Use AI as the missing piece of defence in depth

There is no silver bullet for cybersecurity.

That was the takeaway from Darktrace's Hanah Darley, speaking today at the first day of the Cybersecurity Festival in London.

In a quick audience poll, Darley identified several types of attack or compromise of major concern, including zero days, the supply chain and the human element. However, all of these tend to affect different parts of the network - and there is no one solution that can protect against all of them.

Defence in depth - using multiple tools to protect specific areas of the network - is "so important," said Darley, but there is a single solution that can enhance those disparate tools: autonomous AI.

"The next step is to fill in the gap in human resources, who unfortunately require things like sleep. I've left my phone over there [on my seat], and a lot of our human analysts will do the same thing on the weekends. They'll want to watch Netflix, they won't necessarily be looking for every single alert on their phones.

"That human gap is natural and expected. How do we account for it? Using self-learning AI."

AI security systems like Darktrace can take work away from human analysts and respond to incidents in near-real-time - but even they aren't the be-all and end-all of protection. Darley described a new Darktrace customer, where a "highly privileged administrative credential" had been compromised a few weeks before installation - although the customer didn't know it.

"Darktrace picked up on it, but unfortunately, even though the autonomous response was available, it was in what we call Human Confirmation mode. Now in a security model, that totally makes sense because that is kind of the validation where you see how it would operate on your network... But if the human analysts are not focused, they're not looking at alerts or not paying attention. Then the AI warnings can only go so far.

"So, the attackers retained access to the system for about three weeks. And then they thought to themselves, 'Let's move laterally and let's keep moving. Let's keep it going'. They had already exfiltrated data from the domain controller, but why stop on one if you can get by? So, they tried to move laterally. They started beaconing to a command-and-control infrastructure. And our AI analyst is, as we call it, generating investigations, there are alerts going off, there are recommended autonomous response actions. But again, because it's in Human Confirmation mode, it's not able to take those actions.

"Ultimately, they got away with a load of data before the humans were able to put a stop to the attacks. But throughout the attack cycle, there were about 15 different AI Analyst investigations, and there would have been a load of autonomous response actions.

"So what's the takeaway from that?... It could have stopped there. And it also could have stopped at subsequent points during the attack as the attackers attempted to move laterally."

Autonomous response is applicable in many ways and industries, said Darley, and although you need a balance between AI and human, having 24/7 monitoring and response is more important now than ever before.