John Tolbert, lead analyst at KuppingerCole, an international independent research organization, said that although billions of dollars were invested in cybersecurity products in 2017, cyber attacks continue to succeed, which means cybersecurity tools need to be updated. Tolbert told attendees of the KuppingerCole Cyber Security Leadership Summit in Berlin that security tools have tended to focus on prevention, but now they need to take a more practical view and devote more time and tooling to detection and response.
Tolbert said that defenses built on Lockheed Martin's Cyber Kill Chain were mainly aimed at preventing the reconnaissance, weaponization, delivery and exploitation phases, with detection and response required only at the malware installation, callback and execution phases of the kill chain. While this is still a valid approach, he said that the Mitre framework was more modern and more realistic, with prevention mentioned only in connection with the initial access and execution phases, and the remaining phases, such as privilege escalation, credential theft, lateral movement and exfiltration, left to detection and response. These frameworks are useful in helping organizations plan where they need to do work, and while prevention will always be important, there has been a shift in emphasis to detection and response. His organization believes AI and machine learning can help in making this shift, Tolbert said.
When security vendors use the term AI, they do not mean AI in the sense of a computer having the capability to think in the same way as a human being. They usually mean that their product uses a machine learning algorithm to solve particular problems.
Other areas where ML comes into play are firewalls, web application firewalls and application programming interface (API) gateways, where machine learning can be used to analyze traffic patterns; threat hunting, where ML can enhance the capability to deal with huge volumes of data across thousands of nodes; authorization and access control policies, where ML can aid the analysis of access patterns and analyze regulations to auto-generate rules and policies; data governance, for auto-classification of data objects; and Security Information and Event Management (SIEM) and user behavior analytics, where ML can be used for efficient baselining and anomaly detection.
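As an added illustration of the SIEM and user behavior analytics baselining and anomaly detection the article mentions (example code written for this page, not KuppingerCole's or any vendor's): it learns each user's normal login hours and source networks from constructed historical events and scores new events by how improbable they are under that baseline, using a simple Laplace-smoothed frequency model in place of the ML models the article refers to. The log format, user names and addresses are all made up.

```python
import re
from collections import Counter, defaultdict
from math import log

# Constructed SIEM-style authentication events (sample data, not from the article):
# ten routine working-hours logins each for alice and bob form the learning window.
BASELINE_LOGS = [
    f"2017-11-{d:02d}T{h:02d}:15:00Z user=alice src=10.1.4.{20 + d} result=success"
    for d, h in zip(range(1, 11), [8, 8, 9, 9, 8, 9, 10, 8, 9, 8])
] + [f"2017-11-{d:02d}T09:05:00Z user=bob src=10.2.7.5 result=success" for d in range(1, 11)]
NEW_LOGS = [
    "2017-11-12T08:40:00Z user=alice src=10.1.4.31 result=success",    # routine
    "2017-11-12T03:10:00Z user=alice src=203.0.113.9 result=success",  # odd hour, new network
    "2017-11-12T09:00:00Z user=bob src=10.2.7.5 result=success",       # routine
    "2017-11-12T09:00:00Z user=mallory src=10.2.7.5 result=success",   # account with no history
]
EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_event(line):
    """One log line -> dict with the two behavioural features the baseline is built on."""
    e = EVENT_RE.match(line).groupdict()   # raises AttributeError on an unparseable line
    e["hour"] = int(e["ts"][11:13])        # hour of day from the ISO timestamp
    e["net"] = e["src"].rsplit(".", 1)[0]  # /24 prefix as a coarse "where from" feature
    return e

def build_baseline(lines):
    """Per-user frequency tables of login hour and source /24, learned from successful logins."""
    base = defaultdict(lambda: {"hour": Counter(), "net": Counter(), "n": 0})
    for e in (x for x in map(parse_event, lines) if x["result"] == "success"):
        b = base[e["user"]]
        b["hour"][e["hour"]] += 1
        b["net"][e["net"]] += 1
        b["n"] += 1
    return dict(base)

def surprise(baseline, event, smoothing=1.0):
    """Anomaly score: sum of -log P(feature | user) under a Laplace-smoothed categorical model.
    Rare hours or networks raise the score; an account with no baseline at all scores infinite."""
    b = baseline.get(event["user"])
    if b is None:
        return float("inf")
    score = 0.0
    for feat, n_categories in (("hour", 24), ("net", len(b["net"]) + 1)):
        p = (b[feat][event[feat]] + smoothing) / (b["n"] + smoothing * n_categories)
        score += -log(p)
    return score

def flag_anomalies(baseline, lines, threshold=5.0):
    """(user, src, hour, score) for every event whose surprise exceeds the threshold."""
    scored = ((e, surprise(baseline, e)) for e in map(parse_event, lines))
    return [(e["user"], e["src"], e["hour"], round(s, 2)) for e, s in scored if s > threshold]
```

With the constructed data, a single rare feature (an odd hour alone, or a new network alone) stays under the threshold, while the combination of both, or an account with no history at all, is flagged; tuning that threshold against real false-positive rates is the analyst's job, not the model's.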