service, you ask?

If you can afford Security Operation Center as a service, I envy you twice, but then your budget for information security is automatically doubled. The sad part is that even by delegating the responsibility for your system to a third-party company, you cannot guarantee that your systems and data are protected. The reason is simple: the SOC is staffed by people, just like your own team. Moreover, people who do not fully understand your infrastructure will monitor your system.

Q: How is SOC different from your own 24/7 shift?

In terms of round-the-clock monitoring, nothing is different. In terms of mistakes that people can make, nothing. In terms of monitoring quality, SOC is much better because it is assumed that your systems will be managed by experts. But what if I ask you how many companies your SOC serves at the moment? What priority does your company have compared to other companies served by this SOC? What if the SOC team, consisting of 100 people who are supposedly much more effective than your own team, serves or tries to protect the infrastructure of more than 100 similar companies? On average, that leaves you with one employee. Can one person monitor your IT infrastructure 24/7, and are you ready to pay real money for this illusory security? It looks like we are buying a false sense of security for real money.

Q: What to do, what is the way out?

Robots work, not humans—words from a childhood song of mine. Isn't this the ideal scenario for applying artificial intelligence to replace humans in this monotonous, tedious, but very important function, such as round-the-clock monitoring of your data? Nowadays, everyone is trying to replace, for example, a call center agent with a virtual robot based on artificial intelligence. If earlier these were simple bots answering standard phrases, now a virtual call center agent can respond with a certain mood, intonation, without accent, nervousness, and irritability, giving more professional answers than the best employee of your call center.

Q: Why not create a robot that knows your infrastructure, as well as your infrastructure teams, network administrators, developers, and support managers, know it?

A robot that can replace a 24/7 shift of employees: one that never sleeps, does not get tired, does not miss anything important, and truly does not give you a false sense of security. Teach artificial intelligence to understand what is happening in the network, how network devices interact with each other, and what constitutes normal office work during the workday, on weekends, and at night. What if we teach the robot to monitor our logs, read emails, detect any anomalies in the infrastructure, and, after multi-level verification, perform specific actions to prevent attacks? Namely, perform actions.

Isn't this the main duty of the information security service—round-the-clock monitoring, detection, and response to possible threats? Namely, perform actions, not just send another attack message or SMS, as SOC or SOAR service providers often do. We absolutely need someone to respond to a cyber threat when we cannot do it ourselves.

Q: What if the robot can shut down a critical service based on positive event analysis? What if shutting down the service causes more damage to the company than if we didn't respond at all?

Let's analyze the main problems of integrating artificial intelligence (AI) into our tasks. In the context of monitoring, tracking, and automatically responding to cyber threats, they include the following:

  • False positives: A high level of false positives can lead to real threats being missed among many false signals. This is similar to the problems faced by classic monitoring systems such as SIEM, SOC, or SOAR.
  • Missing threats: There is a possibility that AI will not detect some types of threats, especially new and unknown ones. This issue is also relevant for traditional monitoring methods.
  • Training on limited data: Effective AI training requires large amounts of data, which can be challenging in the case of rare or new threats. The advantage of using your own artificial intelligence model lies in the fact that it only requires information about the normal operation of your infrastructure to determine its baseline. Any attack will inevitably manifest as a deviation/anomaly from this normal baseline state. Such analysis does not require significant computational resources.

Data Confidentiality

Using data for training and operating AI can pose risks to confidentiality if the data is not properly protected. This applies to SOC or SOAR, where data confidentiality can also be at risk. Remember that when you train your own AI, the data remains with you.

AI Vulnerabilities

AI itself can be the target of attacks, such as data poisoning or substitution attacks. This is a significant challenge for both this task and integrating artificial intelligence into other business processes. Artificial intelligence requires the same level of protection as any other critical IT service—confidentiality, integrity, and availability are all crucial.

Transparency of Decisions

Decisions made by AI are often "black boxes," making it difficult to explain and verify them. We must control the scenario in which conditions for specific actions are described, ensuring the system is trained to minimize your risks. Playbooks, testing, and multi-level verification can assist with this.
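
A minimal sketch of the two ideas above, the baseline of normal operation from the "Training on limited data" item and the playbook with multi-level verification from this section. It is an example added here, not code from the article or from any product; the function names, the threshold, the hostnames and the sample counts are assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample: outbound connections per hour from one workstation over
# four weeks, as (weekday, hour, count). Illustrative values, not real telemetry.
HISTORY = [(1, 3, 2), (1, 3, 3), (1, 3, 2), (1, 3, 4),
           (1, 10, 120), (1, 10, 130), (1, 10, 110), (1, 10, 125)]

def build_baseline(history):
    """Learn 'normal' per time slot: {(weekday, hour): (median, MAD)}."""
    slots = {}
    for weekday, hour, count in history:
        slots.setdefault((weekday, hour), []).append(count)
    baseline = {}
    for slot, counts in slots.items():
        med = median(counts)
        baseline[slot] = (med, median(abs(c - med) for c in counts))
    return baseline

def anomaly_score(baseline, weekday, hour, count):
    """Robust z-score against the slot's baseline; unseen slots count as (0, 0)."""
    med, mad = baseline.get((weekday, hour), (0, 0))
    # 1.4826 scales MAD to a standard deviation; +1 keeps flat baselines finite.
    return abs(count - med) / (1.4826 * mad + 1.0)

def decide(host, scores, critical_hosts, threshold=6.0):
    """Playbook gate. scores: {detector_name: anomaly score}.
    Multi-level verification: act only when two independent detectors agree,
    and never auto-isolate a host whose outage would cost more than the attack."""
    confirmed = [name for name, s in scores.items() if s >= threshold]
    if not confirmed:
        return "log"
    if len(confirmed) < 2:
        return "alert"      # one signal only: notify, take no action
    if host in critical_hosts:
        return "escalate"   # page a human instead of shutting the service
    return "isolate"        # shut the host's network port

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    night = anomaly_score(base, 1, 3, 400)   # Tuesday 03:00, far above normal
    day = anomaly_score(base, 1, 10, 135)    # Tuesday 10:00, ordinary load
    print(round(night, 1), round(day, 1))
    print(decide("ws-17", {"netflow": night, "auth_log": 9.0}, {"erp-db"}))
    print(decide("erp-db", {"netflow": night, "auth_log": 9.0}, {"erp-db"}))
```

Because every outcome comes from an explicit rule in `decide`, the reason for an isolation or an escalation can be read back from the scores that triggered it.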

Compatibility with Existing Systems

AI systems must be compatible with the organization's existing technologies, applications, and cybersecurity processes. Effective use of AI requires integration with existing workflows and cybersecurity infrastructure, which is also relevant for SOC and SOAR.

High Computational Costs

Training and using complex AI models require significant computational resources, which can be expensive and not always available. However, a private AI model focused solely on your infrastructure does not require significant computational power.

Conclusion

Artificial intelligence can significantly reduce the workload on the information security team through round-the-clock monitoring and faster, more accurate threat response. Monotonous and accuracy-demanding tasks are performed more efficiently and precisely by robots than humans. AI allows you to create a system tailored specifically to your infrastructure and enables you to make decisions independently in response to cybersecurity threats. Under this approach, all data, logs, and events remain within your company, which is crucial for confidentiality.

In a Security-as-a-service scenario, there is no guarantee that your SOC or SOAR provider will not become a target of attacks or data leaks. Therefore, it is important to consider which approach to cybersecurity best suits your needs and risks. Fully trusting round-the-clock monitoring and active response from a Security Operations Center (SOC) or SOAR provider can be challenging, especially if you do not have constant control over it. The best you can hope for is another email or SMS alert highlighting critical issues with possible escalation to your management.

P.S. How to eliminate a false sense of security is up to you. I've already made my decision.