
Why Singaporean Businesses should Incorporate AI / Machine Learning into their Cybersecurity Operations

Did you know that 96 percent of Singaporean businesses have reportedly suffered a data breach? And cybercrime is not slowing down. With the financial risk from cyberattacks estimated at US$5.2 trillion between 2019 and 2023, it creates an ongoing challenge for investors, corporations, and consumers around the world. In Singapore, experts detected approximately 4.66 million web threats in 2019. This shocking statistic reinforces the need for innovative ways of enhancing cybersecurity within our region.

Earlier this year, Finance Minister Heng Swee Keat revealed that the Singapore government will be investing S$1 billion to strengthen its cyber and data security systems to safeguard its critical information infrastructures, as well as its citizens’ data. Moving forward as a digital economy and smart nation, and with increasingly adopted technologies like artificial intelligence (AI), Machine Learning (ML), and Internet of Things (IoT), the Singapore government will also provide more funding to local deep-tech startups and small and midsized businesses (SMBs).

While the term AI was first coined in 1956, today it is a field of computer science focused on how machines can imitate human intelligence. Successful applications of AI include beating humans at Go, diagnosing cancer, and operating autonomous vehicles. Over the last 10 years, the potential of AI to help with cybersecurity problems has evolved from being overhyped into a critical ingredient of enterprise security programs. In their Top Security and Risk Trends for 2020, Gartner projects that “AI, and especially machine learning (ML), will continue to automate and augment human decision making across a broad set of use cases in security and digital business.”

Finding a Needle in a Haystack

While it is common knowledge to security professionals, others may be surprised by the daily volume of security logs generated by enterprises. The logs generated by firewalls, authentication servers, endpoints, and a variety of other devices and security tools total many millions every day. Security information and event management (SIEM) tools can use rules to filter and prioritize these logs into alerts, but it is the job of security analysts to investigate the most critical alerts. For example, out of 10 million daily logs, hundreds may require expert human investigation.

Security analyst investigations include examining detailed log data, reviewing correlated events and threat intelligence, and looking for suspicious behavior. Analysts must quickly determine whether the event has actually compromised the organization’s security, is a potential threat, or is a false positive. This difficult and time-consuming work is made even more challenging by the high percentage of alerts that are false positives. This is why it is not uncommon for security analysts to get “alert fatigue” – losing motivation to thoroughly investigate alerts.

Reactive investigations are necessary but insufficient for a robust security defense. Security teams should also proactively hunt for threats that are not triggered by system alerts. Targeted attacks often aim at stealing critical data and use techniques like obtaining user credentials, upgrading access to a privileged user, and moving laterally across the network. These attacks, also known as advanced persistent threats (APTs), can result in an attacker gaining unauthorized access to a system or network and remaining there for an extended period of time without being detected. The time a hacker goes undetected on your network, or “dwell time”, is commonly measured in months. APTs that use multi-stage attacks occurring over longer periods, commonly referred to as low and slow attacks, are hard to detect with rule-based analytics alone. The practice of hackers changing or morphing their attack techniques further adds to the challenge of threat hunting.

AI to the Rescue

Initial approaches to detecting threats used a subset of AI called unsupervised machine learning to detect anomalies. Unfortunately, while AI has been proven to predict significant future events, the range of behaviors of users, applications, and external data is so complicated it is very hard to identify malicious outliers. The result was many AI-powered products that generated too many false positives to be practical.

While unsupervised learning attempts to find patterns among data points without knowing the meaning of the data, supervised learning infers a relationship based on existing data labels. For example, an AI model can learn to recognize pictures of a table after being trained on a large number of images that are identified as tables. However, in the field of cybersecurity, it is very hard to obtain labelled data to train detection models. Additionally, hackers can change or adapt the attack techniques faster than a supervised learning model can be trained.

The solution to these limitations is active supervised learning, which engages human experts to help create and train threat hunting models. Organizations that are using both AI and humans are 20 times stronger against cyberattacks than traditional methods. The resulting AI models combined with expert feedback can quickly learn to distinguish between malicious and normal behavior. AI-powered threat hunting enables security analysts to significantly increase productivity and detect and respond to more real threats that would have otherwise resulted in a damaging breach.

Can AI Defend Against AI?

Just as security teams and technology vendors are adopting AI to detect and contain threats, hackers can also use AI to power their attacks. Hackers are expected to use AI techniques to target organizations, develop new exploits, and detect vulnerabilities. AI is expected to increase the speed of attacks while reducing cost. For example, writing an effective phishing email takes time and creativity; AI can help automate this process.

The good news is that developers of security tools are also rapidly adopting AI as part of product development and enhancement. However, there is still a lot of marketing hype around AI, so we advise you to dig into the details and assess whether your vendors are fully leveraging AI/ML technologies before you make the leap.

Conclusions

Organizations can use machine learning to detect suspicious and unusual patterns that are nearly impossible to discover through the human eye. The intelligent detection algorithms can compare the network data packets continuously to discover anomalous traffic, then apply strategies, such as statistical monitoring and anomaly detection, to identify malware variants communicated over a network. Cybersecurity is traditionally a very time-consuming task but with effective use of AI, you can begin to make your cybersecurity teams more efficient.

Cybersecurity in the Next Decade – Proficio’s Projections for the 2020s

2019 was another busy year for cybersecurity professionals. There were more security incidents than in any previous year, and they included some of the largest breaches of all time. According to Forbes magazine, more than 4.1 billion records were compromised.

Looking forward to the next decade, we expect cyber defenders to still face many challenges. Fueled by the growth of the cloud, IoT devices, and mobile, the attack surface will continue to grow exponentially. Cybercriminals have been using machine learning and will expand its use in the coming year. Nation states will invest more in cyberwarfare to target governments, critical infrastructure, and organizations.

Proficio has been providing our clients managed security services for nearly a decade. Our understanding of the cybersecurity landscape is informed from being both a user and a provider of cybersecurity technology. The following projections define 10 important changes that we see driving the cybersecurity agenda over the next decade:

  1. AI Gets Real

At Proficio, we have been experimenting with and deploying machine learning (ML) for years. We think ML is now transitioning out of the early stages of the Hype Cycle into the early stages of broader adoption as a credible cybersecurity technology: a necessary and meaningful part of any cyber defense arsenal that plays a significant role for Incident Response (IR) and Security Operations Center (SOC) teams.

There’s been a lot of talk about the potential for ML to replace Level 1 or 2 Security Analysts. We strongly disagree. We see ML as a tool that augments Security Analysts, helping them to identify relationships between seemingly unrelated events, cutting out false positives, and detecting anomalies. Combined with threat intelligence, ML will enable security teams to detect and respond to security incidents faster, more effectively, and with far fewer people than would otherwise be possible.

  2. Automation to the Rescue

Talk to any CISO and it won’t be long before you hear an anecdote that illustrates the cyber skills gap. Conventional wisdom is that the shortage of cyber professionals is now measured in millions, and when you peel back this issue, the gap is further complicated by the range of technologies used to ensure a strong cyber defense. In addition to Security Analysts, Incident Responders, and SIEM Engineers, organizations are now in need of Data Scientists and ML Experts.

We don’t expect the cyber skills gap to go away in the 2020s, but there is light at the end of the tunnel in the form of SOAR (Security Automation, Orchestration, and Response). Proficio was the first MSSP to create a proprietary SOAR platform and today automation plays a significant role in the services we deliver.

SOAR platforms promise to help SOC and IR teams reduce response times, cut down on manual work, and engineer repeatable, semi-automated processes. By creating standardized, repeatable processes — and automating them where possible — SOAR reduces the burden on security teams. In addition, a SOAR platform integrates with other technologies and provides a single orchestration interface for security teams. Instead of learning to use five or more different tools, security engineers need only become accustomed to a single interface that is integrated into their operational processes.

  3. GDPR Goes Global

Since the General Data Protection Regulation (GDPR) came into effect in May 2018, organizations with EU customers have had to step up their data privacy compliance processes and systems.

Historically, the major compliance frameworks (PCI-DSS, HIPAA, ISO27001, etc.) were akin to audit checklists. So long as you ticked off certain requirements — and you could prove it — your job was done. It didn’t matter if you were actually secure, as long as you followed the rules.

But GDPR changed the game. Now, instead of a checklist, organizations are responsible for collecting, analyzing, and acting upon security data to ensure the ongoing protection of sensitive assets. If an organization is breached, and sufficient action wasn’t taken to prevent it, irrespective of any checklist, large fines will follow.

We believe that in the next decade GDPR-like regulations will be adopted by most developed nations, and that the aforementioned industry-specific compliance regulations will adopt a similar stance; indeed, they have already started to do so.

  4. The Cloud is the Thing

In terms of decades: the 2000s were about defining the perimeter and improving perimeter security controls; the 2010s saw the introduction of evasive techniques and more sophisticated malware that evolved over time, bringing about the need for next-generation technologies, including endpoint, firewall, and software-defined perimeter controls within virtualized platforms; the 2020s will significantly expand the extension of security controls into the cloud as the adoption of cloud and hybrid architectures becomes more mainstream.

Data and applications have been moving to the cloud for a while now. Not only are cloud environments more complex to secure than local datacenters, they’re also vulnerable to a wider range of cyberattacks. For these reasons, some organizations have avoided a complete move to the cloud in favor of a hybrid approach.

Over the next decade, security and IT leaders will need to look for ways to secure complex, multi-cloud environments while retaining control over how cloud services are consumed. IT will need to find a way to be an enabler within the organization by defining standards that allow for the adoption of cloud technologies and limit shadow IT.

Cloud Access Security Brokers (CASBs) will continue to expand in use as more organizations consume cloud services in all areas of their business operations. A CASB is a key enabler that protects corporate assets and data, reduces the burden on IT, and allows the business to explore new and improved technologies that better enable it.

We expect the compensating controls within big cloud infrastructure platforms — Azure, AWS, and Google Cloud, among others — to mature. This is an inevitable response to a clear business need, as cloud providers seek to keep customers ‘on brand’.

Security leaders will need to ensure that the tools used to secure traditionally hosted data and services also extend to the cloud. This may take time to fully realize because many security tools currently don’t work well in the cloud. However, now that cloud usage has become the norm, security vendors are scrambling to ensure their tools remain relevant, and you will also continue to see cloud-focused security vendors becoming more relevant and even prominent amongst the startups.

  5. Marie Kondo for Security Tools

When organizations began to take cybersecurity more seriously, they went on a security tool buying spree, resulting in a proliferation of tools that often did not work together. This was made worse by the abundance of cybersecurity startups that each claimed to be the next best thing and tried to define a new market, which created significant confusion in the industry, compounded by baseless opinions that often used marketing and global reach as an indication of a technology’s effectiveness.

There were two big problems with this approach. First, it was expensive. Second, it introduced the hidden cost of the resources needed to manage these tools: a “Best of Breed” purchasing strategy creates unnecessary complexity in the architecture, requiring more trained staff to manage all the technologies in line with vendor-recommended best practices. This approach generally results in duplicated functionality across technologies and, as a result, ineffective implementations and underutilization of the investment.

As the cybersecurity industry slowly matures, organizations are realizing that they can’t solve all security problems by purchasing extra tools. It’s often quite the opposite. They need to simplify their technological footprint while focusing on the other two components of a functional security program: a strong team and effective, repeatable processes.

Similar to Marie Kondo’s approach to simplifying and organizing household belongings, we expect security leaders to see that their teams are better off maximizing the value of a handful of core tools than using just 5-10% of the functionality of many disparate technologies. We expect smarter purchasing decisions that factor in cross-vendor integration capabilities, or that consume technology as a service from an MSSP, focusing the buying decision on a business outcome.


  6. The Rise of 5G

The 2020s will be the decade of 5G. Any time there is a greater than 10X change, you should expect significant related effects. The promise of 5G is to improve mobile data rates and latency by 50 to 100 times. This technology will enable new applications, restructure cloud architectures, and notably be used in mission-critical enterprise applications like factory automation, robotics, transportation, and more.

5G will accelerate virtualization, proliferate distributed edge networks, and enable hackers to attack more devices at faster speeds. Cyber defenders will need to respond with new policies, security virtualization, tighter access controls, and new approaches to device authentication. Next-generation endpoint security technologies will need to be far more effective on mobile devices, locking down the device OS and access to hardware capabilities and apps. Think of cryptojacking on mobile devices as an example of an attack type that would become viable.

  7. The SOC of the Future

A Security Operations Center, or SOC, is the nerve center where a team of security experts monitors and responds to cyber threats on behalf of their organization. Proficio operates a global network of SOCs and is a leader in innovating how SOCs operate for maximum effectiveness.

Over the next decade we expect the way SOCs function to change in a number of ways:

Historically, security event monitoring and response has been log-centered. If a log entry was flagged as suspicious, an alert was created and investigated by a security analyst. This approach is problematic when it comes to unknown threats because, until a threat has been seen and reported, there’s no rule to detect it. Unless an organization has an active threat hunting program in place, such threats can go undetected for some time. Keep in mind that the current industry average for mean time to detection of a breach is 200+ days.

We expect SOCs to adopt frameworks like MITRE ATT&CK, which encourages security teams to think in terms of tactics, techniques, and procedures (TTPs). While a new threat may contain hashes, C&C infrastructure, or URLs that haven’t yet been categorized as malicious, only a tiny proportion of threats use completely new and innovative TTPs.

As a result, a security program that’s set up to identify TTPs (rather than specific indicators) is much more likely to identify attacks and breaches.
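To make the indicator-versus-TTP point concrete, here is an added example (not Proficio's or MITRE's code) that runs a hash-indicator rule and a behavioral rule over constructed, EDR-style process-creation events; the hosts, users, process names and hashes are all made up, and the "payload_sha256" field is assumed to hold the hash of the script or document the interpreter was handed.

```python
"""Hash-indicator vs. TTP-based detection over constructed endpoint telemetry.

Added example, not Proficio's or MITRE's code. Every host, user, process and
hash below is constructed; none of the hashes are real indicators.
"""
import json
from typing import Dict, List

# Constructed "threat intel": the hash of one malicious script loader already seen and reported.
KNOWN_BAD_SHA256 = {"a1b2c3d4e5f60718293a4b5c6d7e8f9001122334455667788990aabbccddeeff"}

# The technique the TTP rule looks for: a document-handling application spawning a command
# or script interpreter. Tooling hashes change with every rebuild; this parent/child
# relationship is the technique itself and changes far less often.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events, one JSON object per line (payload_sha256 is an assumed
# field: hash of the script/document passed to the child process, or null if none).
SAMPLE_LOGS = """\
{"ts":"2020-01-06T09:12:01Z","host":"ws-01","user":"alice","parent":"winword.exe","image":"powershell.exe","payload_sha256":"a1b2c3d4e5f60718293a4b5c6d7e8f9001122334455667788990aabbccddeeff"}
{"ts":"2020-01-06T09:40:55Z","host":"ws-07","user":"bob","parent":"excel.exe","image":"powershell.exe","payload_sha256":"ffeeddccbbaa00998877665544332211009f8e7d6c5b4a392817061f5e4d3c2b"}
{"ts":"2020-01-06T10:02:13Z","host":"srv-03","user":"svc-backup","parent":"services.exe","image":"svchost.exe","payload_sha256":null}
{"ts":"2020-01-06T10:15:30Z","host":"ws-12","user":"carol","parent":"outlook.exe","image":"cmd.exe","payload_sha256":"3333333333333333333333333333333333333333333333333333333333333333"}
{"ts":"2020-01-06T11:30:00Z","host":"ws-02","user":"dave","parent":"explorer.exe","image":"powershell.exe","payload_sha256":"4444444444444444444444444444444444444444444444444444444444444444"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline would count and report parse failures
    return events


def ioc_rule(ev: Dict) -> bool:
    """Indicator match: fires only on payload hashes already in the intel feed."""
    return ev.get("payload_sha256") in KNOWN_BAD_SHA256


def ttp_rule(ev: Dict) -> bool:
    """Technique match: a document application spawning an interpreter, whatever the hash."""
    parent = (ev.get("parent") or "").lower()
    image = (ev.get("image") or "").lower()
    return parent in DOCUMENT_APPS and image in INTERPRETERS


RULES = (("ioc-known-hash", ioc_rule), ("ttp-doc-app-spawns-interpreter", ttp_rule))


def run_detections(events: List[Dict]) -> List[Dict]:
    """Evaluate every rule against every event and return the resulting alerts."""
    return [{"rule": name, "host": ev["host"], "user": ev["user"], "ts": ev["ts"]}
            for ev in events for name, rule in RULES if rule(ev)]


def coverage(alerts: List[Dict]) -> Dict[str, int]:
    """Alerts per rule: how much the technique rule adds over the hash rule."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["rule"]] = counts.get(alert["rule"], 0) + 1
    return counts


def hosts_missed_by_ioc(events: List[Dict]) -> List[str]:
    """Hosts where only the TTP rule fired: the 'new hash, old technique' case."""
    return sorted(ev["host"] for ev in events if ttp_rule(ev) and not ioc_rule(ev))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for alert in run_detections(evs):
        print(alert)
    print(coverage(run_detections(evs)), hosts_missed_by_ioc(evs))
```

The hash rule catches only the one payload that was already reported, while the behavioral rule also flags the two re-hashed variants on ws-07 and ws-12 and stays quiet for the service host and the interactive PowerShell session under explorer.exe.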

For many organizations, a fully functional 24/7/365 operation is essential to ensure the ongoing security of sensitive data and assets. For all but the largest and most profitable organizations, however, building a security function of this magnitude is simply not financially viable. Currently, the minimum viable number of resources for an average organization of about 3000 employees to run a 24x7 SOC operation is 27; this is the minimum for shift coverage, and it assumes a well-rounded, optimized technology stack for security control enforcement and monitoring. The challenge is that these resources would have an effective average utilization of less than 20%, which is not very conducive to staff retention. Add to this the ever-present challenge of the cybersecurity skills gap, and it’s easier to understand why many organizations will turn to Managed Security Service Providers (MSSPs) to supplement the capabilities of in-house resources.

Women represent about a quarter of the cybersecurity workforce. We expect this percentage to increase considerably over the next decade, with the concomitant benefit of reducing the shortage of cyber professionals and adding diversity.

  8. More Intelligent Patching

Vulnerability Management is key to a mature security program. However, VM Scans can generate so many vulnerabilities that IT teams only have the resources to patch a fraction of the hosts and devices identified as requiring updates. Sometimes the quantity of alerts can be so overwhelming that it slows down remediation or results in no action at all.

The solution to this challenge is to prioritize based on the risk of a vulnerability being exploited in the context of the criticality of the asset, industry vertical, and level of known activity in the wild. Vulnerability Management needs to become a process that prioritizes based on risk, includes expert advice on the best approach to remediation, and measures and reports on progress.

We see Risk-based Vulnerability Management becoming standard for most organizations over the next decade.

  9. Don’t Forget Humans are Fallible

Human error is the second most common cause of a security breach. Human errors range from configuration errors on cloud architectures, servers and security devices to failure to follow organizational policies by administrators and users alike.

Humans are not going to change. So, to compensate for this reality we urge IT leaders to prioritize training, process control, and use technology where possible to automate tasks and detect issues resulting from simple mistakes.

  10. In the End It’s All About Risk

It is inevitable that most organizations will experience a security breach at some time. The operational priority for any organization is to quickly detect and remediate a breach.

In the 2020s, we expect IT leaders will increasingly need to explain the magnitude and types of cyber risk that apply to their organizations and provide their executive teams with strategic options to reduce risk.

Shareholders and customers want to understand what organizations are doing to protect important assets and data.

Up until now, security leaders have been forced to spend a huge amount of time preparing reports for board and stakeholder consumption. Many resorted to Excel and manual databases because alternatives weren’t available.

Over the next decade, security leaders will rely on business intelligence dashboards that show the threats facing their organizations and trends by type of attack and attack target. These dashboards will summarize the organization’s security posture, identify gaps, and compare risk with that of industry peers in near real time, as opposed to a monthly point in time based on sometimes limited and stale data. Proficio’s ThreatInsight is an example of such a dashboard.

2020s: A Decade to Embrace Change

As we wave goodbye to 2019, we are excited about the changes that the next decade will bring and looking forward to helping our clients protect their data and brand.

From all of us at Proficio, we wish you a safe and successful 2020.


Secrets to AI Success in Your SOC

Proficio Partners with PatternEx to Bring Artificial Intelligence-based Threat Detection to Proficio Clients

PATTERNEX’S VIRTUAL ANALYST PLATFORM TO MAXIMIZE THE PRODUCTIVITY OF PROFICIO’S GLOBAL TEAM OF SECURITY ANALYSTS

Proficio, an award-winning managed security services provider (MSSP) delivering managed detection and response (MDR) announced a partnership with PatternEx, the leader in AI enabled cyber threat detection, and their Virtual Analyst Platform. Proficio chose PatternEx because of their Virtual Analyst Platform’s ability to detect advanced attacks and to create custom models that target specific attacks faced by Proficio’s clients.

“We are excited to partner with PatternEx to enhance our managed detection and response services,” said Brad Taylor, CEO, Proficio. “Our mission is to provide the most advanced technology, integrated into a flexible and scalable managed services platform. With PatternEx, we can help our clients reduce risk by detecting new complex threats faster and more efficiently.”

MDR providers benefit from deploying PatternEx in their Security Operations Centers (SOCs) because the software significantly increases advanced threat detection abilities, minimizes false positives, and reduces time to detection and remediation. PatternEx’s Virtual Analyst Platform enables senior security analysts to turn successful threat hunting tactics into customized AI-based threat models that can be used by all security analysts. Analyst investigation time is significantly reduced through Auto-Correlation, which creates an instant attack story with relationships mapped across the cyber kill chain.

“PatternEx is delighted to be partnering with Proficio, a global leader in the managed detection and response services industry,” said Uday Veeramachaneni, CEO, PatternEx. “By empowering their security analysts to create and manage AI-based threat detection models, Proficio is maximizing the productivity of their global team of security experts while delivering the most advanced threat detection capabilities.”

PatternEx Virtual Analyst Platform performs at scale with features such as:

  • 1000+ security analytics, 100+ pre-packaged models, custom model creation, and easy operationalization of AI models
  • Multi-tenant UI and API based workflows
  • Automatic and massively scalable data lake management and ML data transformation

Learn more about why Proficio chose PatternEx.

About PatternEx

PatternEx’s Virtual Analyst Platform software turns cyber security analysts into superheroes – enabling detection of 10x more threats at 1/5th the cost with automated and analyst-sourced AI attack detection models. PatternEx uses analyst-in-the-loop technology to enable analysts to create new models and train them continuously. PatternEx, based in San Jose, CA, was founded in 2013 by researchers from MIT’s Artificial Intelligence Lab CSAIL. Learn more at patternex.com or follow us on Twitter @patternex.

About Proficio

Founded in 2010, Proficio is an award-winning managed security services provider (MSSP) delivering 24/7 security monitoring and alerting, managed detection and response (MDR), and cybersecurity services through global security operations centers in San Diego, Barcelona and Singapore. Proficio’s innovative approach to managed cybersecurity services uses proprietary processes, experienced security analysts, and the industry’s most advanced technologies to help organizations defend against advanced threats. Proficio pioneered the concept of SOC-as-a-Service and was the first MSSP to automate threat containment and to provide a security dashboard with threat scoring.

www.proficio.com.

PRESS CONTACTS:

KAPIL RAINA
KAPIL@PATTERNEX.COM

BRITTNEY TIMMINS
BTIMMINS@PROFICIO.COM