Those bemoaning the amount of spam in their email account’s inbox (offers of suspiciously cheap Rolexes, notifications of windfalls, requests to help transfer funds from African states) may not be aware that spam exists for one reason: it works.

In a similar way, because the profits from successful cybercrime are very healthy, specific individuals and organizations will always spend time and effort learning clever exploits and methods, because, on occasion, those methods work.

Cybercrime is therefore here to stay, and because both end-users and cyber specialists are becoming better educated as to attackers’ methods, the threat landscape will not only shift constantly but also become more complex, as methods used by bad actors will become more – although this is not intended as a compliment – intelligent.

The (old) best ways to counter cyberattack

In general, companies of all sizes have deployed a combination of three cybersecurity measures. The first is a suite of pre-programmed (albeit occasionally updated) databases of known threats: their signatures, techniques, and modus operandi. Network activity is compared in real-time against this database of entries, and if there’s a high perecentage of correlation, a virtual red flag gets raised.

As companies become more security conscious, the threshold at which the red flags appear can be lowered, and increasing numbers of respondents employed too – something that happens naturally as the business grows in size and scope of operations.

Faster cybersecurity incident response

A typical response to cyber threats is to throw money at the problem. Hiring more first-line responders may be expensive, but it does give businesses a better chance of detecting and ameliorating any incident. Unfortunately, as the numbers of attack vectors increases (malware in BYOD devices, or in-memory malignancies for example), even the best-equipped SOCs are usually not enough to prevent every costly incident from taking place.

Throwing money at the problem is epitomized by the emerging trend of insurance companies increasingly minded to pay-off the ransoms demanded by hackers, behavior that will arguably raise the fees demanded, and the number of attacks.

Against the few, the many

Methods of cybercrime evolving means more tools needed to attempt to mitigate threats. Endpoint protection solutions now need to cover off IoT and IIoT devices, PCs, servers and BYOD devices of every flavor. Detection systems have to be able to sense malicious east-west traffic, and so on. In short, managing many tools and methods to try and keep up with even known threats (and guess new zero-days) needs orchestrating and conglomerating.

Orchestration platforms attempt to aggregate all the different weapons in the SOC’s arsenal, presenting simplified pictures of amalgamated activity, right across the topology, from public cloud, to phishing attempts on named individuals, to staff abusing their access privileges or sharing passwords with colleagues.

As meta-solutions, these platforms usually require a series of compromises, whereby granular detail is subsumed into a bigger picture. Human operators (even many human operators) are better able to make decisions quickly when not combing through multiple alerts or red flags, while being distracted from the combing through the minutiae of firewall logs.

AI for cyberdefense

Self-learning algorithms have multiple advantages in specific circumstances over human operators. Computers are tireless, work 24/7, and don’t require rest breaks, constant streams of coffee, or vacations. So why isn’t AI more common in cyberdefense settings, instead of or even replacing human security staff?

The answers lie in how many providers have thought to deploy machine-learning solutions in defensive mechanisms. AI teaches itself, for sure, but from what it learns, what type of learning it uses, and what uses that learning is put to, are crucial considerations.

To give that statement some more detail: showing AI routines attack patterns of the past does not specifically make the machine mind capable of predicting the next zero day dreamed up by attackers – there are simply too many variables.

Furthermore, there are as many types of machine learning (metaheurism, fuzzy systems, Bayesian decision trees, cognitive modeling) as there are names for AI (deep learning, machine learning, cognitive intelligence, and so on). In short, a complex picture.

Real-life use of AI in cyber security

Founded in 2013, Darktrace, the world’s leading cyber AI company, was created when members of the UK intelligence services approached leading mathematicians from the University of Cambridge with a problem: the existing approach to cyber security was failing. By using historical data to predict the threats of tomorrow, legacy technologies weren’t catching zero-day malware and insider threats alike. A new approach to cyber security was needed — the resulting solution from Darktrace was a platform that has since turned the traditional approach to cyber defense on its head.

Based on the principles of the human immune system, Darktrace’s Cyber AI Platform is capable of self-learning the normal pattern of life for every user, device, and container across the digital business. From this rich understanding of what is normal’ for the enterprise, it can identify even the subtlest deviations from normal behavior that are indicative of a threat. Rather than using rules or signatures to pre-define what threats to look for, Darktrace’s AI utilizes multiple unsupervised, supervised, and deep learning techniques in a Bayesian framework to identify a range of threats to the business, from never-before-seen attacks, to machine-speed ransomware, to insider threat.

Going a step further, Darktrace is also the creator of the first Autonomous Response technology. Like a digital antibody, this AI can generate an intelligent and proportionate response to contain a threat within seconds – fighting back on behalf of the human without disrupting business operations.

Because it understands the normal patterns of behavior for the entire digital business, Darktrace’s AI is uniquely able to apply business context to understand each anomaly, and correctly identify whether it indicates an ongoing threat. For example, the AI might identify a laptop opening a high-port connection to a recently registered domain. Could this be a sign of an emerging threat? It depends: for IT staff, setting up an SSH tunnel out of the network or running an Nmap scan is normal. But should the same activity stem from a visiting marketing intern’s workstation, Darktrace’s AI would sound the alarm.

It’s a fascinating approach to the problem, and one that’s been proven across more than 3,000 customers worldwide to dramatically reduce alert fatigue, identify cyber-attacks more quickly and accurately, and – thanks to Autonomous Response – address potential threats before they escalate into a crisis.

To learn about how Darktrace’s technology works, read more about the company’s Cyber AI Platform, click here.

*Some of the companies featured are commercial partners of Tech Wire Asia