In-Depth

Can AI Protect IT?

Microsoft has touted how artificial intelligence (AI) and machine learning are solving many problems. Now Redmond and IT security providers are applying AI in cyberthreat detection.

• By Jeffrey Schwartz
• 12/04/2017

Artificial intelligence (AI) and machine learning have existed in computer science for decades, but in 2017 they were the hottest things in IT. Touted to address everything from helping diagnose and cure major diseases to translating live Skype sessions on the fly and enabling smart chatbots, applying AI and machine learning's highest calling may come in the effort to protect PCs, devices and critical infrastructure. Adding deep learning, automation and predictive analytics has become a key imperative by virtually every provider of software this year amid an exponential rise in cyberattacks.

If there's one place AI and the use of predictive analytics need to have a profound impact quickly, it's thwarting the massive wave of data breaches that increase exponentially each year, where 2017 was off the charts. Many leading threat analytics tools already have AI, aiming to predict oncoming threats in advance, discovering breaches that occur and react­ing to ransomware and other malware attacks. The notion of applying intelligence to cybersecurity is also nothing new, but this year every major provider of endpoint detection and response (EDR) and endpoint protection platforms (EPP) has introduced new offerings that emphasize the ability to predict or provide automated response to threats and attacks using advanced AI and machine learning capabilities.

Among those that have unveiled new threat-detection capabilities that use AI and machine learning, Cisco Systems Inc., Carbon Black Inc., Cylance Inc., CrowdStrike, FireEye Inc., IBM Corp., Kaspersky Lab, McAfee LLC, Sophos Ltd., Symantec Corp., Palo Alto Networks Inc. and Trend Micro Inc. are a few that have introduced or added machine learning capabilities or extended them.

The focus on bringing more AI and machine learning technology into all layers of the IT security stack couldn't come at a better time. The sheer volume and scope of attacks have exceeded the capacity of any number of IT security professionals, who are already in short supply. As every year winds down, it seems the list and severity of major security breaches will be difficult to top and 2017 was no exception. Ransomware attacks alone will have cost companies an estimated $5 billion this year, up from $1 billion in 2016, according to Cybersecurity Ventures, a research firm focused on IT security.

Sophisticated ransomware and malware exploits such as WanaCry, Petya, NonPetya, Nyetya, Goldeneye and others had various consequences to victims this year. Many breaches shut down their victims for days and in some cases longer, while others had to pay a huge price to make their customers whole -- or at the very least saw their brand reputations take a huge hit. Among them were Arby's, Deloitte, DocuSign, Hyatt, FedEx, Merck, Sonic, Verizon and Whole Foods, though there were many others. Add smaller organizations to the count and rarely did a day go by where someone wasn't a victim.

If the 1 billion Yahoo customer identities breached over a period of several years and disclosed last year wasn't staggering enough, this year the company revised that to all 3 billion identities. But that was a mere footnote, overshadowed by the Equifax breach, in which financial information of up to 143 Americans was exposed and amid reports of strong evidence that the Russians tried to influence the U.S. election last year.

Fighting Fire with Fire
Preventing foreigners from attempting to influence future elections has become a high national priority and now C-level execs and their boards are coming to terms with the reality that it's necessary to fight fire with fire. Many organizations are outmatched by the fact that their attackers are using advanced techniques to attack them, often based on their own use of AI and machine learning. Consequently, IT and security operations teams don't have the capacity to discover and mitigate the onslaught of attacks, meaning they must also use AI and machine learning to defend and protect their organizations' critical information.

Arguably one of the most alarming breaches to date, the Equifax breach is the result of the credit reporting provider's failure to patch a security flaw that Cisco publicized on March 8 when the company warned of a critical security flaw in Apache Struts, the open source, Java-based framework widely used on interactive Web sites. Despite reports that the flaw was "being actively exploited," Equifax's July 29 discovery that customer records were potentially stolen traces back to the fact that the flaw wasn't patched. It's not clear why the patch wasn't fixed, and while Equifax's handling of the matter extends beyond that initial failure, the fact is many organizations avoid patching because they're concerned that doing so will cause a failure, or even a systemwide outage.

That thinking needs to change, said David Konetski, VP and a technical fellow with Dell Technologies' Office of the CTO. Speaking during a mid-October panel discussion hosted by the National Cybersecurity Association (NCSA) in New York on the topic of AI and machine learning, Konetski said organizations will find that in order to keep pace with the threat and attack vectors, they'll have no choice but to automate.

"The security exposure of not automating is now starting to outweigh the paranoia of doing something wrong, pushing a button, taking down 170,000 endpoints," Konetski said. "You'd much rather have to deal with a catastrophic issue like that than have to deal with a breach. I think over the next couple of years, you are going to see a large switch to automation, which will increase the security posture of all of the customers. It's going to be a little painful, because IT departments move slow by nature."

The decisions made -- or lack thereof -- by Equifax notwithstanding, it raises the question: If the company's security operations team had applied threat- and breach-detection systems properly using AI, would it have discovered the breach, pinpointed the Struts issue and used predictive analytics to determine what impact the patch might have on the operation of the system?

Generally speaking, the existence of an isolated Apache Struts server in a large, global organization can be difficult to find from an asset management perspective, said Richard Baich, CISO of Wells Fargo Bank, who was also on the NCSA panel discussing the role of AI applied in cybersecurity, a topic of which he's a proponent.

"Organizations need to help vendors to be able to do that, to drive that innovation," Baich said. "I think the real call to action is how do you prioritize from the probability of an occurrence to understand the threats, so that it enables you to be more proactive. We are utilizing and looking at AI and machine learning to enhance our interactions and drive innovation on the internal side of the house as it relates to defining information security and moving it honestly from a proactive to a preemptive stance. Utilizing the functionality of AI or machine-related correlations could speed things using Big Data."

Microsoft's AI Push
AI and machine learning are key emphases of the new Microsoft 365 subscription offerings, which bundle Windows, Office 365 and Microsoft's Enterprise Mobility + Security (EMS) service. Overall, AI and machine learning have become key pillars in Microsoft's focus on making users and groups more productive and on enabling digital transformation. Microsoft CEO Satya Nadella started talking it up about two years ago and it has become the focal point since then. The company's progress in bringing AI into its data platforms was at the heart of Nadella's keynote at the recent Ignite conference.

"When you create such a rich data asset, what you truly enable is AI-first workloads, because with data, your ability to reason over data becomes possible, and when you have that, you can create a completely new capability that you couldn't before," Nadella said in his keynote. "Once you have this very rich data substrate, you can go one step further. You can start building AI-first business-process applications."

AI has become the root of many of the company's initiatives and Microsoft has already released services such as Azure Machine Learning and APIs for its Bot Framework, conversational computing and Microsoft Graph. Microsoft is infusing elements of machine learning and AI into other products, too, including SQL Server, Office 365 and Windows. And when referring to Azure, the company calls the business it's "Intelligent Cloud," when reporting on it to Wall Street. Nadella outlined the core of that intelligence in Azure last year, when revealing that the company has installed field-programmable gate arrays (FPGAs) and GPUs and has deployed advances in software-­defined networking and storage into Azure. Speaking in October at the Sibos financial industry conference in Toronto, Nadella said in regard to AI: "We have ambitious goals there."

Those ambitious goals include applying AI to its various security platforms, which include the company's Digital Crimes Unit, its own security operations center and its rapidly growing portfolio of security software and services. It even now plays into Microsoft's secure-by-design software development lifecycle process.

Machine Learning in Windows Defender ATP
When it comes to delivering security software, Microsoft has offered various security tools over the years, such as Forefront Security and Security Essentials, among others, none of which were considered superior to most third-party alternatives, but regarded as better than nothing. Security Essentials was a malware-scanning tool that was offered as an addon for Windows. It was replaced by Windows Defender with the release of Windows 8, but most deemed it as lightweight compared with third-party tools.

When Microsoft launched Windows 10 in July 2015, it came with an improved version of Windows Defender and offered a new behavioral analysis capability to detect malware during scans. But with last year's Windows 10 Anniversary Update release, Microsoft introduced Windows Defender Advanced Threat Protection (ATP). The new offering was designed to gather telemetry from behavioral sensors built into the Windows 10 Anniversary Update and future releases. Using Microsoft's cloud-based security analytics and threat intelligence data, anonymized data gathered from other Windows devices, more than 2.5 trillion indexed URLs and reputation lookups, Windows Defender ATP taps into Microsoft's new intelligent security graph.

The service provides response recommendations based on its security operations, which include a cloud-based detonation service to run files and URLs in isolated virtual machines for deep inspection. The initial release lacked endpoint remediation tools and wasn't able to detect all attack types. In April, with Microsoft's release of the Windows 10 Creators Update, the company improved Windows Defender ATP by adding sensors to detect in-memory and kernel attacks.

Heike Ritter, a Microsoft senior product manager, speaking about Windows Defender ATP in a session at the recent Ignite conference, said that the ability to detect in-memory and kernel attacks is an important capability. "At Microsoft, we have experts in cybersecurity that are tracking nation states and attacker groups and all kind of other attackers out there in the wild in trying to understand what they are doing and especially what they are doing next," Ritter said. "A unique aspect here is, we built the operating systems, so we know each other in our team. They can just go next door and say, 'Hey, kernel team, what kind of visibility do I need to get to actually spot these kind of attacks?' And then they discuss, and they brainstorm, and then they give us the visibility that exposes them and our sensor will then look at those kind of behaviors in memory or in kernel."