The 2019 Verizon Data Breach Investigations Report (DBIR) came out not long ago. There are a lot of incremental change in the 78 pages of charts and graphs, which is normal for a report of this kind. The DBIR isn’t rocking anyone’s boat with blockbuster findings; instead, it reveals trends that may or may not be comforting. Overall the report serves as a useful barometer of the state of data protection, as a reminder that things are not good in the world of cybersecurity, and that we who make the tools enterprises rely on to protect their data should strive to do better by them.
Fact is, innovation in cybersecurity has fallen behind innovation by the global hacker community. While global spending on security has, according to Gartner, exceeded $124B, hackers have not been idle. They’ve adopted methods that allow them to overwhelm traditional security tools and take advantage of plain old human frailty. As long as our species remains predisposed to click on interesting emails, rely on easy (or no) passwords, or browse to places we shouldn’t, the hackers will have the edge. Unless, that is, we come up with radically different approaches to security that are clever enough to take into account our collective weaknesses. In the meantime data breaches continue apace, with thousands of incidents reported in 2018 resulting in around 5 billion sensitive records compromised.
It’s a simple matter of mathematics and scale. Hackers have started using offensive AI to generate and deliver unique malware at a rate of four new samples per second. Cheap and abundant compute, as well as a profusion of toolkits in the wild, have actually made it easy to develop highly resilient and evasive “designer threats” that can target a specific enterprise. For example at the 2018 BlackHat IBM Research introduced DeepLocker, a toolkit to deliver highly obfuscated and evasive malware. This class of AI-powered evasive malware conceals its intent until it reaches a specific victim.
While DeepLocker was an academic experiment, today it is possible for anyone to buy a tailor-made virus that is guaranteed to get past the top 10 to 15 major security solutions the first time it is deployed. Such attacks are sometimes augmented by an AI algorithm that can add to the stealthiness of the malware, depending on the environment and attempts made to discover it. AI raises the stakes, with an advantage for the attackers. They need to get it right only once to score while defenders need to defend successfully 24/7/365.
When an attack is successful in getting by perimeter defenses, according to Figure 28 of the DBIR, the typical time to compromise is measured in minutes. From there it only takes a few hours for a hacker to move laterally to their target and exfiltrate valuable data. Compare that to the time it takes for an enterprise to discover it has been breached, which is measured in months and then, once a breach is discovered, the days or weeks it takes to contain the breach. If that doesn’t give you pause, you aren’t paying attention.
The message for the enterprise is simple: in today’s threat environment, speed kills. Any failure to keep pace with the threat is an exacerbating factor, but we’ve settled into a pattern of relying on incremental improvement in existing security tech. It’s not good enough. The scale and speed of today’s attacker onslaught is more than enough to overwhelm traditional approaches to security, and, as security researcher Richard Seiersen states in this LinkedIn post, “A 99 percent success rate equates to a 100 percent failure rate” when you rely on signature- and sandbox-based security.
How do we—indeed, can we—slow down the pace of the threat actors? Maybe that’s the wrong question. Instead we should be thinking in terms of increasing the speed of our ability to detect and prevent threats.
The first step involves recognizing and understanding the source of the biggest external threats and focusing attention there. According to the DBIR, email (94%) and the web (23%) are the primary means of threat delivery (the overlap of those two figures accounts for cases where initial compromise is made via email and the victim is directed to a web page where the payload may be completed). Establishing a smarter, faster perimeter defense becomes the key to prevention.
We believe that, where human intelligence often lets us down, artificial intelligence can close the security gap. And not garden-variety AI, which has been used for years in cybersecurity with less than stellar results, but with deep learning, the most sophisticated subfield of machine learning. The application of deep learning to the challenges presented by hackers has shown excellent results in its ability to detect and prevent threats from getting through the gate no matter how amorphous your perimeter may be. Thus far we’ve demonstrated nearly 100% detection rates against daily threat samples, including zero-day variants, and automatically deliver threat detection verdicts in less than a second, stopping threats cold.
That’s faster than Gladys at the front desk can click a link promising a cute new cat video. In fact, she’ll never even see that email. And neither will Charlie in sales who is eager to please everyone who reaches out to him in hopes of getting closer to his next big deal. Speed kills in security, where humans never seem to learn from our mistakes, but faster saves. And deep learning can act before we have a chance to make the same mistakes (again).