About Lee & Thompson
Established in 1983, Lee & Thompson is a well-respected law practice in London which specialises in the media, technology and creative industries and represents some of the world's most talented and high-profile celebrity names within this sector.
As a leader within their field, they pride themselves on a first-class service, adaptive approach and unique industry expertise.
The security of client data has always been an absolute priority for Lee & Thompson. In his role as Head of IT, Rob Hilton is responsible for implementing and managing the firm’s technology infrastructure, with a focus on maintaining secure, resilient and scalable access for his end-users from any location, at any time.
“Cyber Security challenges are always developing and 2020 saw unprecedented changes in work practices with the COVID pandemic. Add to that the rapid growth of IoT devices, plus the risk of complex attacks like the one against SolarWinds – and the need for a more robust approach to security becomes quite obvious,” explains Mike Batters, Technology Director at Legal IT Consultancy, NETprotocol.
Due to the increased complexity of supporting a dynamic workforce, who today could be accessing the law firm's company and client data from any location, on any type of device, Rob Hilton had for some time been in search of a SOC solution capable of monitoring activity 24/7, across the entire network and IT infrastructure, from anywhere in the world.
Ultimately Lee & Thompson needed complete confidence that any potential security threat could be detected and stopped in real time, whilst the IT team was immediately notified of the risk.
“We must be able to guarantee our clients that we have full visibility of how data is being used and accessed – and from a compliance perspective, be able to provide a full trail of evidence to demonstrate we have complete control at all times,” Rob explains.
“Having reviewed the market over a period of time, we were recommended Darktrace Cyber AI security platform by our long-term partners and specialist legal technology consultancy, NETprotocol,” Rob confirms.
Lee & Thompson had already seen and heard good things about Darktrace’s Cyber AI technology and so initiated a free 30-day trial to decide if the solution met their needs.
“The appliance took just a couple of days to arrive and set up was simple and straightforward. Using a unique ‘Immune System’ approach driven by AI technology, Darktrace immediately started scanning activity across our entire network, reviewing who was accessing what data and instantly flagging any potential concerns to me,” Rob continues.
It was clear within just a matter of days that Darktrace was already building up an accurate picture of what was ‘normal’ at Lee & Thompson – sending automated notifications to Rob through the Darktrace iOS app whenever it identified something as a possible concern.
“What I really liked about the technology is that it was not just looking for malicious behaviour or unknown credentials from outside of our business, but Darktrace’s AI technology can also identify when a potential insider threat is developing, notifying me of unusual or unauthorised activity also from employees within the business. There really are no blind spots with this technology!”
Prior to deploying Darktrace Cyber AI technology, Rob was depending on his already stretched team to not just keep a close eye on security parameters, but also investigate and resolve many of these manually once identified. With Darktrace, he is now able to monitor activity across his entire network through a single user interface, easily downloading reports for management to review, and most importantly, track how Darktrace has resolved the issue before the risk brings any harm.
“Lee & Thompson has always invested heavily in its cyber security infrastructure, however with advanced and real-time threats being so unpredictable in the present day, and with most of our staff now working remotely, Darktrace has highlighted to us how prominent the security risk is for law firms,” Rob affirms.
Darktrace has eliminated any blind spots Lee & Thompson may have had, giving them complete visibility of their entire infrastructure, connected devices and cloud services.
Mike Batters goes on to highlight two major benefits of Lee & Thompson's deployment of Darktrace:
“Darktrace’s AI Analyst works around the clock 24/7 alerting & reacting to anomalies & potential threats as they are developing. Not only does it deliver a far superior level of security than was previously possible, it also enables Lee & Thompson’s IT team to focus their time on further developing IT to better support their business.”
Rob Hilton summarises the project and concludes:
“I had always thought that Darktrace would have been out of reach financially for a boutique law firm the size of Lee & Thompson, however when we found the product was actually “in budget”, this was the icing on the cake! Thanks to their 30-day ‘proof of value’ trial, we knew what we were buying and could justify the cost without a problem.”
Following the global data breach against software company SolarWinds which took place in March 2020, there are lessons to be learnt from these findings which can protect your law firm from experiencing a similar level of threat. In particular, investigations have highlighted the failure of signature-based tools in being able to detect advanced cyber threats.
Despite the rising number of APTs (Advanced Persistent Threats) and the sophisticated post-exploitation activity which now takes place daily and is almost impossible to predict, signature-based security tools, which rely solely on past data to predict future threats, are still widely used across the sector.
The Impact of the SolarWinds Attack
News of the SolarWinds attack broke around two months ago, reporting that malware had been installed during software updates, affecting nearly all levels of American government, as well as hundreds of private businesses, equating to around 18,000 of the firm’s customers – with the damage so large that it is yet to be quantified.
As investigations continue, it’s looking like the damage caused by this attack will be difficult to either detect or undo and subsequently is causing data-rich organisations to realign their approach to cyber security. The reality of the SolarWinds incident confirms that attackers are now outwitting traditional security measures and are using new and advanced forms of threat which require an updated level of protection.
As law firms large and small are becoming increasingly reliant on cloud-based services, with staff working from dispersed locations and accessing data through a range of often unknown devices, this predicament creates the perfect hunting ground for sophisticated and stealthy cyber-attacks.
How To Keep One Step Ahead of the Attackers
The most shocking elements of the SolarWinds attack are the amount of time it went unnoticed and, put simply, its pervasiveness. Whilst the traditional approach to protecting your systems has been to secure the perimeter of the network, stopping anything malicious getting in, once an attacker has infiltrated that perimeter there is often very little to detect subsequent anomalous behaviour or to stop it. This is where any security-conscious organisation has an opportunity to improve.
Having recently partnered with leading Cyber AI specialists Darktrace, we have seen some interesting evidence showing how their self-learning security platform has detected the types of behaviour related to the SolarWinds breach. In his recent blog, Max Heinemeyer, Director of Threat Hunting at Darktrace, provides examples of anomalous activity, equal to that which successfully infiltrated American government systems in the SolarWinds attack, which Darktrace's Enterprise Immune System detected for its clients.
Whilst signature-based tools look at historical data to predict the next threat, Darktrace's Cyber AI works in real time, tracking activity patterns across all devices present on your network rather than matching already-known malicious signatures. Any unusual activity which does not fit the normal ‘pattern of life’ within that enterprise is therefore detected and locked until further investigation has been carried out.
Offering visibility of your entire network through a single interface, Darktrace's AI technology automatically clusters devices into peer groups, allowing it to detect an individual device behaving unusually as it happens. This self-learning approach acts as an immune system would, locating any infection that a signature-based solution is unable to detect.
Why Is The Post-Exploitation Stage So Harmful?
The post-exploitation stage of an attack is much more unpredictable and stealthy, as it is driven by the attacker's bespoke intentions for the victim being targeted. At this stage there is no pre-defined threat that can be distinguished, which renders signature-based tools and threat intelligence almost worthless.
Max goes on to highlight in his blog some examples of anomalous and threatening behaviour taking place on a customer’s network including post-infection activities which the attacker would have used to evade a signature-based tool – had Darktrace’s AI technology not been in place. Darktrace’s Cyber AI Analyst went on to alert the client’s security team to these abnormal changes within the network and provided clear evidence of what was taking place so relevant action could be taken.
How To Stop An Attacker Evading Your Security Measures
By understanding where credentials are used and which devices talk to each other, Cyber AI has an unprecedented and dynamic understanding of business systems. This empowers it to alert security teams to enterprise changes that could indicate cyber risk in real time.
As the evidence in Max's recent blog demonstrates, the attackers used a range of techniques that would otherwise have gone undetected by traditional security tools, including:
- setting hostnames to match a legitimate hostname in the victim's environment, allowing the attacker to blend in without suspicion;
- using C2 servers in geopolitical proximity to those of their victims, thus circumventing geopolitical trust lists;
- moving laterally using multiple credentials which were different to those used for remote access;
- applying a temporary file replacement or task modification technique to execute their payload.
Figure 1 below illustrates how Darktrace flags this anomalous activity before any damage is caused, alerting security teams to the concerning behaviour taking place:
Figure 1: Example breach event log showing anomalous (new) logins from a single device, with multiple user credentials
These alerts demonstrate how AI learns ‘normal’ for the unique digital environment surrounding it, and then alerts operators to deviations, including those that are directly relevant to the SUNBURST compromise. It further provides insights into how the attacker exploited those networks that did not have the appropriate visibility and detection capabilities.
On top of these alerts, Cyber AI Analyst will also be automatically correlating these detections over time to identify patterns, generating comprehensive and intuitive incident summaries and significantly reducing triage time.
As law firms look to support an intensely dynamic workforce and therefore need to upscale visibility to ensure their systems and client data are safe in real-time, we invite you to watch how this can be achieved below:
Is your business operating from dispersed locations with employees working from numerous / remote environments, accessing IT systems and data through a multitude of cloud-based applications, which reside outside the protection of a defined corporate network?
In today’s increasingly digital business world, even the most private documentation is now regularly revised online, transferred over email, and stored in the cloud. This shift creates an urgent need for cyber defences that can safeguard these files across complex and hybrid infrastructures. Many firms do not employ large security teams, and few have adequately prepared themselves for the stealthy behavior and machine speed of modern cyber-attacks.
Whilst this new way of working is the future, it also compromises your security, reducing visibility and rendering the security of your network perimeter obsolete. What you need is intelligent, unified defences which protect your corporate systems and client data, no matter where your staff are working from or what device they are accessing applications with, so that you can detect the full range of cyber threats across your entire workforce.
Having worked in legal technology for over 20 years, we know that many law firms rely on Mimecast email security to detect and defend against malicious links targeting employees. We therefore read with interest a blog written by Dan Fein, Director at Darktrace, who explains the process that an e-mail gateway undertakes to rewrite these harmful links and confirms why this sense of protection is in fact a misconception and won't provide the security that your business needs to remain compliant and safe.
Link rewriting is a common technique that involves encoding URLs sent via email into a link that redirects the user to the gateway’s own servers. These servers contain some unique codes which then track the user and perform later checks to determine whether the link was malicious. In fact, an email gateway’s reliance on this technique is actually an indicator of one of their fundamental flaws: their reliance on rules and signatures of previously recognised threats, and their consequent inability to stop threats on the first encounter.
The reason these tools pre-emptively rewrite links is so they can make a determination later on: with the link now pointing to their own servers, they can leverage their updated assessment of that link and block a malicious site, once more information has become available (and often once ‘patient zero’ has become infected; and the damage is already done).
How Can You Measure Success?
Dan Fein goes on to discuss how you can measure success and highlights that whilst a product like Mimecast will rewrite near enough 100% of links entering your systems – even if the links are directing you to safe and trusted URLs including your ‘own’ website – this process doesn’t necessarily indicate that your data is secure.
Furthermore, whilst nearly all links are rewritten, issues then arise when training your staff to identify a phishing email, as this task becomes almost impossible when nearly every link they receive reads ‘mimecast.com’. With this approach, one link can't be distinguished as harmful from another, whilst employees also gain a ‘sense of security’ that Mimecast is there protecting them from opening something rogue or infectious, when in fact Mimecast doesn't itself have the answers at this stage.
What’s The Solution?
Whilst watching Darktrace's Antigena Email run alongside Mimecast, Dan reveals that over the course of three days the customer received 155,008 emails containing links rewritten by Mimecast (see Figure 1). Of those emails with rewritten links, 1,478 were anomalous and were blocked by Darktrace's AI before they reached the recipient and caused any harm. The remaining 153,530 links had been unnecessarily rewritten.
Figure 1: Over 155,000 inbound emails contained rewritten Mimecast links
What is most worrying is that once clicked – those anomalous links that needed stopping in their tracks – would sit for potentially weeks before any meaningful action was taken by Mimecast, due to the limitations of identifying real-time and first-encounter threats.
Dan goes on to explain the restrictions of legacy email protection tools in more detail and provides substantial evidence of why the metrics tools such as Mimecast use to identify malicious behaviour won't keep your systems and client data safe.
In summary, and having seen the technologies in action ourselves, we can conclude that rewriting links cannot viably prevent malicious content from infecting your systems. In contrast, Darktrace's Antigena Email solution allows you to review your organisation's entire digital estate, not just links accessed from emails but network activity as a whole, and will lock or resolve any level of threat that it identifies as untrusted or malicious.
Protect Your Dynamic Workforce Today! In Real-Time…
While Mimecast rewrites everything in order to leave the door open and make assessments later on, Darktrace is able to take action when it needs to – before an email poses a threat to the inbox. The technology is uniquely able to do this due to its high success rates for malicious emails seen on first encounter and its sophisticated approach to detection that uses AI to catch a threat – regardless of whether or not that threat has been seen before.
With the scale and sophistication of email attacks growing, the need for a proactive and modern approach to email security is paramount as workforces become increasingly dispersed.
Schools and Colleges are working to prepare their organisations to thrive in a changing world where the IT challenges of digital transformation have intensified as the pandemic goes on.
There are many ways in which you can use your network to support these changing needs, keeping students and staff safe when onsite, whilst ensuring they can access all required resources securely when working and learning remotely. This latest webinar hears how other IT Leaders in Education have achieved this including how to:
- Limit the infectious transmission rate during times in school
- Carry out proximity tracing to track who has been in contact
- Monitor capacity – identifying areas where people are congregating
- Watch how people are moving around the school
- Ensure all remote users have secure access to all the necessary resources
- Make the home office look as much like the work office as possible for staff
Extreme Networks is ready to finish 2020 with a bang having been named as the “overall winner” of the Networking category in CRN’s prestigious “2020 Products of the Year” Awards.
Businesses and schools around the world are looking for new ways to streamline every aspect of the network, from deployment to maintenance – to be able to focus on what’s really important to them instead of dealing with menial and time consuming operational tasks.
These needs can be met by using Extreme's fourth-generation Cloud Services architecture, capable of supporting millions of infrastructure devices and hundreds of millions of clients per Regional Data Center. Imagine an all-in-one platform for wired and wireless management, business insights, location tracking, wireless security, seamless IoT onboarding and guest access, all through a single user interface.
CRN editors looked at the best new products and major updates of 2020, and then turned to solution providers to choose the winners based on technology, revenue and profit opportunities, and customer demand. ExtremeCloud IQ was selected as the winner in the ‘Networking’ category for its enhanced insight, visibility and control, as well as new automation capabilities for IT administrators.
Here’s what CRN had to say:
“The enterprise network management app provides full visibility into every user and device in a network, as well as unified policy management across devices and sites. ExtremeCloud IQ also uses machine learning and AI to deliver actionable insight derived from the 3 PB of data that's ingested by the company's cloud instances each day. In addition, the new Co-Pilot feature provides automation capabilities that dramatically reduce the amount of context-gathering needed by IT administrators for handling support calls.”
ExtremeCloud IQ was selected over solutions from Cisco, CommScope, HPE, and Juniper Networks.
It appears COVID-19 is not leaving our communities anytime soon, so the need to create a sustainable network for post-pandemic operations is going to be an essential priority for 2021. As your organisation adjusts to new ways of learning, working, and operating from dispersed locations and sites, you will be relying on enhanced network management, dexterity, control, and data insights.
Regardless of the industry you are in, an exceptionally fast, flexible, and secure connection is critical – although this is a reality that can only be achieved in today’s world with next-generation cloud-driven networking capabilities.
Below we have summarised how cloud networking will enable your organisation to achieve its IT goals in 2021, significantly improving network performance and giving you access to ground-breaking data to better manage the needs of your users, wherever they are based and whatever information they need.
Facilitating Agile Work Environments
As your employees, students, or customers work or study from multiple locations or sites, the challenge of keeping them connected grows more difficult. Cloud-management allows you to support highly dispersed remote and progressive environments, all managed from a central location. This allows for ‘any time’, ‘anywhere’ access to keep everyone productive, whilst enabling them to continue to work towards future objectives and targets.
IoT and Robotics Automations
The constant addition of IoT and robotics devices can lead to headaches about security and control for many organisations. Extreme’s IoT solution makes it easy to apply a secure connection to a network of authorised devices, quickly identifying and isolating compromised devices. Secure onboarding and visibility steps help automate your service, reduce risk, and minimise staff and/or student exposure.
Contact Tracing Enablement
ExtremeCloud IQ assists organisations to comply with new and changing government regulations to reduce the spread of COVID-19 through contact tracing. Delivering real-time reporting of users enables organisations to analyse what's happening inside their facilities to quickly identify hotspots, or isolate individuals or buildings if needed. Extreme's data insights, in combination with apps by Apple and Google, provide even more tracking data to keep your workforce and/or students safe.
Utilising data insights and analytics from IoT Wi-Fi and Bluetooth sensors can help manage your organisation's social distancing rules. Extreme and its ecosystem partners are helping organisations to track attendance and positioning whilst implementing real-time locating. Extreme helps enable applications by identifying facility zones with excessive congregation levels, as well as triggering foot-traffic-based flags noting that deep-cleaning steps should be taken to aid facility safety.
As ‘cabin fever’ intensifies and we all look for ways to return to life before the pandemic, it is important we keep in mind the health and safety of your employees, students, and customers. ExtremeCloud IQ will help enable us to return to a #newnormal with added safety features, sooner rather than later.
Have you ever considered that your next Wi-Fi upgrade is what’s going to power your digitalised classroom or workplace for years to come?
Whether you’re an education provider or a legal enterprise, digital transformation has been brought forward and to a degree taken over due to the current pandemic – we’ve been forced to ensure our teaching practices and workforce are more agile, able to respond to the unpredictable constraints of both this and any future crisis.
Why Is Wi-Fi 6 So Different?
When we think of digital transformation, we think of cloud, mobility, IoT or even smart classrooms…. and the one thing all these have in common is that they are all “network-centric” in nature – that is to say, ALL driven by reliable, accessible Wi-Fi.
Wi-Fi has only been with us 21 years, but how it has advanced over these two short decades in terms of reliability, security, and performance. So what makes Wi-Fi 6 so different to its predecessors? Well, it's all in the technology: Wi-Fi 6 is the first wireless technology designed for the ‘all wireless’ work environment.
802.11ax/Wi-Fi 6 has the ability to support multi-user communication, enabling more than one client to talk at a time. It's no longer a matter of it just being faster; Wi-Fi 6 advances and improves the Wi-Fi service. So as Wi-Fi becomes critical to your future operations, the way in which Wi-Fi is managed becomes equally important. Whether troubleshooting a network, learning from the data provided, or being proactive rather than reactive, technologies like AI, machine learning and deep learning will be key considerations when looking at management solutions.
Below – we have an on-demand session delivered by the Director of Wireless Solutions at Extreme Networks, who speaks about why your next upgrade is so important and how to ensure you make the right choice. If you haven’t watched this already, we’d highly encourage you to check out the video below where you can hear the details of what’s happening in Wi-Fi today and what the key considerations are when deploying wireless technologies:
In a recent blog from Darktrace's Dan Fein, a Director at the world's leading provider of cyber security AI, he reports on a recent email attack that the email security solution Mimecast did not detect as malicious, but which was later identified as a wide-scale email compromise, highlighting the challenges that businesses face as they adopt new ways of working.
As we know, Mimecast is widely used across the legal sector; however, as these well-researched and convincing impersonation attacks rise, so does the number of successful account takeovers, which are becoming increasingly sophisticated and difficult to prevent.
This report of a logistics firm which had Mimecast operating in its Microsoft 365 environment demonstrates how traditional email tools, which create rules for what ‘bad’ emails look like based on past campaigns, are missing these novel and sophisticated hoax emails in the current threat landscape.
The firm in question was trialling Darktrace's Antigena Email in passive mode, meaning it was not configured to actively intervene but simply to observe, with the email dashboard allowing the firm to see what actions the technology would have taken, and the consequences of relying purely on gateways to stop advanced threats.
In this instance, through compromising just one employee’s email account, the attacker accessed several sensitive files, gathering details of employees and credit card transactions, and then began communicating with others in the organisation, sending out over two hundred further emails to take hold of more employee accounts. This activity was picked up in real time by Darktrace’s Microsoft 365 SaaS module.
HOW THE ATTACK BEGAN
The company was under sustained attack from a cyber-criminal who had already performed account hijacks on a number of their trusted partners. Abusing these trusted relationships, the attacker sent out several tailored emails from the partners' accounts to the logistics company. All used the same convention in the subject, RFP for [compromised company's name], and all appeared to be credential harvesting.
Figure 1: A sample of the malicious emails from the hijacked accounts; the red icon indicating that Antigena Email would have held these emails back
Each of these emails contained a malicious payload, a file storage (SharePoint) link, hidden behind the text shown in Figure 2. It is likely the attacker did this to bypass mail link analysis. Mimecast did rewrite the link for analysis, but it failed to identify it as malicious.
Figure 2: Darktrace surfaces the text behind which the link was hidden
When clicked on, the link took the victim to a fake Microsoft login page for credential harvesting. This was an accurate replica of a genuine login page and sent email and password combinations directly to the attacker for further account compromise.
Figure 3: The fake Microsoft login page
A number of employees read the email, including the CEO; however only one person – a general manager – appeared to get their email account hijacked by the attacker.
HOW THE EMAIL BREACH WAS DETECTED
About three hours after opening the malicious email, an anomalous SaaS login was detected on the account by Darktrace’s Antigena Email from an IP address not seen across the business before.
Open-source analysis of the IP address showed that it belonged to a high-fraud-risk ISP which runs anonymising VPNs and servers; this may have been how the attacker overcame geofencing rules. Shortly afterwards, Darktrace detected an anonymous sharing link being created for a password file.
Figure 4: Darktrace’s SaaS Module revealing the anomalous creation of a link
Darktrace revealed that this file was subsequently accessed by the anomalous IP address. Deeper analysis showed that the attacker repeated this methodology, making previously protected resources publicly available, before immediately accessing them publicly via the same IP address. Darktrace AI observed the attacker accessing potentially sensitive information, including a file that appeared to hold information about credit card transactions, as well as a document containing passwords.
The following day, after the attacker had exhausted all sensitive information they could elicit from the compromised email account, they then used that account to send out further malicious emails to trusted business associates using the same methodology as before – sending fake and targeted RFPs in an attempt to compromise credentials. Darktrace’s SaaS module identified this anomalous behavior, graphically revealing that the attacker sent out over 1,600 tailored emails over the course of 25 minutes.
Figure 5: A graphical representation of the burst of emails sent over a 25 minute period
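The two detection stories above (the SolarWinds-era "multiple credentials from a single device" alert in the first post, and the new-IP login, anonymous sharing link and 1,600-email burst in this account takeover) all reduce to the same idea: learn a baseline, then flag deviations. The Python below is an added example, not Darktrace's, Mimecast's or Microsoft's code; the audit-event format, field names, IP addresses, user names and thresholds are all constructed assumptions chosen to illustrate those four anomalies on sample data.

```python
"""Baseline-vs-deviation detections over a constructed SaaS audit trail.

Added example (not vendor code). The event schema, sample data and
thresholds are assumptions; a real deployment would learn the baseline
(known IPs, normal mail volume) from weeks of history rather than hard-code it.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _mk(ts, action, user, src_ip, detail=""):
    """Build one audit event; timestamps are ISO 8601 strings."""
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "user": user, "src_ip": src_ip, "detail": detail}


# Constructed sample events (not real data). 203.0.113.x and 198.51.100.x are
# documentation ranges; "gm" stands in for the hijacked general manager account.
SAMPLE_EVENTS = [
    _mk("2021-02-01T09:00:00", "login", "alice", "203.0.113.10"),
    _mk("2021-02-01T09:05:00", "login", "bob", "203.0.113.10"),
    _mk("2021-02-01T09:07:00", "login", "carol", "203.0.113.10"),
    _mk("2021-02-01T09:09:00", "login", "dave", "203.0.113.10"),
    _mk("2021-02-01T10:00:00", "login", "erin", "203.0.113.11"),
    _mk("2021-02-01T10:30:00", "send_mail", "erin", "203.0.113.11", "invoice"),
    _mk("2021-02-01T12:10:00", "login", "gm", "198.51.100.77"),
    _mk("2021-02-01T12:14:00", "share_link_created", "gm", "198.51.100.77", "passwords.xlsx"),
    _mk("2021-02-01T12:15:30", "file_accessed", "anonymous", "198.51.100.77", "passwords.xlsx"),
]
# Next day: the hijacked account sends 40 mails in 20 minutes (constructed burst).
_BURST_START = datetime.fromisoformat("2021-02-02T08:00:00")
SAMPLE_EVENTS += [
    _mk((_BURST_START + timedelta(seconds=30 * i)).isoformat(),
        "send_mail", "gm", "198.51.100.77", "RFP")
    for i in range(40)
]
# Assumed baseline: source IPs previously seen across the business.
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}


def new_ip_logins(events, known_ips):
    """Logins from a source IP never seen across the business before."""
    return [(e["user"], e["src_ip"]) for e in events
            if e["action"] == "login" and e["src_ip"] not in known_ips]


def multi_credential_sources(events, window=timedelta(minutes=15), min_users=3):
    """Source IPs that authenticate as several distinct users inside one window."""
    by_ip = defaultdict(list)
    for e in sorted((e for e in events if e["action"] == "login"), key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                hits[ip] = hits.get(ip, set()) | users
    return hits


def anonymous_share_then_access(events, window=timedelta(minutes=30)):
    """A sharing link created on a file, then fetched anonymously within the window."""
    created = [e for e in events if e["action"] == "share_link_created"]
    accessed = [e for e in events
                if e["action"] == "file_accessed" and e["user"] == "anonymous"]
    hits = []
    for c in created:
        for a in accessed:
            if a["detail"] == c["detail"] and timedelta(0) <= a["ts"] - c["ts"] <= window:
                hits.append((c["detail"], c["user"], a["src_ip"]))
    return hits


def mail_bursts(events, window=timedelta(minutes=25), max_per_window=20):
    """Accounts whose outbound mail count in any sliding window exceeds the baseline."""
    sends = defaultdict(list)
    for e in sorted((e for e in events if e["action"] == "send_mail"), key=lambda e: e["ts"]):
        sends[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in sends.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            count = end - start + 1
            if count > max_per_window:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def run_all(events=SAMPLE_EVENTS, known_ips=KNOWN_IPS):
    """Run every detection and return the findings keyed by rule name."""
    return {
        "new_ip_logins": new_ip_logins(events, known_ips),
        "multi_credential_sources": multi_credential_sources(events),
        "anonymous_share_then_access": anonymous_share_then_access(events),
        "mail_bursts": mail_bursts(events),
    }


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print(f"{rule}: {findings}")
```

Each rule fires on exactly the constructed anomaly it targets and stays silent on the benign events, which is the property a signature-free, baseline-driven detection needs before it can be trusted in an environment where nobody has seen the specific attack before.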
WHY AI IS NECESSARY TO FIGHT MODERN EMAIL THREATS
For the logistics company in question, this incident served as a wake-up call. The Managed Security Service Provider (MSSP) running their cloud security was completely unaware of the account takeover, which was detected by Darktrace’s SaaS Module. The organisation realised that today’s email security challenge requires best in class technologies that can not only prevent phishing emails from reaching the inbox, but detect account takeovers and malicious outbound emails sent – should they get through and compromise an account.
This incident caused the organisation to deploy Antigena Email in active mode, allowing the technology to stop the most subtle and targeted threats that attempt to enter through the inbox based on its nuanced and contextual understanding of the normal ‘pattern of life’ for every user and device.
The reality is, hundreds of emails like this trick not only humans, but traditional security tools every day. It’s clear that when it comes to the growing email security challenge, the status quo is no longer good enough. With the modern workforce more dispersed and agile than ever, there is a growing need to protect remote users across SaaS collaboration platforms, whilst neutralising email attacks before they reach the inbox.
Thanks to Darktrace analyst Liam Dermody for his insights on the above threat find.
We at NETprotocol work with AI every day and regularly hear these claims that it could – in the near future – outsmart us humans. Really? Is it a realistic claim to suggest that AI technology could outperform a human being? After all, AI wouldn’t actually exist if a human hadn’t created it to begin with.
That said, in certain fields of technology, the power of AI is simply groundbreaking. And cyber security is proving to be one of those. As Max Heinemeyer, Director of Threat Hunting at Darktrace pointed out in a recent blog, the odds are stacked against those working to defend their business or organisation from a cyber attack. Whilst savvy hackers only need to be successful at compromising one weak link to begin infiltration, those seeking to protect their data need to get it all right, all of the time.
And so this is where AI has come into its own. With an expanding task list, cyber security experts are expected to monitor and identify threats coming from both inside and outside an organisation, often from multiple locations worldwide, identifying abnormalities before they cause any damage and reporting on these to Board members to justify their cause. Without knowing what the next threat is going to look like, it is impossible to keep ahead of the perpetrators whilst upholding day-to-day security standards.
Is there any doubt therefore that when it comes to cyber security, AI will and can do the job better and smarter than a team of expert humans could do? Digital networks handle terabytes of data every day – the scale is unthinkable for humans, who have limitations on how much information they can process at a time, and need regular breaks. But it’s more than just a scaling issue – the AI gets to better outcomes, uncovering damaging cyber attacks that the human can’t find.
Today, cyber AI technology is detecting the most sophisticated attacks out there, including those from the Chinese cyber espionage group known as APT41 and even the alleged Russian ransomware gang EvilCorp. As AI has advanced, it is now capable of pinpointing abnormal activity and behaviours which human teams are unable to detect amid the noise of normal digital activity – the first step in outsmarting humans.
The second step is more fundamental still – the AI now interrogates its own findings. In other words, instead of human beings looking at the outputs of the AI and applying their human understanding, AI is now taking care of this too. Known as an AI Analyst, this technology applies contextual understanding to launch a full-blown investigation into what has happened on the network. The result of the investigation is a much faster response to resolve the threat, plus a machine-generated, human-readable report about the incident.
The time savings are huge, and vital for overwhelmed human security teams. Where a human security analyst would take 3 hours on average to interrogate just one suspicious event – the AI does this in seconds. And the report can be generated in whatever language is required, enabling not just an instant response, but a global one too.
Cyber AI technology is now carrying out 1.4 million investigations every week, elevating human teams to focus on tactical and strategic tasks like shaping long-term strategy and policies.
By 2021, the role of the ‘human’ security analyst will be changed for good. It will be normal for internal security investigations to be performed by AI. 2021 will also be the year where businesses fully embrace autonomous response – the application of AI that fights back against cyber-threats automatically, without a human being involved.
As we see this increased use of AI to defend our data, we are also seeing cyber attackers harnessing its power and using AI to identify weaknesses in your security. This trend will only accelerate the growth of Cyber AI technology and will eventually make Autonomous Response quite literally the means of survival – only AI can fight back against AI.
A recent survey highlighted this, revealing that 88% of security leaders say supercharged AI attacks are inevitable, with over half of them anticipating that the industry will see these attacks in the next 12 months.
Organisations will effectively delegate the first-line response to an emerging cyber-threat to machine algorithms, allowing the AI to react at computer-speed to fast-moving attacks. We are already used to the idea of AI recommending what to watch on Netflix based on our personal preferences – and there’s no difference in security, AI will be recommending what action to take in response to a cyber-attack.
In many cases, the action will be taken instantaneously to prevent the breach or damage – time is rarely on your side when dealing with computer-driven attacks. It is inevitable that all of this will become normal protocol – AI will be expected to have your back at all times – when the team is busy, when they are resting at home or at the weekend, or simply when they can’t get there quickly enough.
So how does this affect the human role? The human role changes from the central character of threat detection and response to a supporting role. But it also enables the human to step onto a bigger stage altogether and focus on shaping policy and longer-term strategy.
Perhaps nowhere has AI advanced further than in its ability to handle cyber-attacks. In cyber defence, AI has proven that it can outperform human capabilities in detecting, understanding and stopping cyber-threats. This step forward is necessary and should be welcomed – not feared.