Posts

Data Privacy Market Still Has Room for All Entrants

by Victoria Hudgins, writer, Law.com, July 18, 2019

The rapid growth and complexity of data privacy laws make the idea of one dominant privacy compliance company unlikely, ensuring lawyers’ seat at the table.

In the midst of growing data regulation laws and compliance needs, some privacy compliance technology companies are attracting a slew of investments. Take for example, data privacy compliance company OneTrust raising $200 million and TrustArc announcing it secured $70 million last week.

But while it may be tempting to say a select few companies have cornered the data privacy market, competitors and observers say the variety and complexity of data privacy regulations makes no platform the single go-to company in the market. Likewise, lawyers’ legal expertise still makes them a valuable asset for understanding regulations.  

Dave Deasy, vice president of marketing at TrustArc, said the combination of stiff fines grabbing companies’ attention and many regulations’ reporting requirements is driving venture capital investment into data privacy compliance tech.

As European regulators begin to levy penalties for high-profile data breaches under the General Data Protection Regulation (GDPR), companies are also concerned about other growing data regulations and the patchwork of U.S. data privacy laws. In turn, companies need a host of services to meet their data privacy requirements.

“There are a lot of moving pieces. I suspect [data privacy compliance] companies will concentrate on a particular area,” said Paul Hill, senior consultant for SystemExperts Corp., a cybersecurity consulting services company. “There’s legal advice, inventory of data and tracking where data goes and then there’s the wide variety of technical controls.”

TrustArc’s Deasy noted he’s seen more small startups sprouting up with specialized functions geared toward single aspects of a data privacy regulation, from solely offering to manage data request services to only providing data discovery. Meanwhile, law firms are now leveraging compliance technology to counsel their clients, he added.

While firms are using platforms from tech companies, they are also creating data privacy compliance tools of their own for clients, said Tsutomu Johnson, Parsons Behle & Latimer of counsel and CEO of the firm’s legal tech lab.

Indeed, various law firms have created privacy compliance tools to provide clients with access to their legal expertise, at perhaps the detriment of the billable hour, to fit clients’ 24-7 needs. That foray into legal tech is law firms’ stepping stone into automating more legal services, Johnson said.

“What I think law firms will do is pivot and leverage the technology they’ve made in privacy to meet a demand … to figure out a way to contain legal costs and the only way you can do that is by automating,” he said.

Likewise, lawyers still maintain the traditional role of drafting contracts in compliance with varying regulations.

“The gap law firms can still fill is creating language that is in compliance with the text of the law,” Johnson said.

Considering the Use of a CPaaS Provider? Look at the Inherent Risks

The rise of the communications platform as a service (CPaaS) model has many enterprises migrating from on-premises communications to cloud platforms and APIs. CPaaS and APIs offer benefits including improved productivity and third-party app integrations, but before proceeding to adopt CPaaS companies should consider the inherent risks.

Remember that the underlying technologies tend to be insecure. Even if an encrypted communications channel is used between the application that initiates the communications with the CPaaS provider, the data is not necessarily secure along the entire path.

CPaaS providers give developers and companies the ability to integrate or embed communications channels such as SMS, MMS, and voice into their applications. SMS and MMS do not define security mechanisms. Ultimately any SMS or MMS message is delivered to the remote endpoint over an unencrypted communications channel. Hence, integration with these services may not be appropriate in all circumstances, because their use may violate regulatory or contractual requirements for some types of sensitive data. In addition, a sophisticated attacker may be able to modify the contents during transmission or replay the message at a later time.

MMS also entails additional underlying risks. If a user of the integrated application receives an MMS message, the message could contain malware. So the endpoints running the CPaaS integrated applications and devices must be running anti-malware software where possible. 

VoIP and SIP services supported by CPaaS providers also have some inherent security risks. These include being subject to Denial of Service (DoS) attacks, message tampering, impersonation of servers, and registration hijacking of the authentication. 

Organizations should also remember that APIs typically add complexity and increase the attack surface area. Attackers might be able to exploit data sent into an API, including URL, query parameters, HTTP headers, and/or post content. Or an attacker might seek to exploit flaws in authentication, authorization, and session tracking. Adding multiple CPaaS providers will increase the complexity and potentially provide attackers with additional opportunities.

Organizations should also be aware that employees might utilize CPaaS features to exfiltrate data. For example, MMS could be used to send a file containing sensitive or confidential data.

There are a variety of compensating controls that can be used. For example, a Cloud Access Security Broker (CASB) could be used to help prevent the exfiltration of sensitive or confidential information. It could also be used to help block and quarantine malware being received or sent. 

Some Web Application Firewalls (WAFs) can be used to help secure the use of a CPaaS. A WAF may be able to mitigate the risks of server impersonation, some DoS attacks, or even provide some parameter validation. For example, a WAF can be used to block very large messages, heavily nested data structures, or overly complex data structures. 

All of the communications with the CPaaS provider via the APIs should be encrypted using TLS. This can be enforced by properly configured firewall rules. 

Intrusion Detection Systems / Intrusion Protection Systems (IDS/IPS) devices should also be deployed on the network to detect and/or prevent some of the potential attacks.

Given the security issues in some of the underlying protocols, session management should not solely rely on authentication. If practical for the environment, access should be limited to specific IP address ranges, and where practical device authentication should be performed as well as user authentication.
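The parameter validation described for a WAF (very large messages, heavily nested or overly complex data structures) and the IP address range restriction can be combined into one admission check in front of a CPaaS webhook or API client. The following Python is an added example, not code from the original post; the limits, the address ranges (documentation prefixes) and the function names are assumptions.

```python
import ipaddress
import json

# Assumed limits and ranges; adjust to the provider's documented message sizes.
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 8
MAX_ELEMENTS = 2000
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("2001:db8:40::/48")]


def scan_structure(text):
    """Return (max_depth, element_count) without building the object tree.

    Depth is measured before json.loads runs, so a payload made of thousands
    of nested brackets is rejected without exercising the recursive parser.
    """
    depth = max_depth = elements = 0
    in_string = escaped = False
    for ch in text:
        if in_string:                      # brackets inside strings are data
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            elements += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
        elif ch == ",":
            elements += 1
    return max_depth, elements


def admit(source_ip, body):
    """Return (allowed, reason) for a request body (bytes) from source_ip."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return (False, "bad source address")
    if not any(ip in net for net in ALLOWED_NETS):
        return (False, "source not allowed")
    if len(body) > MAX_BODY_BYTES:
        return (False, "body too large")
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return (False, "not UTF-8")
    depth, elements = scan_structure(text)
    if depth > MAX_DEPTH:
        return (False, "nesting too deep")
    if elements > MAX_ELEMENTS:
        return (False, "too many elements")
    try:
        json.loads(text)
    except ValueError:
        return (False, "malformed JSON")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample requests.
    print(admit("198.51.100.7", b'{"to":"+15555550100","body":"hi"}'))
    print(admit("198.51.100.7", b"[" * 5000 + b"]" * 5000))
```
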

Cybercrime: Impact on Manufacturers

With the rise in value of intellectual property, cybercriminals are now aiming their activity at the manufacturing sector. Manufacturers in the past haven’t practiced the strictest of cybersecurity measures, making themselves quite vulnerable today. The exceptions are industries such as chemical and pharmaceutical manufacturing, which are subject to federal regulations regarding cybersecurity.

Within the general manufacturing sector many companies are increasingly worried about intellectual property theft regarding product design and manufacturing costs. In particular they are concerned about this type of information being used by overseas competitors.

SystemExperts recommends that manufacturing companies create a cyber security program that aligns with ISO 27002, aka Information technology – Security techniques – Code of practice for information security controls, or the NIST Cyber Security Framework (CSF). Implementing either of these frameworks will help defend companies from a broad range of threats including the narrow issues of ransomware and intellectual property theft.

In the short term, manufacturing companies should prepare for cyberattacks. First priorities to prepare for such attacks include:

  • Identify all business critical files
  • Ensure all business critical files are backed up
  • Ensure that backup files are isolated and can only be accessed by an account dedicated to backup and restoration operations
  • Ensure that backups can be restored
  • Ensure all devices used for reading email have current, active, anti-virus software installed and running
  • Ensure that all email gateways are performing real-time inspection and detection to completely disassemble email attachments and downloads to remove potential malware threats
  • Restrict user accounts: these should not have local administrator rights nor administrative rights to file shares or servers
  • Educate users about the proper use of email, phishing attacks, and ransomware

For additional information visit the NoMoreRansom.org site and read the materials available on it. Companies that are a victim of ransomware should visit the site and determine if the files can be recovered without paying the ransom.

How important is AWS certification for career success?

Many companies specify the need for a certification in job postings simply to weed out unqualified candidates as quickly as possible. The reality is that for most companies, real world experience and demonstrated success will count more than a certification.

For a long term career path with few limitations a much better choice is to obtain a B.S. in Computer Science, or an advanced degree, from a school with a renowned reputation. These degrees demonstrate that a candidate can absorb abstract ideas, apply them to new situations, and have the discipline to succeed.

However, certifications in limited subjects have their uses when evaluating candidates that haven’t had the opportunity to be admitted and graduate from schools offering computer science programs.

Amazon currently offers ten different certifications. The graphic from Amazon’s certification page (https://aws.amazon.com/certification/) provides the names of the certifications, how they are categorized, and the recommended experience associated with each of the certifications.

Note that to obtain some of these certifications, Amazon requires individuals to have already obtained a prerequisite certification. For example, to obtain a Professional Solutions Architect certification, the Associate Solutions Architect certification is a prerequisite. For any of the specialty certificates, both a Foundational Cloud Practitioner and one of the Associate certifications are needed as a prerequisite.

In my opinion, most technical people interested in obtaining an Amazon certificate should start with the Associate Solution Architect. This demonstrates more advanced knowledge than the Foundational Cloud Practitioner and serves as a good prerequisite for later advancement or specialization.

To prepare for taking a certification exam there are many options. Amazon itself offers seven on-demand Exam Readiness courses available at no cost. This is a great choice for people that have the self-discipline to learn without an instructor at their own pace.

For people that need a more structured learning environment there are a variety of online courses from various training vendors including Udemy, Cloud Academy, Lynda.com, and many others. In addition, many community colleges and adult education programs around the country offer traditional classroom courses to prepare to take the AWS certification exams.

How Companies Can Protect Themselves from Ransomware

I was recently asked about ransomware and how companies can defend themselves. The most common vectors of infection for ransomware are email, such as attachments and malicious links in the email, and exploit kits, which are usually executed when a victim visits a compromised website.

Some organizations assert that approximately 60 percent of ransomware infections result from email vectors. To address this, we encourage our clients to fully implement the recommendations of a well-established security framework such as:

  • ISO 27002, Information technology – Security techniques – Code of practice for information security controls
  • The Center for Internet Security’s (CIS) Top 20 Critical Security Controls
  • NIST’s Cyber Security Framework (CSF)

A subset of the controls defined in the above that are directly relevant to defending against ransomware infections are:

  • Server side anti-virus software on incoming email gateways
  • Endpoint anti-virus software on all users’ desktops, laptops, tablets, and smartphones
  • Email should only be read, and web browsing only done, from non-privileged accounts
  • Keep up to date with security patches on servers and endpoints
  • Implement DMARC, SPF, and DKIM to reduce the likelihood of receiving ransomware

Security awareness training: Train users to be cautious about the use of email and the Internet:

  • Don’t open any unexpected attachments, even those apparently from people you know
  • Don’t click on any links in email received from unknown third parties
  • Examine the sender’s email address to see if the email really originates from the person you think sent the email

Note, in addition to traditional signature based anti-virus software, consider deploying next generation (aka signatureless) anti-virus / anti-malware tools. Techniques in these tools include sandbox detection, data mining, behavioral detection, artificial intelligence, machine learning, and cloud-based file detonation.

Organizations should also assume that they will still occasionally get infected with ransomware. There are critical steps to take to reduce the impact:

  • Perform frequent backups of all critical systems
  • Perform table top exercises to help determine:
    • What needs to get backed up
    • How frequently backups should be performed (recovery point objectives)
  • Test your ability to recover from backups. This ensures employees know the procedure and validates that backups are being performed correctly
    • Know what your practical recovery time objective (RTO) can be
  • Segregate backup storage. If one of your system administrators’ accounts is infected, you don’t want the ransomware spreading to the backups. (Remember, email should only be read, and web browsing only done, from non-privileged accounts)

If your organization is infected by ransomware and restoration from backups does not resolve all of the problems, then try to determine if the decryption keys are freely available from a third-party.  See:

AI in Cybersecurity: How it can be tricked

Using AI to provide cybersecurity solutions has received a lot of press in the past two years. The reality is that most “AI cybersecurity” products use Machine Learning (ML) techniques, which is just one subset of a broader range of techniques associated with deep AI.

ML techniques are being used in several cybersecurity domains including:

  • spam filtering
  • intrusion detection and prevention
  • botnet detection
  • reputation rating
  • fraud detection

To a much lesser extent some services are using ML to provide incident forecasting to help answer questions like: Is there observable behavior on the Internet which can be used to measure the likelihood that a particular organization is going to be attacked and the nature of the attack?

ML uses mathematical and statistical functions to extract information from data, and with that information ML tries to guess the unknown. ML uses various algorithms such as Naive Bayes, Random Forest, Decision Tree, and Deep Learning to analyze the data.

In order to increase the success of ML, lots of training data is generally used. Vendors of ML Cybersecurity products typically constantly gather data from their customers as well as using data generated by researchers.

Typically a form of supervised ML is used, in which a data set with metadata about which behaviors are valid and which are malicious is used to teach an ML tool to make accurate predictions about related new data. For example, if the data set included 10 million email messages, including their full internet headers, along with metadata indicating which emails are harmless and which are malicious, the resulting tool may be able to determine if a newly encountered email message is harmless or malicious.

There are at least three ways in which cybercriminals might defeat ML cybersecurity:

  1. Pollute the data set to cause the ML tool to have a low rate of success or accuracy
  2. Identify bias within the data used for training and design the attack to exploit the bias
  3. Identify bias within the algorithm used to analyze the data and design an attack to exploit the bias

To provide a simple example, data might indicate that email purporting to be from a Nigerian prince, using incorrect English grammar, is spam. As a result, the attackers might decide to make the email appear to be from an established insurance company, using phrasing that has appeared in legitimate email from the real insurance company. This might be a way to exploit the training data bias. In theory, larger data sets from a wide variety of sources should lower the bias, but this is not always true.

Some products use a variety of algorithms and training data sets to provide a higher level of confidence that a single bias or single set of compromised data won’t compromise the overall integrity of the product.

DNS: Don’t ignore the risk to your company

by Sam Greengard, writer, Security Roundtable, February 19, 2019

It’s 5:30pm and you’re still at work going through the last batch of emails. You’re feeling a bit overwhelmed after a long day—you want to get home to dinner—when you see an e-mail from a co-worker that looks important. It has your name in it, the graphics look authentic and the wording sounds legit. You click a link to view a document but immediately notice something is amiss. Instead of going to mnocorp.com, you’ve arrived at mmocorp.com. And just like that, you have encountered a DNS exploit.

You’ve been tricked into clicking a link to a site that is now downloading malware onto your computer and into the company’s network. This could result in anything from a data breach to ransomware that spreads across your entire organization. “It’s a tactic that is incredibly easy to fall prey to and the results can be devastating,” says Rick Howard, chief security officer at Palo Alto Networks. 

The term DNS stands for Domain Name System. It’s the underlying address framework that directs traffic across the Internet and delivers users to websites. It transforms obscure codes and symbols—the actual numerical IP address—into an address with a name. 

However, savvy hackers and attackers exploit vulnerabilities in the DNS framework to shut down systems, inject malware and perform other exploits. These methods continue to advance and affect mobile systems as well as conventional web browsers.

DNS attacks can be tricky  

DNS attacks come in a few variations. A common method—a link in an e-mail that has been set up as a phishing or spear-phishing attack—relies on a slightly misspelled name or other visual deception to steer a user to a website that inserts malware into a computer. 

Other DNS exploits rely on human error. “An attacker will often create websites that have very similar DNS names to a legitimate site and then rely on people making a typo when entering a URL into the browser,” says Paul Hill, a senior consultant at SystemExperts, an independent security consulting firm. Some refer to this method as “typosquatting.”

Cyberthieves also trick DNS registrars into changing records to redirect traffic to an IP address they control. Although many of these domains become known quickly—and are either shut down or blacklisted—some manage to get through. “This may result in users accessing a ‘trusted site’ that is under control of an untrusted party,” Hill points out. 

In addition, Howard says that activists and hacktivists launch attacks on sites and attempt to take them down by flooding them with illegitimate traffic. Nation states might also enter the picture. This type of DNS amplification attack strengthens the force of a distributed denial of service (DDoS) attack.  

Addressing DNS security risk

Regardless of the specific approach in DNS attacks, organizations can take basic steps to protect their assets. First, it’s critical to use a DNS cybersecurity solution that addresses known offenders and blacklists them. This is a highly effective way to block phishing and spear-phishing attacks. 

Hill says that organizations can also benefit by creating secure connections. Traditional DNS queries and responses travel over unencrypted connections. This makes it easier to eavesdrop and spoof. By encrypting traffic through a method called Transport Layer Security (TLS) and using certificates, it’s possible to diminish the odds that an attack will succeed.

Other methods can also aid in the battle against DNS attacks. One popular approach is to train employees to spot illicit sites by hovering their mouse over a URL and inspecting it. Some companies also use simulated phishing attacks to raise awareness. These exercises help people spot fake messages. In some cases, Howard says, they can reduce clicks on bad links by an order of magnitude. “But you still can’t prevent some people from clicking on bad links, which is why you need a multi-layered approach and the right DNS software,” he explains.

Additional steps include security tools that quarantine messages based on specific words or phrases, a greater use of encryption and endpoint security, and rethinking procedures—including authorizations. While these may not stop a DNS attack from taking place or a network from becoming infected by malware, they can aid in thwarting additional phishing and spear-phishing, and prevent specific transactions from taking place. Howard adds: “Blocking domain names that are known to be bad is the best protection of all. Hackers can’t break into a system when they are blocked.”

When reputation is on the line

DNS attacks pose a serious threat to reputational risk. The European Union’s General Data Protection Regulation (GDPR) introduced stringent breach reporting requirements for organizations doing business in the European Union. Australia, as well as states such as California, are introducing new privacy regulations and reporting requirements. This adds potential visibility and regulatory scrutiny to a DNS attack. It exposes a company to investigations and penalties. 

What’s more, businesses are increasingly required to take into account state-of-the-art technology and use this as a standard when determining risk. This means they can be held accountable for failing to upgrade their defenses to meet the regulation. 

Then there are also responsibilities to shareholders. DNS attacks that lead to major damage can cost a company millions of dollars and put senior executives directly in the firing line. They may be held responsible for damages. The cost of fixing the problem is often compounded by lost sales and eroded trust for an e-commerce platform, if the site is down for any period of time. A 2017 study conducted by Ponemon Institute found that the average data breach now costs a company $3.9 million.

There are no quick fixes. Typosquatting and other techniques that exploit misspellings, typos and variations on actual top-level domains will continue to pose a threat. Although the problem would vanish overnight if every company registered domain names with an encrypted certificate, this isn’t going to happen. Consequently, it’s critical for your organization to include DNS attacks in its overall risk management strategy.

DNS attacks represent both a practical risk and a reputational risk. Executives can take aim at the problem through a coordinated approach that involves security tools, training and a governance framework that promotes trust. When executives address all three components, it’s possible to build a more coordinated and holistic defense.

Here are a few examples of how DNS attacks are engineered (fake URLs are frequently embedded in links that do not automatically display the actual address):

Misspellings

Google.com -> Goggle.com

Microsoft.com -> Microosoft.com

Apple.com  -> Aqqle.com

Domain confusion

www.bankoftheworld.com/newproduct  -> www.newproduct/bankoftheworld

www.airline/newflight.com  -> www.airlines/newflight.com

Country code and top-level domain abuse

www.rusticwinery.com  -> www.rusticwinery.co

www.securityaces.com  -> www.securityaces.cm

With AI, promises still outpace reality

by Esther Shein, senior reporter, SCMagazine, January 3, 2019

AI’s value on the endpoint still a work in progress, but it’s improving

AI is great for solving yesterday’s endpoint attacks, but the jury is still out on solving tomorrow’s.

Today it is almost impossible to talk about cybersecurity without someone turning the discussion to artificial intelligence (AI). Sometimes it is appropriate, sometimes not. The trouble is, AI has become the go-to acronym for everything from threat intelligence to data protection to picking your next password. The problem is, when so many security pros bandy about AI as the end all, be all of security, the waters get muddy and the truth becomes harder to see.

Ask Tufts Medical Center CISO Taylor Lehmann about his use of AI platforms to protect cloud-based systems and he will tell you he is both ahead of the curve and behind it compared to other hospitals.

“It’s sort of unavoidable right now — anyone looking to improve their security posture, which is everyone — is inundated with products and services selling AI solutions,” Lehmann notes. “You can’t buy anything today without AI embedded.” But, he adds, “Responsible security officials don’t buy products but form a strategy” first. For Lehmann, that means striking a balance between the need to keep costs low while implementing security and threat protection offerings “that don’t require us to hire a bunch of people to run.”

Tufts Medical Center, part of a seven-hospital consortium in eastern Massachusetts, has a solid security infrastructure and Lehmann’s team has visibility into what is running on the network, he says. Right now, Tufts is “investing heavily in building an insights-out capability for security. Where we’re behind is in getting a better hold on third parties we share information with.”

The challenge, Lehmann says, has been identifying insights from within the data: Where is it going, to whom, the volume and the role of vendors in the care delivery process as it moves off the network. With an increasing amount of data being moved to the cloud and third-party providers, can AI help secure endpoints? Although the medical system is only in the early stages of using AI in the cloud, so far, he says, the answer is yes.

“We see the value in investing in AI, and we think there’s more opportunities for us to increase our use of AI that will make our lives easier and reduce the costs of the medical system and improve the security of our medical system,” he says. When your endpoints extend beyond the network and into the cloud, however, the obligation for securing data and applications becomes a shared responsibility, Lehmann stresses.

“When you put data in the cloud you’re sharing responsibility with someone else to protect it,” he says. “Where it’s our role, we’re using network-based and endpoint-based AI to do that. It’s important that our vendors do the same.”

AI on the endpoints today

Many others are also banking on AI to secure endpoints. The cloud endpoint protection market size was $910 million in 2017, and is projected to exceed $1.8 billion by 2023, at a compound annual growth rate of 12.4 percent, according to Markets and Markets Research. “The growing need for effective protection against cyberattacks on endpoints is expected to drive the market,” the firm notes.

Antivirus and malware detection technologies remain a moving target and the volume of new malware and attack techniques continues to grow. Couple that with the increasing volume of data being moved to endpoints like the cloud, “and it’s clear that scaling these products to deal with such speed and volume requires a heavy investment in AI-like capabilities,” notes the Gartner report Lift the Veil on AI’s Never-Ending Promises of a Better Tomorrow for Endpoint Protection.

Nearly every day there are eye-catching headlines about how AI will transform everything from data management and backups to customer service and marketing, not to mention every single vertical industry. Heck, it even promises to change the economy — and deliver a better cup of coffee.

But in the rush to use AI components for endpoint protection, it is important to look beyond the hype, security experts insist.

Almost all endpoint protection platforms today use some data analysis techniques (such as machine learning, neural networks, deep learning, Naive Bayes Classifiers or natural language processing), the Gartner report states. They are easy to use and “require little to no understanding of or interaction with their AI components … However, it is critical that SRM (security and risk management) leaders avoid dwelling on specific AI marketing terms and remember that results are what counts.”

The Forrester report Mobile Vision 2020 is projecting that many organizations will be using AI and cognitive computing to generate business and security insights from unified endpoint data by 2020.

Forty-six percent of respondents to a 2017 survey said they anticipate the amount of endpoint data they collect will increase between 1 percent and 49 percent over the next three years, while 50 percent are bracing themselves for growth of 50 percent or more, according to the Forrester study.

“Organizations can gain significant intelligence from endpoint data, particularly for threat detection and remediation purposes,” the report says.

Security experts and enterprises that have started utilizing AI systems to protect data and apps in the cloud say that the technology certainly has merit but is not yet the panacea for defending endpoints.

“I think the hype is very, very dangerous and … I’m really worried, and don’t believe the hype will live up to everything it promises, but [AI is] very good for certain things,” observes Johan Gerber, executive vice president of the Security and Decision Products for Enterprise Security Solutions team at Mastercard. Gerber is based in St. Louis.

The credit card company acquired an AI software platform in 2017 to help it expand its ability to detect and prevent fraud and monitor the network, to enhance the security of customer information, Gerber says.

Since then, “we’ve been able to increase our fraud detection by 50 percent and decrease our false positives by 40 percent, so the application of advanced AI has really helped us in this use case.”

Gerber says he is “very excited about the potential of AI, and we’re using it every day and, in my world, it’s living up to promise and doing a tremendous amount for us.”

Mastercard is building models using a combination of neural networks and decision trees, as well as some AI open libraries. But Gerber says the “hybrid approach” is best when it comes to securing endpoints.

“I don’t believe in silver bullets; you need to have a multilayered approach … and we have an interesting mix of true machine learning supervised and unsupervised learning to help us know when it’s an attack we’ve seen before and an attack we haven’t seen before,” he says. “You need to look at the specific problem you’re going to solve and figure out whether AI will get there. The notion it will solve everything is dangerous.”

For AI and machine learning to be effective at securing endpoints, you have to have the right data and the right model, he says. “Machine learning learns from previously known patterns so [there is a] risk of it not being able to find anything it hasn’t seen yet. You teach the model and then say, ‘Figure it out using algorithms.’ I will not trust AI around securing data in the cloud; I will rely on a layered approach.”

That sentiment is shared by Zachary Chase Lipton, an assistant professor of business technologies at Carnegie Mellon University, who says a lot of people discuss AI without knowing what they are actually talking about. “The term is being used like an intellectual wild card,” he says.

People get excited about using machine learning algorithms to recognize suspicious traffic patterns that are predictive of previous security incidents, Chase Lipton says. The model has potential, he adds. But the catch with using pattern recognition is that “you make a giant assumption.”

When people make what Chase Lipton calls an “inductive assumption,” utilizing different types of data to say, “This is unkosher traffic on your network,” there is a chance they might not have all the information they need, or even the right information, he notes.

While machine learning might predict a pattern in one instance accurately, “that machine learning model could break” in another, he continues.

“With security, you’re dealing defensively with an adversary who’s actively trying to circumvent the system,” he says, when you rely on machine learning to do pattern recognition to try and protect a system. “People writing malware have a strong incentive to change what they’re doing and screw with things to fool the machine learning system.”

In that case, you can no longer say a system is 99 percent accurate; it is 99 percent accurate on what was in the past; it is not guaranteed to be correct in the future, he says.

Taking that into account, Chase Lipton thinks there will be “incremental usefulness” of AI systems to secure endpoints. “But what people have to watch out for is a machine learning system can potentially be gamed.

“Obviously, it’s very exciting technology and the capabilities are pretty amazing; the fact that we can [do] high-quality translations between languages and recognize images and generate believable audio and video using generative models,” are great use cases of machine learning, he says. “But the problem is, people use general excitement about AI and machine learning to make untethered kinds of [statements] like ‘It’s going to solve security. You don’t have to worry when you use our product.’ That kind of stuff is hooey. But there’s danger of people buying into that because of general excitement about AI,” he says.

AI is being used today to prevent spam and spear phishing attacks and many people are hoping that use of these platforms will mature rapidly, says Paul Hill, a security consultant with SystemExperts Corp. of Sudbury, Mass. Echoing Chase Lipton, he says “this approach is just as likely to make the attackers step up their game. I worry that the result will be that attackers will develop tools that will make spam that is stylistically identical to the author that they are attempting to impersonate.”

In all cybersecurity AI tools, the learning algorithms need to be more transparent, Hill believes. To fully gain a customer’s trust, “it should be possible for independent third parties to examine the learning model and data. Furthermore, a lot more work needs to be done to understand how an adversary might affect the learning model.”

By manipulating the learning model and/or data used to teach it, it may be possible to subvert the AI tools, he says. “Before AI cybersecurity tools enjoy widespread adoption these issues and how they will impact various customer deployments need to be better understood.”

AI in action

Tufts Medical Center is moving an increasing amount of data into the cloud. One of its electronic medical records systems is almost entirely cloud-based and IT is planning to move other clinical systems off premises, says Lehmann.

As the center expands its investigation of using AI to protect endpoints, officials are looking at whether their third-party vendors have appropriate protections in place in their data centers to leverage modern security technologies, he says. Their service level agreements will incorporate language indicating a “high expectation for their security program and mandating they implement certain controls like behavior and deterministic software solutions that protect data well.”

The medical center is also utilizing machine learning to monitor network traffic flowing off premises and protect its connection to the cloud, he says.

“For example,” he continues, “we often see certain spikes in traffic that could indicate an anomaly and … where the promise of AI is, is when we can turn AI on to correct a behavior. We’re getting to this point; not there yet.”

The goal is when there’s a “high fidelity hit on something we think looks bad, telling the AI [platform] to turn it off,” Lehmann says, explaining the medical center is looking at doing this to learn more about what could be threatening.

“Our next step will be to use that same AI to take action about a known threatening thing we’ve discovered,” he says. “That’s the nirvana; that’s where the value of AI exponentially increases. Now I don’t have to send a team to investigate that anomalous thing. The system knows what to do immediately if that occurs.”

The bleeding edge

The goal for Lehmann is to be able to walk into any surgical unit at the medical center and know a doctor has “relative assurance” that the equipment, services and procedures will be safe.

“That’s ultimately what we’re trying to do with any spend,” he says. As AI and machine learning technologies mature, he believes IT will be better able to secure endpoints in ways they were previously unable to do — or could only do if they “deployed a team of 50 people to figure it out.”

But when it comes to patient safety, Lehmann is leerier about using AI to secure data being exchanged between their internal systems and systems in the cloud. Although AI holds real value, “Can we say, ‘Is that wireless infusion pump operating normally and delivering drugs in the right frequency and what it has been programmed to deliver?’” Lehmann’s not sure. It becomes a lot trickier for a hospital if an infusion pump gets compromised and starts sending too high a dosage of medicine, he observes.

“These are patients’ lives we’re dealing with and I’m not sure we’re at the point where we can trust AI for [patient care,]” he opines.

For years, people have been recommending that organizations understand their baseline level of network activity in order to deploy a security information and event management system [SIEM] and create useful alerts, notes Hill. “However, many organizations don’t have the resources to really understand what their correct baseline traffic should be. AI should help solve this problem.”

Machine learning has already made available technologies we did not have even five years ago, Chase Lipton notes. “But the kinds of promises being made and way [the technology is] being thrown out vaguely like, ‘We can solve security with AI,’ is a little bit unhinged.”

There are a lot of small victories “probably happening every day,” he says. It is easy to train a machine learning system based on data from last year and have it work, “but the problem is, how do you keep it working accurately and develop best practices for auditing it? Those are huge challenges.”

That, for Chase Lipton, would make AI systems more palatable. “I’m sure progress will be slow and steady, but I don’t think it’s an overnight silver bullet that AI will solve in security.”

As endpoint protection evolves, it will need to use data from across multiple endpoints so that AI can recognize and react to threats, the Gartner report states. To cull all this data, endpoint detection and response (EDR) offerings are starting to emerge. These systems record all the technical and operational data of an organization’s endpoints as well as event, application state and network information.

This gives security response management teams a large pool of data that they can use to search for known indicators of compromise (IoC) or indicators of attack, Gartner says. Already, machine learning is a data analytics technique being used successfully “in areas where lifting signals from noise and removing false positives are problems,” the report says. “A well-trained [machine learning] algorithm can help identify IoCs in large, complex datasets that humans might miss.”

Along these same lines, the Gartner report says user and entity behavior analytics (UEBA) techniques can identify behaviors that applications display that are anomalous to standard baselines.

Yet, the technology is not there yet. “Unfortunately, AI is only beginning to make progress in [endpoint detection response.] However, it seems to be following the same pattern we have seen other technologies (such as SIEM management and network analytics) follow,” the report states.

“The technology comes on the market quickly but generates amounts of data that quickly overwhelm human users and contain false positives that limit its attractiveness. AI and advanced analytics are applied, and the tools become easier to use and yield more valuable insights,” the Gartner report says.

The bleeding edge will likely be the day when security administrators can quickly query their environments and take coordinated action across their endpoint environment in a unified manner, maintains Forrester, saying, “Furthermore, new analysis capabilities will present opportunities for endpoint security and management teams to pull deeper and more meaningful business insights from their increasing amounts of endpoint data while lowering operational friction and TCO (total cost of ownership).”

Protecting from Phishing and Spear-Phishing

SystemExperts Corporation is aware that many companies are seeing spear-phishing attempts where the emails purport to be from internal employees. We have also heard reports that compromised email accounts have been used to send spear-phishing emails to third parties, and the owners of the compromised accounts do not see the emails being sent on their behalf, nor the responses to those emails. As a result, we make the following types of recommendations:

  • Create inbound filters that block email whose sender address contains a valid internal username but has a domain name that does not match the internal domain name. How to achieve this depends on the particular company’s infrastructure, and SystemExperts has been able to provide detailed instructions specific to the infrastructure of our clients.
  • Create an alert to notify staff members responsible for email security. The alert should be triggered on the creation of any new mail processing rules that forward an employee’s email to an external email address, or new rules that automatically delete an employee’s email messages based on a regular expression in the subject line or message body. The rules should then be reviewed by those responsible for security so that they may determine if the email account has been compromised.
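
The two checks recommended above, sketched as an added example (this is not SystemExperts' client-specific configuration, which the page does not include). The domain, usernames, sample headers and the fields of the rule records are constructed assumptions; a real mail platform exposes its rules in its own format.

```python
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"        # assumption: placeholder internal domain
INTERNAL_USERS = {"jsmith", "mlee"}    # assumption: usernames from the directory

def should_block_inbound(from_header, domain=INTERNAL_DOMAIN, users=INTERNAL_USERS):
    """True when the sender's local part is a valid internal username but the
    address domain is not the internal domain (first recommendation)."""
    _, addr = parseaddr(from_header)
    local, sep, sender_domain = addr.lower().rpartition("@")
    if not sep:
        return False  # no parseable address; leave it to other filters
    return local in users and sender_domain != domain.lower()

def rule_alerts(rules, domain=INTERNAL_DOMAIN):
    """Return (mailbox, reason) for each new rule that forwards mail to an
    external address or deletes mail on a subject/body pattern (second one)."""
    alerts = []
    for rule in rules:
        target = rule.get("forward_to", "").lower()
        if target and target.rpartition("@")[2] != domain.lower():
            alerts.append((rule["mailbox"], "forwards to external address " + target))
        if rule.get("action") == "delete" and (
            rule.get("subject_regex") or rule.get("body_regex")
        ):
            alerts.append((rule["mailbox"], "auto-deletes on a content pattern"))
    return alerts

# Constructed sample input, not taken from any real mailbox or incident.
SAMPLE_FROM = [
    '"J Smith" <jsmith@example.com>',      # internal user, internal domain
    "J Smith <JSmith@examp1e-mail.test>",  # internal username, foreign domain
    "news@vendor.test",                    # unrelated external sender
]
SAMPLE_RULES = [
    {"mailbox": "mlee", "forward_to": "mlee.archive@mailbox.test"},
    {"mailbox": "mlee", "action": "delete", "subject_regex": r"(?i)invoice|wire"},
    {"mailbox": "jsmith", "forward_to": "helpdesk@example.com"},
]

if __name__ == "__main__":
    for header in SAMPLE_FROM:
        print("BLOCK" if should_block_inbound(header) else "pass ", header)
    for mailbox, reason in rule_alerts(SAMPLE_RULES):
        print("ALERT", mailbox, reason)
```

A flagged rule is a prompt for the review step described above, not proof of compromise; the reviewer still decides whether the mailbox owner created it.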

In addition we also recommend the more traditional controls:

  • Security awareness training that educates users about spear-phishing and what to look for – this includes recognizing, avoiding and reporting suspicious emails.
  • Enable SPF, DKIM, and DMARC to check that an email was indeed sent and authorized by the owner of that domain.
  • Install, maintain and update current anti-virus controls on all endpoints and the email servers, preferably, different anti-virus software on the endpoints versus the servers.

Three Cyber Security Tips for Small Businesses

There are three critical security controls that all small businesses should implement if they are just starting to address security. These are:

  1. Keep your systems up to date by applying all security updates
  2. Make sure you have daily backups of all critical data and be sure to test the ability to restore from the backups
  3. Users should not be local administrators on their computers; if that is not achievable, require the use of multi-factor authentication for all systems and applications

For small companies that have already addressed the above controls, take a look at Australia’s Essential Eight Maturity Model.