Q&A: The role of automation and artificial intelligence in cyber security

With the ever-increasing complexity and volume of cyber attacks, companies are turning to automated solutions and artificial intelligence in the quest for more effective protection.

But how effective is an automated approach, and will it become the norm in future? We spoke to Eran Barak, CEO of incident response specialist Hexadite, to find out.

Are we nearing the end of traditional approaches to security?

Without a doubt. Until very recently, companies have been spending their security time, resources, and dollars on products that gather information that is then handed to a person to act upon. However, with an increased volume of threats like ransomware, malware, and phishing, automatically collecting data and expecting people to keep up no longer works.

We've seen recent stats showing that 37 per cent of cyber security professionals are seeing 10,000 or more alerts per month, and that number is only going to rise exponentially. Couple that with the alarming lack of skilled cyber security professionals, and you see that the entire approach has to change.

Does failing to adopt automation risk security teams being overwhelmed by the volume of attacks?

It does, and with our customers we've seen that when you can't keep up with the volume of attacks, you're forced to prioritise. You have to make a judgment call on whether to spend your time trying to remove malware on a file share or a Trojan on the CEO's laptop. Since both could be a risk, you're forced to make subjective decisions knowing that you’re ignoring something that could potentially be catastrophic.

We started Hexadite after my co-founders and I spent years training cyber analysts and building security operations centres around the world. In training incident response teams in how to respond to cyber threats, we realised that a high percentage of what they do is repeatable and could be codified in a system.

Now we're seeing that cyber analysts are spending 75-80 per cent of their time dealing with the kinds of commodity malware that can easily be handled by an intelligent security orchestration and automation system. What takes them days can take our system one to two minutes.

Are attackers becoming more sophisticated in their approach?

Yes, but in two very different ways. Some attackers are becoming more sophisticated in their methods of attack, while others are taking advantage of automation to increase the volume.

Some cyber attackers are going for large numbers. They aren't necessarily more sophisticated, they're just more productive. Like spammers before them, it costs almost nothing to send incrementally more emails, compromise more websites, and target more companies. In many cases, it's the increase in volume that is more harmful than the sophistication of attacks.

On the other hand, you have specialists. Attackers that aren't playing the volume game are able to instead target specific companies using sophisticated techniques. They'll find out the names and even the writing style of the CEO and CFO, they'll purchase a similar domain name to the target company (example.com vs. examp1e.com), and they'll send very convincing emails to employees.

Can automation help combat internal threats too?

Yes, no doubt about that. Today there is a lack of skills and expertise, making it much more difficult to cope with the volume of alerts. We've seen large organisations with more than 30,000 employees that have only two to five cyber analysts who monitor that entire network. This is similar to coming to a gunfight with a knife. Only automation can bridge this gap and enable those teams to keep up with the volume of cyber attacks.

We hear a lot about machine learning, big data, and artificial intelligence relating to cyber security. How do you see these trends evolving?

You're right. There are a lot of buzzwords out there, and we prefer keeping it simple. Our approach is to think about what a human cyber analyst would do and codify those investigations, decisions, and actions into a system that is repeatable and fast at any scale.

That said, artificial intelligence makes a lot of sense when you compare it to human cognition. A cyber analyst learns from threat feeds, verifies known malicious entities from other sources, and increases his or her knowledge with more and more experience.

Like a cyber analyst, our product gets an alert from any security detection system and starts an investigation. It gathers more context from other systems on the network, compares the threat against known threat feeds, uses its own inspection algorithms, and makes a decision. Finally, it takes action based on the result of the investigation.

Rather than creating a big data or machine learning product, our platform is modelled after the way people investigate, decide, and act, just a lot faster and at scale.
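The investigate, decide and act loop described in this answer, combined with the lookalike-domain trick mentioned earlier in the interview (example.com vs. examp1e.com), as an added example written for this page. It is illustrative code, not Hexadite's product: a phishing alert is enriched from a mail log, compared against a threat feed, run through one "inspection algorithm" (a confusable-character and similarity check for domains imitating the organisation's own), and then turned into a verdict with response actions. The owned domains, threat feed entries, mail-log lines, confusable table and the 0.9 similarity threshold are all constructed assumptions.

```python
"""Added example (not Hexadite's code): a toy investigate / decide / act
loop for a phishing alert, with a lookalike-domain inspection step.
All domains, feed entries and mail-log lines are constructed sample data."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed: domains the organisation legitimately owns (assumption).
OUR_DOMAINS = {"example.com"}
# Constructed threat feed of known-bad sender domains and attachment hashes.
THREAT_FEED = {"evil-update.net", "0123456789abcdef0123456789abcdef"}
# Constructed mail-gateway log: (sender_domain, recipient) pairs used as context.
MAIL_LOG = [
    ("examp1e.com", "cfo@example.com"),
    ("examp1e.com", "ap-clerk@example.com"),
    ("examp1e.com", "ceo@example.com"),
    ("partner.org", "cfo@example.com"),
]
# Substitutions attackers use to imitate a name (digit 1 for l, rn for m ...).
# Deliberately short; a real check would use the Unicode confusables list.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o", "5": "s", "3": "e"}
# Assumed threshold: how similar a (normalised) domain must be to count as a lookalike.
SIMILARITY_THRESHOLD = 0.9


@dataclass
class Alert:
    alert_id: str
    source: str            # which detection system raised it
    sender_domain: str
    recipient: str
    file_hash: Optional[str] = None


@dataclass
class Verdict:
    alert_id: str
    malicious: bool
    reasons: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


def normalise(domain: str) -> str:
    """Lower-case and undo common confusable substitutions."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str, targets=OUR_DOMAINS) -> Optional[str]:
    """Return the owned domain that `domain` imitates, or None if the domain
    is one of our own (or a real subdomain of it) or simply unrelated."""
    domain = domain.lower()
    for target in targets:
        if domain == target or domain.endswith("." + target):
            return None  # our own domain or a genuine subdomain of it
    norm = normalise(domain)
    for target in targets:
        t = normalise(target)
        if norm == t or t in norm:
            return target  # confusable swap, or owned name embedded in a longer one
        if SequenceMatcher(None, norm, t).ratio() >= SIMILARITY_THRESHOLD:
            return target  # single-character edits such as a dropped letter
    return None


def investigate(alert: Alert) -> List[str]:
    """Compare the alert against the threat feed and run the inspection step."""
    reasons = []
    if alert.sender_domain.lower() in THREAT_FEED:
        reasons.append(f"sender domain {alert.sender_domain} is on the threat feed")
    if alert.file_hash and alert.file_hash.lower() in THREAT_FEED:
        reasons.append(f"attachment hash {alert.file_hash} is on the threat feed")
    target = lookalike_of(alert.sender_domain)
    if target:
        reasons.append(f"sender domain {alert.sender_domain} imitates {target}")
    return reasons


def other_recipients(alert: Alert) -> List[str]:
    """Context from the mail log: who else received mail from this sender."""
    sender = alert.sender_domain.lower()
    return sorted({r for s, r in MAIL_LOG if s == sender and r != alert.recipient})


def decide_and_act(alert: Alert, reasons: List[str]) -> Verdict:
    """Turn the gathered evidence into a verdict and a list of response actions."""
    if not reasons:
        return Verdict(alert.alert_id, False, [], ["close alert as benign"])
    actions = [f"quarantine message to {alert.recipient}",
               f"block sender domain {alert.sender_domain}"]
    # Widen the response to every other employee the same sender reached.
    actions += [f"quarantine message to {r}" for r in other_recipients(alert)]
    return Verdict(alert.alert_id, True, reasons, actions)


def triage(alert: Alert) -> Verdict:
    """The whole loop: alert in, investigation, decision, actions out."""
    return decide_and_act(alert, investigate(alert))


if __name__ == "__main__":
    print(triage(Alert("A-1", "mail-gateway", "examp1e.com", "cfo@example.com")))
    print(triage(Alert("A-2", "mail-gateway", "partner.org", "cfo@example.com")))
```

The similarity check catches single-character edits (example.co) and the confusable table catches digit-for-letter swaps (examp1e.com, exarnple.com), but a hyphenated or word-appended variant such as a longer registered name built around the brand falls below the 0.9 ratio and is only caught here when the owned name appears verbatim inside it; a production check would add typosquat generation and the full Unicode confusables data rather than this six-entry table.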

Are you seeing any kind of trend in the types of customers that are adopting products like Hexadite?

There are some trends we're seeing from our customers. The first is that the majority of them are constrained by cyber security resources and do not have a huge team to manually investigate alerts. They aren't able to devote a team of developers to write their own code to automate incident response.

In addition, as mentioned already, most of our customers are seeing an exponential increase in alert volume. They have invested time and budget on detection systems that are producing hundreds or thousands of alerts daily, and aren’t able to follow up.

We've seen customers with nearly 100 different security products at a given time. Being able to manage that many products at once and gather actionable intelligence is very hard.

Our customers come from all industries, but they have one thing in common: all of them have committed to cyber security and have made significant investment in technologies that detect cyber threats.
