Bridging the gaps in security automation

It’s no secret that organisations are struggling to keep up with the demands of the ever-changing threat landscape. The increasing complexity of today’s threats, when coupled with a widening skills shortage means that finding a solution is more pressing than ever. Security strategies must undergo a revolution in order to anticipate new risks and synchronise responses to detected threats.   

Automation and intent-based security are two technologies which could alleviate these issues and help businesses win the war against cybercrime. ‘Intent-based security’ (IBNS) is the process of applying analytics to the information generated by security devices on a network. This then lays the foundation for more advanced automated technology. 

An individual security solution is already capable of delivering immense amounts of independent, unrelated data. This generated data can then be brought together when building out a standardised and interconnected security framework.   

Integration is the key to IBNS and provides businesses with visibility across the entire distributed network, and allows integrated security solutions to automatically adapt to changing network configurations and shifting business needs with a synchronised response to threats.

These solutions are able to dynamically partition network segments, isolate devices which have been infected and remove malware. Security teams can also automatically provision and update new security measures and countermeasures from endpoints in the cloud as new devices, workloads and services are deployed or moved around the network. Integrated and automated security provides a comprehensive threat response which is far more effective and efficient than the efforts of individual security solutions protecting the network.   

Artificial intelligence and machine learning are becoming significant allies in cybersecurity. Machine learning will be bolstered by data-heavy Internet of Things devices and predictive applications to help safeguard the network. However, securing these “things” and that data, which are ripe targets or entry points for attackers, is a challenge in its own right.

Artificial intelligence and machine learning are valuable tools to combat the threat landscape, however, there are still a few hurdles when it comes to implementing the technology.   

Quality of intelligence 

A challenge on the journey to security automation is the quality of intelligence. Cyber threat intelligence is often prone to false positives due to the unpredictable nature of IoT. Threats can change instantly from one second to the next.    

Improving the quality of threat intelligence is the next step to enabling IT teams to pass more control to artificial intelligence. Whilst the security industry cannot pass complete control to machine automation, there needs to be a balance between operational control and critical exercise that can escalate up to humans. This will ensure that AI and machine learning applications for cybersecurity defence are truly effective.   

The persistent cybersecurity skills gap means that products and services must be built with superior automation in order to correlate threat intelligence, which can determine the level of risk as well as automatically orchestrating a coordinated response to threats. By the time the human teams spot and begin to tackle a problem, it’s often too late, which in turn can make the issue worse and multiply the amount of work to be done in recovery. This can be taken care of automatically, using direct intelligence sharing between detection and prevention products, or with assisted mitigation, which involves a combination of people and technology working in unison. Automation also allows security teams to focus on business-critical matters instead of routine cybersecurity management.   

The goal for AI in cybersecurity is for it to be constantly adapting to the expanding attack surface. Currently humans are connecting the dots, distributing data and applying it to systems. In the future, a mature AI system could be capable of making these complex decisions which presently require intelligent correlation through human intelligence.   

However, full automation would be a step too far. Humans and machines must still be part of the same equation. It won’t be long before situation aware malware is able to exploit AI to behave like a human attacker, performing reconnaissance, identifying targets, choosing methods of attack and intelligently avoiding detection.   

Whilst organisations can use AI to enhance their security operations, cybercriminals will also be able to use it to build smarter malware. This is why a joined-up security approach must be at the centre of an organisation’s security strategy. Security solutions for network, endpoint, application, data centre, cloud and access need to be working together as an integrated and collective whole. This, combined with actionable intelligence is needed to hold a strong position on not only automated security, but also automated defence.   

Threats are getting smarter and are increasingly able to operate autonomously. In the coming year, we expect to see malware designed with adaptive, success-based learning to improve the success and efficacy of attacks. This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and make calculated decisions about what to do next. In many ways, malware will begin to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, and intelligently evading detection. 

Cybercriminals are getting better at creating smarter threats which can operate autonomously. In the near future, malware will be designed with adaptive, success-based learning to ensure the efficacy of attacks.   

The next generation of malware will use code which is a forerunner to artificial intelligence, including more complex decision-making trees. This new breed of autonomous malware works much in the same way as branch prediction technology, which is designed to predict which branch of a decision tree a transaction will take. A branch predictor keeps a record of whether or not a branch is taken. When it comes across a conditional jump that it has seen before, it makes a prediction, and over time the software becomes more efficient.   

Autonomous malware is informed by the collation and examination of offensive intelligence, much in the same way as intelligent defensive solutions. This intelligence includes the types of devise being deployed in a network segment, traffic flow, applications in use, transaction details and the time of day that transactions occur. The more time a threat can survive in its host, the better it is able to operate independently, blend into the background, select the most appropriate tools based on its environment and eventually take counter-measures based on the security tools implemented.   

How do we get to where we need to be?   

1. Logging -  Data collection needs to standardised to enable the efficient collection and analysis of data, including features that allow the application of extensions in an easy, self-documenting and self-supporting manner. 

2. Threat-Intelligence – It’s important not to focus solely on the data produced by ourselves, but also data concerning the wider world around us. In order for a system to become self-aware, it must distinguish between itself and others. This is where threat intelligence comes in. This intelligence must be provided in a consistent set-up, allowing it to be connected, managed and acted on.    

3. Open Development - Consistent APIs need to be accepted and expanded into everything, not just the many types of exchanges between data and devices, but also the exchanges between architectures. If a security system is able to firewall, how can it empower, restrict, or enhance its behaviour based on real time events and data?  Abstraction can always be used to bring about this kind of standardisation, in the same way as with DevOps. 

4. Authentication - Open architectures must be able to identify themselves and others, classify and share critical information, and catalogue things appropriately to safeguard them. This is vital for both nomenclature and taxonomy.  For separate technologies to work together, it’s important that they speak the same language. 

Shane Grennan, Regional Sales Director, UK&I, Fortinet 

Image Credit: Jijomathaidesigners / Shutterstock