Eric De Grasse
Chief Technology Officer
The Project Counsel Group
9 November 2017 (Lisbon, Portugal) – The “remorseless” growth of cyber crime is leading to 4,000 ransom attacks a day and gangs’ technological capability now threatens critical parts of the financial sector, the head of Europol said this past week. Online criminals have become so sophisticated that gangs have created “conglomerations” with company structures that specialize in different criminal activities to carry out the attacks, Rob Wainwright, who leads the EU law enforcement agency, said:
“What really concerns me is the sophistication of the capability, which is becoming good enough to really threaten parts of our critical infrastructure, certainly in the financial, banking sector.
And while not all those 4,000 ransom attacks – which demand money to restore access to files that have been frozen or encrypted – are on banks, the financial services sector is seen as the key target because of the potential profits for the criminals. Even bank payment systems and ATM cash machines fall prey”.
Wainwright was speaking at the Web Summit technology conference here in Lisbon.
Originally called the “Dublin Web Summit” where it originated, this technology conference has been held annually since 2009. This year there were 60,000+ attendees from over 160 countries. The topic of the conference is centered on internet technology and attendees range from Fortune 500 companies to smaller tech companies. It is unique in that it brings together a mix of CEOs and founders of tech start ups, together with a range of people from across the global technology industry, as well as related industries.
And it is quite an eclectic group. Just some of the speakers: Margrethe Vestager (European Commissioner, DG COMP) ; Al Gore; Steve Huffman (CEO, Reddit); António Guterres (Secretary-General of the United Nations); François Hollande (former President of France); Mark Hurd (CEO of Oracle); Gillian Tans (President & CEO, Booking.com); Garry Kasparov (Chess Grandmaster) ; Professor Einstein Robot (yes, a robot).
The launch of ransomware attacks such as Wannacry, which struck firms around the world in May and June, has changed the dynamic of such attacks, by propagating them more widely through companies’ computer systems, Wainwright said. He went on to say that the rapidly spreading extortion campaigns underscored concerns that businesses have failed to secure their networks from increasingly aggressive hackers, who have shown they are capable of shutting down critical infrastructure and crippling corporate and government networks:
“The real threat comes from a sort of exponential, remorseless increase in the scale and significance of cyber criminal capability. Every year there now seems to be a doubling, or tripling, of one kind of threat or another, in terms of scale”.
He said the challenge of fighting cyber criminals is that they can be based “in their bedrooms”, making it difficult to find them. A majority of cyber criminals “we are working against are Russian speaking, not just Russian”, he said. He noted that last year, police authorities in several countries smashed 20 criminal groups that had created a “service-based economy” for the rest of the criminal market, such as providing ways to launder money or sell drugs online. Such criminals gangs operate on the so-called dark web, which can only be accessed with special software. It is used by criminals doing everything from selling drugs to guns, but also attacking payments systems and other parts of the financial system:
“There is this sort of cyber criminal underworld that’s a lot bigger and smarter and adept than most people think. And, against it, we still have generally low cyber security standards.”
As always at these events, there is a tremendous amount to cover so I will focus on just one area that received a lot of coverage: artificial intelligence/machine learning (ML) as an example of an emerging technology that can be leveraged to improve cyber resiliency.
First, a proviso. Many companies that produce cybersecurity tools tend to hide their limitations behind complexity. That is why intricate concepts like AI, ML and advanced neural network systems make the perfect smokescreen for a cybersecurity product’s shortcomings. And unfortunately, the cybersecurity developer community tends to explain the complex algorithms and math functions it utilizes in its AI and ML functions with the names of the advanced algorithms themselves rather than explaining the basic logic behind the algorithms, the use cases they were designed to solve, and the data run them through.
But many companies have taken up the challenge and are learning and investing in machine learning for automated threat intelligence. Because the valid vendors in this space have shown that the technology properly employed will allow companies to turn near-time awareness of cyber threats into real-time detection. And given the exponential, remorseless increase in the scale and significance of cyber criminal capability I noted at the beginning of this post, companies must do something. Fast. As Amélie Oudéa-Castera of Axa Private Equity noted “if you’re forced to wait for an analyst or Chief Information Security Officer to manually assess the threat, you’re toast. You’re done”.
One presenter said “don’t let vendors hide behind their algorithms’ complexity. Ask the right questions to assess ML performance and filter out those vendors giving artificial intelligence and machine learning a bad name”. He suggested basic questions security officers can ask (MUST ask) to determine whether a cybersecurity product that leverages AI and ML can be truly effective for their businesses? Here’s his list:
- What is the volume of data sets the algorithm was trained against? (acquiring large amounts of data sets, which are required, is usually difficult)
- What industries was the data taken from? Different industries (banking, retail, insurance, manufacturing, etc.) experience different types of security events that can impact the effectiveness of ML classifiers to determine an event’s intent. Make sure the data sets used are associated with your industry, or at least with a similar one.
- Who are the security domain experts who provided feedback for the algorithm’s training process? If the vendor doesn’t employ the right domain experts to optimize ML algorithms, the ML will remain a theoretical exercise.
- How frequently does the algorithm need to be retrained to maintain its effectiveness? How is the system updated with retrained classifiers?
- Lastly, how many data scientists does the company employ? If a company relies heavily on ML, then it should include at least two or three data scientists with rich experience and background.
If the vendor is able to answer these questions in a satisfactory manner, it’s probably safe to move forward with them. It’s best to also keep in mind that commercial security solutions should never depend on ML alone. They should include heuristic rules that filter out the many non-relevant results that ML algorithms can and do generate.
He also made a critical point. Another crucial aspect of ML for cyber intrusion detection is the importance of the data sets for training and testing the systems. ML and DM methods cannot work without representative data, and it is difficult and time consuming to obtain such data sets.
As a number of presenters noted, using ML for cyber intrusion detection might be critical because attackers now focus on vulnerable endpoints as the preferred point of entry for malware, as endpoints are not confined to the data center, with its layers of security under the watchful eye of security teams. With the increased use of public and hybrid clouds, the network becomes even more diverse and complex, not to mention the coming mass-propagation of the Internet of Things sensors and control devices. Humans simply can’t keep up today, even the best of them. Tomorrow will be even more challenging.
This is where machine learning will be key. Machine learning provides the fastest way to identify new attacks and push that information to endpoint security platforms. Machines are excellent at repetitive tasks, such as making calculations across broad swaths of data, crunching big data sets and drawing statistical inferences based on that data, all at rapid speed. With the help of machine learning, security teams may have greater insight into who the attackers are (basic attribution), what methods they’re using, and how successful those methods are. But as Cedrik Neike of Siemens noted:
“Despite this, it’s imperative to remember that machines lack the ability to put data into context like humans can, or understand the implications of events. Context is of critical importance in cyber operations and not something as well suited to machines”.
Machine learning is a long way from perfect, but it’s making significant gains and worth the effort. Of course, the results derived are always subject to the variables humans submit for calculation and any unknowns that we didn’t calculate in the equation. The models are only as good as the human-provided inputs; as we know, machines don’t think for themselves. A hybrid of human and machine will be the answer, and as technology evolves, the workload will shift.
NOTE: one of the more vexing cyber-security threats today is the use of very large, coordinated groups of hosts for brute-force attacks, intrusions, and generating unsolicited emails. These large groups of hosts are assembled by turning vulnerable hosts into so-called zombies, after which they can be controlled from afar. A collection of zombies, usually called bots, when controlled by a single command and control infrastructure, form what is called a botnet. Botnets obfuscate the attacking host by providing a level of indirection and separating the assembly of the botnet and its use for attack by an arbitrary amount of time. Their sheer power, however, is what has fueled their proliferation; botnets often involve thousands of hosts that can be collectively commanded to launch highly effective coordinated cyber-attacks. There was a very technical presentation on using machine learning techniques to identify the command and control traffic of botnets but that will need to wait for another post.
AI Deals Tracker
CB Insights had an interesting presentation called “AI Deals Tracker” whereby they identified over 80 private companies in cybersecurity that are using AI and categorized them into the nine main areas in which they operate. Two unicorn companies valued at over $1B were included: the automated endpoint protection company Tanium and the predictive intelligence company Cylance. The category breakdown was rather interesting:
Anti Fraud & Identity Management: This is the most populated category within the cybersecurity AI market. Startups in this category mainly help secure online transactions by identifying fraudsters. For example, the company FeedZai utilizes machine learning algorithms to proactively detect fraud in financial transactions. Similarly, companies like Socure can detect fraudulent users on websites and in mobile applications also using machine-learning algorithms.
Mobile Security: Included in this category are startups such as Appthority, which provides a cloud-based platform that automatically identifies and grades risky behavior in mobile apps including known and unknown malware, new malware used in targeted attacks, corporate data ex-filtration, and intellectual property exposure. Similarly, Skycure’s predictive technology leverages massive crowd knowledge to proactively identify threats to secure mobile devices.
Predictive Intelligence: Companies such as the unicorn company Cylance aim to couple sophisticated math and machine learning with a unique understanding of a hacker’s mentality, and by doing so offer technology and services that are predictive and preventive against advanced cyber threats. Likewise, the company SentinelOne uses predictive execution modeling to detect and protect network devices against targeted, previously unknown threats in real time.
Behavioral Analytics / Anomaly Detection: Startups in this category include Darktrace which uses advanced mathematics and machine learning to detect anomalous behavior in organizations’ systems and networks in order detect cyber-attacks. Unlike software that puts locks on doors, Darktrace’s approach allows enterprises to protect their information and intellectual property from state sponsored, criminal groups or malicious employees who are already inside the network as well as from external attacks. Companies such as BehavioSec offer a behavioral biometric systems that creates digital fingerprints from an end-user’s behavior through monitored keystrokes, mouse behavior, and anomaly detection to ensure security of IT organizations, e-commerce, and more.
Automated Security: Startups in this category include unicorn company Tanium, which couples an application of AI known as natural language processing with endpoint protection on a massive scale. Tanium empowers security and IT operations teams to ask questions about the state of every endpoint across the enterprise in plain English, automatically retrieve data on their current and historical state, and execute change as necessary within seconds. Other companies include Demisto which offers systems that are designed to automate security tasks across 100+ security products and weave human analyst activities and workflows together.
Cyber-Risk Management: Companies in this category range from cyber-insurance oriented companies to those that are security policy and compliance focused. For example, Cyence empowers the insurance industry to understand the impact of cyber risk in the context of dollars and probabilities. Other companies include Cybersaint, which offers solutions for streamlining the cyber-risk compliance process. Slightly different, but still within the business of managing cyber risk is the company Wiretap, which helps secure enterprise social networks, as well as collaboration tools, by securing against intellectual property and confidential data leaks, insider threats, HR policy violations, compliance issues, and external sharing risks.
App Security: Companies in this category are focused on securing specific enterprise applications rather than entire networks. This includes both web-based and dev-ops oriented applications, and more. This category includes companies such as Authbase, which provides frameworks to help developers secure applications by finding, fixing, and monitoring web, mobile, and networks against current and future vulnerabilities; the company Cryptosense, whose software employs a unique mix of formal analysis and machine learning to find security flaws in cryptographic systems; and Cyber 20/20, which monitors network traffic for suspicious activity within applications and automatically submits them to a machine learning platform, where they are analyzed and shown to be malicious or not.
IoT Security: These startups include SparkCognition, which develops AI-powered asset-protection software for the safety, security, and reliability of the IoT. Bastille Networks utilizes machine learning algorithms to secure the IoT on corporate campuses by identifying airborne threats such as hidden recording devices or transmitters in a conference room, and allow for a preemptive response to data theft. CUJO is a smart firewall that protects a user’s connected home from criminal hackers by using a combination of cloud services, machine learning, and mobile apps to manage the network.
Deception Security: illusive networks provides solutions that combat Advanced Persistent Threats by proactively deceiving and disrupting in progress attacks. CyberFog (dba CyberSwarm) offers a deception tool that detects and fights cyber attacks by creating a neural network of thousands of fake computers, devices, and services that act like a fog and work under the supervision of machine learning algorithms.
