25 June 2023

Is AI revolutionizing cybersecurity? The answer isn’t as clear.

Mark Guntrip 

Peruse last quarter’s press releases from top cybersecurity vendors, and it’s hard to miss the focus on artificial intelligence (AI) and machine learning (ML). According to these vendors, traditional security tools are getting boosted by advanced algorithms that can analyze large amounts of event and behavioral data to trigger automated decisions that keep organizations safe from today’s threat actors.

Security teams can use AI to go from identification to remediation in just a handful of minutes. In a world where threat actors operate at the speed of business, this capability at scale can mean the difference between catching a threat in time or suffering the consequences of a breach.

This is great! However, AI/ML are hardly making cybersecurity solutions better. Sure, they are faster and can process an amazing amount of data quickly, but they aren’t casting a wider net or closing off the emerging avenues that threat actors use to reach their victims. New Highly Evasive Adaptive Threats (HEAT) targeting web browsers are able to get around traditional security tools, and no amount of automation or scalability is going to change that. AI/ML is only as good as the data you feed into it. If you’re not providing the right information, your AI/ML engine isn’t going to learn or adapt on the fly to catch today’s evasive threats.

Meeting threats where they operate

Organizations need to look for AI/ML-powered cybersecurity solutions that can identify and provide context around the threats impacting today’s users. Today’s work is being conducted in the web browser. From private applications hosted by cloud service providers to Software as a Service (SaaS) platforms, data has moved out of the data center and onto the Internet where it can be accessed by any authorized entity from anywhere. Users can look up customer contact information, interact with a channel partner, sign documents or do just about anything without data leaving the web browser.

Today’s threat actors know this, of course, targeting the web browser as a way to gain an initial foothold and get around traditional security tools that focus on network or endpoint security. They know that these solutions have limited to no visibility into what happens inside the web browser. This crucial event and behavioral information is not getting fed into AI/ML algorithms and, as a result, they are leaving organizations that rely on these traditional cybersecurity solutions open to evasive browser attacks.

Get better, not just faster

In order for AI/ML to move the needle when it comes to cybersecurity, solutions need to feed information about what is happening inside the web browser into their algorithms. Only then will they be able to learn and adapt to evasive threats, like HEAT attacks, that target the browser. This isn’t to say that traditional security solutions aren’t necessary. They do a great job of protecting the organization from attacks that target the network and endpoints. It’s necessary, however, to augment those capabilities with visibility into and control over the web browser. This layered approach provides the best (not just the fastest or most scalable) protection that you can muster.

Ideally, AI/ML processing would happen in the cloud before content has a chance to interact with the user through the browser. This would trick threats into thinking they had reached their victim’s browser and force them to attempt to deliver whatever payload they are designed to deliver. Once they lay their cards on the table, AI/ML-powered cybersecurity tools could better analyze and understand the threat and make a decision based on this context.

For example, threat actors often use categorized domains to evade traditional URL filtering tools since most organizations tend to allow websites if they are “known”. Threat actors know that most organizations favor productivity over security, and they can get away with this evasive tactic.

However, further runtime analysis by AI/ML-powered browser security solutions could provide much-needed context and nuance that may lead to a different decision-making process. Going back to the original example, an AI engine could investigate the website behind the URL further and discover that it includes Microsoft logos but the URL has nothing to do with Microsoft. The added context leads the AI/ML engine to recommend the now-suspicious page be rendered in read-only mode. That way, users can still access the page without putting their credentials at risk. It’s identifying and analyzing multiple data feeds, characteristics, techniques and context in much the same way that humans can take in and process lots of information that really allows AI/ML to shine.
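
The brand-versus-URL check described above, reduced to a rule-based sketch. This is an added example, not Menlo Security's code: the brand table, the page signals collected and the `read_only` verdict name are assumptions for illustration, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, deliberately incomplete brand table: keyword -> domains entitled to use it.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
}

# Constructed sample page: a sign-in page carrying a Microsoft logo.
SAMPLE = ('<html><head><title>Sign in to your account</title></head>'
          '<body><img src="/static/microsoft_logo.svg" alt="Microsoft"/></body></html>')

class PageSignals(HTMLParser):
    """Collect where brand marks usually appear: <title> text, <img> alt and src."""
    def __init__(self):
        super().__init__()
        self.text = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "img":
            self.text += [a.get("alt") or "", a.get("src") or ""]

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.text.append(data)

def host_matches(host, domains):
    # Match on a label boundary so "microsoft.com.portal.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in domains)

def verdict(url, html):
    """Return (decision, brands shown on the page that the host is not entitled to)."""
    host = (urlsplit(url).hostname or "").lower()
    signals = PageSignals()
    signals.feed(html)
    blob = " ".join(signals.text).lower()
    mismatched = sorted(brand for brand, domains in BRAND_DOMAINS.items()
                        if brand in blob and not host_matches(host, domains))
    return ("read_only", mismatched) if mismatched else ("allow", [])
```

The same page is allowed when served from `login.microsoftonline.com` and downgraded to read-only when served from an unrelated or lookalike host, which is the context a category-based URL filter never sees.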

It’s all about the browser

While today’s AI/ML-optimized cybersecurity solutions are more than hype, they fail to truly provide protection against today’s threats. They simply are not being fed the right information they need to learn, adapt and make critical decisions at scale. Visibility into and control over the web browser is critical to using AI/ML effectively in cybersecurity. Organizations need to feed browser-based information into their AI/ML engines to cast a wider net and stop today’s threats where they are most commonly found: in the browser.


*** This is a Security Bloggers Network syndicated blog from Menlo Security authored by Mark Guntrip. Read the original post at: https://www.menlosecurity.com/blog/are-ai-ml-revolutionizing-cybersecurity/
