At the beginning of October, we attended it-sa for the second time.
it-sa, which has been taking place in beautiful Nuremberg over the last ten years, has grown from a medium-sized Germany-exclusive trade show to the largest show for IT security in Europe. This year, 750 exhibitors welcomed more than 15,000 participants from all over Europe.
Among the topics visitors raised most frequently were the classics, like the ongoing search for a perfect SIEM tool or a simple solution for password management, but above all, we noticed challenges in getting support with vulnerability assessments and in understanding and applying any form of intelligence in different security solutions.
This is in line with the results of the security survey we conducted in Germany in September. Almost 90% of participants believe they can’t correctly handle cybersecurity tasks. This is partly due to a lack of competence, a lack of time, or inadequate tools (or a combination of these).
As in All Areas of IT, the Use of AI Is Also a Security Topic
In many cases, AI is just a marketing statement or buzzword, but there are exciting applications—unfortunately, in both defenses and attacks.
Until a few years ago, both traditional antivirus scanners and anti-spam add-ons used signatures to detect malware. However, the detection rates have fallen to 30%, so modern security is mostly driven by the detection of behavior, which is much more successful, with rates of almost 90%.
The behavioral analysis of malware uses technology based on neural networks.
For this, the wheel doesn’t have to be reinvented; many vendors of AI-based security services use predefined frameworks, such as those offered by cloud providers.
These frameworks have been tried and tested for a long time and are in use everywhere—and significant effort went into coding and maintaining them. Additionally, the cloud offers almost endless resources.
But Here Lies the Problem: The Black Hats Can Access the Same Technologies
Hackers use the same methods, such as back propagation, and they test their code against several well-established solutions at the same time. The attackers are generally a bit more creative than the vendors, who are, by nature, more reactive. But above all, time is on their side.
Larger hacks require a multitier strategy. There isn’t any direct attempt to access or destroy data; instead, the defensive AI is probed to see how it reacts. This gives an idea of which vendor is in use and makes it easier to find a way to manipulate the security solution. These steps can drag on for months, and only after the AI has been successfully disabled, or at least manipulated, does the actual attack take place.
Vendors Use Correlation to Identify Behavior
Well-known providers, such as Cylance or Vectra AI, have been available for several years and offer complete security platforms. As in SolarWinds’ own Orion Platform, the apparent advantage is that data is collected and processed from various layers. Observing behavior requires multiple data points, since a single element on its own is usually insignificant. It’s only after combining different pieces of information that the IT professional can get an understanding of what is happening.
Another approach to using AI is to monitor the behavior of actual users within the organization. While this sounds a bit like 1984, monitoring tries to detect anomalies in what a user is doing or accessing. The idea is that malware often uses incorrectly assigned permissions or tries to hijack privileged accounts. Our survey found that 80% of all threats are caused by employees who accidentally disclose information.
Another interesting detail from the survey showed that almost half of all companies surveyed take a hybrid approach to security: They use both external capacity (managed security services provider, or MSSP) as well as their own resources.
The it-sa attendees confirmed the result. In many cases, an MSSP is used to secure endpoints and the network, but the protection of confidential data is in the hands of a trusted employee.
This concept can work very well; however, the employees must have the right tools at their disposal, which will not only facilitate the security tasks, but often make them possible in the first place.