Clarity in the noise — erasing the unknown with AI

Vectra AI

By Chris Fisher, Director of Security Engineering APJ, Vectra
Thursday, 30 March, 2023


Clarity in the noise — erasing the unknown with AI

Security breaches and incidents are occurring with alarming regularity, with the big names reported in the media making up only a fraction of the actual number of breaches taking place. Latitude Financial has confirmed more than 7.9 million Australian and New Zealand licences and 53,000 passport numbers were stolen in its recent attack — a number far greater than the 330,000 originally reported. If we are to keep our people and systems safe, we must adopt a ‘not if, but when’ mindset and take steps to improve clarity of understanding and efficiency in catching and responding to threats.

Today’s world demands that businesses improve cybersecurity measures and gain greater visibility over threats and attack surfaces, else fall prey to sophisticated and targeted attacks. The more visibility an organisation has, the better equipped to detect and respond in a timely, meaningful way. Luckily, with security of increasing importance, there are more tools and solutions available, with the likes of artificial intelligence (AI) arming us with greater ability to understand our attack surface and catch threats fast.

The road to visibility and making unknowns, known

Let’s first consider unknowns. The last couple of years have led to significant changes in how we work, including a massive rise in remote working; notable changes in systems, including a huge rise in cloud adoption; greater financial pressure; and a struggle to find talent. These changes have led to a larger attack surface, more vulnerabilities and exploits, more tools and alerts, and smaller, more overworked teams. Meanwhile, attackers are more evasive and more sophisticated in their infiltration methods.

Analysts at Gartner predict that nearly half of cybersecurity leaders will change jobs by 2025 due to mounting stresses and burnout. Part of the problem, as highlighted by Gartner VP Analyst Paul Furtado, is insider risk and the fact that traditional cybersecurity tools lack the ability to provide visibility over threats not only from outside but within the network.

It is true that oftentimes our attack surface is far larger than we assume. Let’s say I’m leading a security team and I’m responsible for taking care of 4500 employees. I have an asset register that has logged 4500 laptops and 2500 servers, and I have 7000 assets in total on my network. However, it also shows that I have 15,000 active IP addresses on the network.

It’s not an uncommon statistic to only see 50% of assets logged as endpoints, with the additional IP addresses routers, switches, printers, cameras, telephones and other services. These additional IP addresses could be personal devices on a guest network, cloud computing services and container workloads, or even traditional server application services that are running hosts of activities that aren’t being monitored.

Security teams are now tasked with defining vulnerabilities within each of these items and executing controls in those environments. For instance, closed operating systems don’t allow endpoint control measures, but an attacker can still leverage it for an attack. As a result, having a full depth of view is critical, and this is where technology solutions can shine.

Gaining visibility over an attack surface means understanding threat vectors that sit beyond what you as a company own. Consider unauthorised access. An increasingly common term, this refers to the act of gaining access to a computer system, network or application without express permission or authorisation — as the name suggests. As was reported this month, Commonwealth Bank of Australia’s Indonesian unit was recently heavily impacted by an incident involving unauthorised access of a web-based software application used for project management. Similarly, AT&T has recently publicly announced that back in January, an unauthorised person breached a vendor’s system and gained access to the company’s Customer Proprietary Network Information (CPNI).

We can’t take this lightly. Gaining visibility and clarity through expert tooling reduces the burden on security teams and greatly improves an organisation’s ability to understand threats, while also giving the chance to remediate quickly and effectively.

The role of artificial intelligence in visibility and security

According to MarketsandMarkets, the AI in cybersecurity market size is valued at US$22.4 billion in 2023 and is anticipated to be US$60.6 billion by 2028, growing at a CAGR of 21.9% from 2023 to 2028. Meanwhile, IDC finds that cybersecurity has been identified as a top investment area in APAC, with one of the leading categories being AI and machine learning. However, the study found that only 13% of Asia–Pacific respondents stated this was an investment priority, hinting that the region is lagging.

AI is a powerful tool in driving signal clarity and maximising the use of our now more visible attack surface. AI enhances signal clarity by allowing us to zero in on the behavioural aspect of attacks and consider all possible infiltration points. Attackers may be utilising AI or automation to speed up their attacks, but this doesn’t inherently change their behaviour. There are still certain actions they need to take to compromise a network, and these behavioural markers are what we can pick up on. Security teams are alerted to suspicious behaviour, improving efficiency and helping them to sift through the noise of alerts.

We hear from many organisations that they receive far too many false positives from their security tooling and security teams are inundated with information that they don’t know what to do with. Leveraging AI is not about replacing a human being, it’s about making what we do far more efficient and clarified. We can automate mundane tasks to free-up employees, amplify an attack and improve our ability to respond.

When it comes to response, we must know what to do with the attack alerts that come through, otherwise all our clarity is for nothing. First, we determine what the attack is, and second what to do about it. Remediation is a helpful metric because it highlights that our goal is to remove the attacker from the environment but considers that there will be various ways to do this, depending on the systems and environment. There can’t be a blanket rule — we must be flexible — but we can create repeatable procedures that have flexibility built in. Metrics such as meantime to remediation can showcase the value and benefit of AI in terms of real outcomes and returns.

Moving forward, we expect to see CISOs and security leaders invest more in tooling that improves efficiencies and supports security teams in sifting through alerts and uncovering threats in a sprawling and broad attack landscape. The solutions are there, and they’re getting better all the time; it’s just understanding what they are and how they can be integrated for maximum benefit.

Image credit: iStock.com/wildpixel

Related Articles

Nation-state actors have their sights on the cloud

Prioritising the protection of credentials and adopting robust security measures can better...

Combating financial crime with AI

Rapid digital transformation across Australia and New Zealand has provided cybercriminals with...

Learning from the LockBit takedown

An international taskforce has seized the darknet sites run by LockBit, but relying on law...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd