Network traffic: Analysis by AI and security experts


There are two types of cyberattacks: Automated opportunistic attempts to penetrate a network and targeted Advanced Persistent Threat (APT) attacks. The former are in the majority and artificial intelligence (AI) can automatically block most of them. But behind an APT there are often people. Defending against such network-level attacks requires both AI and security experts.

Hackers are first identified by traces of their malware on the network. However, these anomalous traffic patterns are easily lost in the mass of information. Left to their own devices, human IT managers are overwhelmed when it comes to recognizing them.

Recognizing is one thing, though

Artificial intelligence makes an important contribution to defense, detecting anomalies in data traffic in real time based on metadata and then sounding the alarm to trigger defensive reactions. According to Splunk experts, AI and automated cyber defenses can automatically detect 90 percent of Tier 1 security incidents and initiate remediation.

The question remains: what about the remaining 10 percent? Since human perpetrators are often behind complex attacks, both human logic and human judgment when analyzing information are essential for future-proof defense.

Added value through human IT security analysts

No cyber defense can do without AI anymore. But the human observers still offer an important plus:

1. AI and human intelligence complement each other

AI optimized with machine learning (ML) and threat intelligence can analyze large amounts of information quickly and without errors. The IT security expert builds on this and interprets the data traffic patterns. At the same time, he directs the defense using tried and tested processes. Because he knows the company and its IT, he is also an important AI coach: he accelerates the definition of what counts as normal, and therefore legitimate, data transmission, among other things by tagging security-critical systems. He also contributes information that is not visible in network traffic, for example that certain devices exist but are not managed centrally, or that the company has opened a new headquarters, which explains requests from IP addresses that were unusual until then, or that it has introduced new technologies and applications and thus new systems.

2. Assess information in context

Artificial intelligence is a statistical approach. Since recognizing, defending against and preventing dangers requires connections that go beyond individual data points, people and their judgment play an important role. Concrete company knowledge helps, for example, when an IT service provider commissioned by the company suddenly becomes active in a subnet that its engagement does not cover at all. Even if the traffic pattern appears unremarkable at first, this exceeding of its authorization may indicate a compromised IT service provider and should be checked.
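The two situations above, an analyst registering context the traffic itself does not show (item 1) and a service provider acting outside its engagement (item 2), come down to one check: compare each flow against what the analyst knows, not against traffic statistics. The following is an added example, not ForeNova's code or product; the subnet plan, the contractor's address pool, the critical-system tags and the flow records are all constructed for the illustration.

```python
"""Context check for network flows: engagement scope and declared sites.

Added example (hypothetical subnets and flows). The point of the check is
that none of the flagged flows look unusual by volume or port; they are
flagged only because they contradict what the analyst knows about who is
allowed where.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class Context:
    """What the analyst knows that the packets do not carry."""
    # provider name -> (its source/VPN pool, subnets its engagement covers)
    contractors: Dict[str, Tuple[str, List[str]]]
    # subnets the analyst tagged as security-critical
    critical: List[str]
    # internal ranges the analyst declared legitimate, with the reason
    known_sites: Dict[str, str]
    internal: str = "10.0.0.0/8"


def in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in ipaddress.ip_network(n) for n in nets)


def assess_flow(flow: Flow, ctx: Context) -> Optional[dict]:
    """Return a finding for one flow, or None if the context explains it."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)

    # A contractor may only touch the subnets its engagement covers.
    for name, (pool, scope) in ctx.contractors.items():
        if src not in ipaddress.ip_network(pool):
            continue
        if in_any(dst, scope):
            return None
        return {
            "kind": "contractor_out_of_scope",
            "who": name, "src": flow.src, "dst": flow.dst, "dport": flow.dport,
            # touching a tagged critical system raises the priority
            "severity": "high" if in_any(dst, ctx.critical) else "medium",
        }

    # Internal sources the analyst has not registered (e.g. a site nobody
    # told the SOC about) are worth a look; registered ones are not.
    if src in ipaddress.ip_network(ctx.internal) and not in_any(src, ctx.known_sites):
        return {"kind": "unregistered_internal_source", "src": flow.src,
                "dst": flow.dst, "dport": flow.dport, "severity": "low"}
    return None


def assess(flows: List[Flow], ctx: Context) -> List[dict]:
    return [f for f in (assess_flow(fl, ctx) for fl in flows) if f]


# Constructed context: one printer vendor, one critical subnet, one new site.
CONTEXT = Context(
    contractors={"printer-vendor": ("10.50.0.0/24", ["10.20.0.0/24"])},
    critical=["10.10.0.0/24"],  # e.g. the domain controllers
    known_sites={"10.90.0.0/16": "new headquarters, opened last quarter"},
)

# Constructed flow records; byte counts and ports are deliberately ordinary.
SAMPLE_FLOWS = [
    Flow("10.50.0.12", "10.20.0.5", 631, 4200),  # vendor -> printer subnet: in scope
    Flow("10.50.0.12", "10.10.0.3", 445, 3900),  # vendor -> DC subnet: out of scope, critical
    Flow("10.50.0.12", "10.30.0.7", 22, 1800),   # vendor -> HR subnet: out of scope
    Flow("10.90.1.4", "10.10.0.3", 389, 2100),   # new HQ -> DC: site declared by analyst
    Flow("10.99.0.8", "10.10.0.3", 389, 2100),   # unknown internal range -> DC
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_FLOWS, CONTEXT):
        print(finding)
```

Run as a script it prints three findings: the vendor reaching the domain-controller subnet (high), the vendor reaching HR (medium) and the unregistered source (low). The flow from the new headquarters produces nothing precisely because the analyst entered that site into the context, which is the "AI coach" role described under item 1.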

3. Anticipate the hacker's next moves

Complex Advanced Persistent Threats (APT) are still man-made. Behind phishing attacks on important people in the company are often not spambots but human social engineering professionals who get into the network through a targeted e-mail attachment. AI then recognizes that a human attacker is tampering with the network, but the individual tactics of that hacker are not reflected in statistical indicators. An experienced security analyst, on the other hand, can put himself in the hacker's shoes and anticipate the attacker's next steps.

4. Assess overall perpetrator motivation

A cyber defense must consider a criminal's motives. Not every attacker wants to steal data, encrypt it and receive a ransom. Hackers have different motives: the hijacking of resources to mine bitcoins, perhaps politically or personally motivated sabotage, or simply the desire to destroy. Thus, a defense must not only secure data or close information leaks. A sustained response requires an understanding of human psychology.

5. Relevant and prioritized security instead of automatic defense mechanisms

An IT security analyst prioritizes risks individually for a company. The choice of defense depends on the context: is the affected data recoverable and perhaps no longer of any value to the company, or is it the much-cited crown jewels? AI cannot answer the resulting questions about a defense appropriate to the situation, because that requires knowing how relevant the data or processes are to business success.

In addition, the analyst has an eye for typical industry attacks. If hackers are currently attacking e-tailer X with malware, it cannot be ruled out that they will try competitors Y and Z afterwards. An AI that only watches its own network only sees such a risk if it is supported by up-to-date threat intelligence.

6. Lead defenses and avoid collateral damage

AI and security analysts work together to future-proof defenses against dangerous attacks (Image: ForeNova).

An AI has great strengths in recognizing a danger and can automatically start a defense. However, every defense has side effects and can impair IT or business processes; the defense may be no less complex and consequential than the APT itself. Security analysts are therefore in demand here because they can consider and weigh up the consequences of actions. Human expertise can avoid unjustifiable collateral damage, such as blocking IoT-controlled building access or IT systems in nursing.

When following up an attack, a security analyst then has an important advisory role. Using a mirrored recording of all network traffic, he can forensically reconstruct what happened and work out how future attacks can be prevented.

AI and security experts depend on each other

IT security without AI is a thing of the past. Nevertheless, the security expert will not become superfluous. He remains relevant as a continuous interpreter of alarms, as a supervisor in crisis situations and as an advisor for future-proof IT security. Each "Detection and Response" is ideally supplemented by a "Managed Detection and Response".

More at ForeNova.com

About ForeNova

ForeNova is a US cybersecurity specialist that offers medium-sized companies affordable and comprehensive Network Detection and Response (NDR) to efficiently mitigate damage from cyber threats and minimize business risks. ForeNova operates the data center for European customers in Frankfurt a. M. and designs all solutions to be GDPR-compliant. The European headquarters are in Amsterdam.
