Using Artificial Intelligence to Counter Cyber Threats

By Tim Crosby, Spohn Security Solutions

In a constantly evolving digital threat landscape where firewalls and antivirus programs are considered tools of antiquity, companies are looking to utilize more technologically advanced means of protecting crucial data. Artificial intelligence (AI) is becoming a global warrior against cyber threats as security technologies are incorporating AI programs that utilize deep learning to discover similarities and differences within a data set.


“AI to enhance our response!”

“AI, the future of threat intelligence is here!”

“AI enabled threat solutions!”

It all sounds great – science fiction for today. AI will make your life easier and eliminate all but the most sophisticated attacks by government-sponsored secret organizations that couldn’t possibly want to target you, right? The reality is that it still requires you, the human responsible for securing the network, to make decisions.


AI, in terms of today’s marketing or social media-driven definitions, is machine learning. It is the combination of IPS, IDS, firewalls, routers, switches, SNMP and logs all feeding data to a SIEM (Security Information and Event Management) system. The SIEM needs to be loaded with known threat analysis information (behavioral patterns, traits, and malicious software signatures from a subscription service and/or observed/logged behavior), and that information comes from humans who identified it while responding to an attack or compromise. Every attack is new or modified to get around known defenses, and identifying these new attacks still requires people and teams.


The latest SIEM 2.0 release of AlienVault’s commercial product is approaching 100K known behavioral patterns that are indicators of malicious activity. As fantastic as this product is, it still requires human interaction. When an event is detected, it produces an alert or triggers a response action, and ultimately a human must determine whether it was an attack, a new plugin in your security scanner, or a person transferring a huge amount of data as part of a server/cloud migration.


The very best supercomputer, the one that won DARPA’s ‘All-Machine Hacking Tournament’ (Defcon24 Cybersecurity Challenge), came in dead last when it went up against humans – real hackers. Great for marketing, but the human element is still required to defeat a human hacktivist, nation-sponsored criminal, or talented script kiddie.


The best approach is a ‘Defense in Depth’ that uses next generation firewalls, IPS/IDS systems, anti-virus/malware products, and a good SIEM product to automatically aggregate, filter, and categorize alerts for a Cybersecurity Response Team/NOC to review. The trained security professionals are always the key component.


Even this does not prevent the human element from introducing something new or unknown into the system through ignorance, apathy or accident. ‘Day Zero’ (previously undiscovered vulnerability) attack vectors are found virtually every day. Your users can prove to be either your best defense or your biggest attack vector.

Optimizing Your Human Components


Many organizations fall prey to repetitive computer-based basic training that has not been updated in years and provides little if any information about the threat landscape. One training plan we recently reviewed still listed “MySpace” and “Yahoo Messenger” as the primary social media attack vehicles. This training was required to meet minimum regulatory compliance and was used by this organization for many years to check that box on its “to do” list, but it did nothing to educate or prepare the user for today’s evolving cybersecurity landscape. Is it any wonder that social engineering and phishing emails have a success rate of 60% or better? If anything, this training told the users, “Please care about this organization’s cybersecurity as much as you care about the early 2000s technology you are still using.”


Employees need to be trained to recognize a wide variety of cybersecurity threats, as well as security best practices. Every employee needs to be able to recognize email phishing attacks delivered through phishing links, including “Evil Twin” URLs (look-alike domains), dangerous hyperlinks, and malicious attachments. User training needs to bring employees into a culture of cybersecurity where they play a key role and share a significant portion of the organization’s responsibility to protect sensitive information and network systems.


Tips on Training:

  • Show users where they matter most in protecting the network data and systems.
  • Make them aware of modern phishing schemes including examples of emails and phone transcripts.
  • Instill a healthy skepticism of all emails containing attachments and links.
  • Empower users by encouraging them to report anything that does not look quite right.
  • Send weekly or monthly reminder emails on security awareness with positive reinforcement. (“We want to thank Bob Jones for identifying a spam email that made it past our email security software – it contained malware…” Bob received a $15.00 gift card for helping keep our network and customer information safe.)


Optimizing Your Technical Components


All data owners within the organization who collect and/or generate information stored on the network should regularly review the data classification (i.e. the importance of their data to the organization). In addition, this process needs to identify where their information is stored and confirm that adequate access controls are in place to ensure users have appropriate privilege levels. Data classification and access control reviews should be conducted as regularly as user account audits (at least annually).


Most deployed security tools rely on a system inventory (typically Microsoft Active Directory, AD) to determine whether all critical patches and updates have been applied, so anything missing from that inventory is invisible to them. Consequently, all organizations need to run regular internal and external network security audits or penetration tests. At the very least, quarterly scans of all network resources should be performed, using a tool completely independent of the other security products. A product like Nessus from Tenable, GFI LANguard or Retina Scanner from BeyondTrust will identify systems that were not patched or have missing/outdated AV/malware products. These products help identify systems that were either never part of the hardware or software inventory, or were added but, for some reason, no longer receive or never received software updates. Critical vulnerabilities should be addressed immediately, high vulnerabilities within a week to 10 days, and medium and low-risk vulnerabilities as part of the normal change management process.
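As an added illustration of the two checks this paragraph calls for (it is not code from the author or from any of the scanners named), the following script reconciles a constructed, simplified scanner export against a constructed AD computer list to surface hosts the inventory-driven tools cannot see, and then applies the remediation windows above to flag findings that are past due. The export format, host names and the 90-day window for medium/low findings are assumptions; the article only says those go through normal change management.

```python
from datetime import date, timedelta

# Remediation windows taken from the article: critical immediately (same day),
# high within a week to 10 days (10 used as the deadline). Medium and low go
# through normal change management; 90 days is an assumed value, not the article's.
SLA_DAYS = {"critical": 0, "high": 10, "medium": 90, "low": 90}

# Constructed sample data. AD_INVENTORY stands in for the computer objects an
# AD-driven patch tool knows about; SCAN_FINDINGS is a hypothetical, simplified
# export from an independent scanner (not the real Nessus/LANguard/Retina format).
AD_INVENTORY = {"web01", "db01", "hr-laptop-07"}
SCAN_FINDINGS = [
    {"host": "web01", "severity": "critical", "issue": "Missing OS security update", "first_seen": "2024-03-19"},
    {"host": "db01", "severity": "high", "issue": "Antivirus signatures outdated", "first_seen": "2024-03-05"},
    {"host": "hr-laptop-07", "severity": "high", "issue": "Browser not at current version", "first_seen": "2024-03-15"},
    {"host": "lab-box-3", "severity": "medium", "issue": "SMB signing not required", "first_seen": "2024-01-02"},
    {"host": "lab-box-3", "severity": "low", "issue": "No endpoint AV product detected", "first_seen": "2023-11-01"},
]


def inventory_gaps(findings, inventory):
    """Hosts the scanner found that the inventory does not know about:
    these are the systems an inventory-driven patch tool can never update."""
    return sorted({f["host"] for f in findings} - set(inventory))


def overdue_findings(findings, today_iso, sla_days=SLA_DAYS):
    """Findings whose remediation window has elapsed, most overdue first."""
    today = date.fromisoformat(today_iso)
    late = []
    for f in findings:
        due = date.fromisoformat(f["first_seen"]) + timedelta(days=sla_days[f["severity"]])
        days_late = (today - due).days
        if days_late > 0:
            late.append({**f, "due": due.isoformat(), "days_overdue": days_late})
    return sorted(late, key=lambda f: f["days_overdue"], reverse=True)


if __name__ == "__main__":
    print("Hosts missing from inventory:", inventory_gaps(SCAN_FINDINGS, AD_INVENTORY))
    for f in overdue_findings(SCAN_FINDINGS, "2024-03-20"):
        print(f"{f['host']:12} {f['severity']:8} due {f['due']}  {f['days_overdue']:3}d late  {f['issue']}")
```

Feeding a real scanner export into the same two functions only requires mapping its columns onto the `host`, `severity` and `first_seen` keys used here.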


One day AI enabled tools may be able to intuitively identify the importance of the data stored on our network, who should have access to that data, and which new attacks are threatening our security posture; but, today, the human mind, human intellect, and human intuition are all required to form a complete web of cybersecurity and are the key to building a culture of cybersecurity.


About Tim Crosby:

Timothy Crosby is Senior Security Consultant for Spohn Security Solutions. He has over 30 years of experience in the areas of data and network security. His career began in the early ‘80s securing data communications as a teletype and cryptographic support technician/engineer for the US military, including numerous overseas deployments. Building on the skillsets he developed in these roles, he transitioned into network engineering, administration and security for a combination of public and private sector organizations throughout the world, many of which required maintaining a security clearance. He holds industry leading certifications in his field, and has been involved with designing the requirements and testing protocols for other industry certifications. When not spending time in the world of cybersecurity, he is most likely found in the great outdoors with his wife, children and grandchildren.
