Rise Of The Machines: AI/ML In Endpoint Protection



On May 9, 1974, an up-and-coming rock musician played a show at the Harvard Square Theater in Cambridge, as an opening act no less. In the audience that night was an influential music critic named Jon Landau, who would later go on to become the musician’s manager. Landau wrote of that night, “I saw rock ‘n’ roll’s future, and its name is Bruce Springsteen.”

To respectfully paraphrase Mr. Landau, I have seen endpoint protection’s future, and its name is machine learning.

In the early days of the internet and anti-virus, many large companies made a lot of money with their solutions.   A user would install their product, download “signatures” at periodic intervals and run a scan on hard drives that would hopefully prevent bad things from happening. That worked fairly well — for a time.

We now live in an entirely different world. Anti-virus is dead. Today, cyber threats come in many forms: zero-days, viruses, malware, bots, ransomware, trojans, key loggers, stealth crypto miners. The list constantly grows. Every day, hundreds of thousands of new variations appear, mutated from previous versions of said malware.   It’s difficult if not impossible to keep up with this pace, even for experienced cybersecurity teams.

Over a long career, I have seen many different vendors approach this difficult problem, with varying degrees of success. In my view, the only way to effectively manage today’s cyber threats is by using products from vendors that utilize AI/ML in their approach. Almost all major vendors have moved or are moving toward this.

Organizations can prepare for the inevitable transformation by the following:

• Perform a “gap analysis” of current technology systems in how they protect your endpoints and data. Be honest in the assessment.

• If you are not already doing this, maintain detailed logs of cyber incidents. This would include successful and unsuccessful attempts.

• Discuss with existing vendors their product roadmap plans for integration of AI/ML and autonomous response.

• Vendors are more than happy to offer proof-of-concept trials of their products. Take advantage of this. Identify the top players in your space by asking peers whom they use.

AI/ML is the only approach that can keep up to match both the speed and severity of today’s threats.  Furthermore, I would argue that in addition to using ML, autonomous response is critical. Virtually all AV vendors are moving to or have already moved to the cloud. This enables them to ingest and analyze data globally, incorporating real-time threat vectors and apply advanced behavioral analysis.

Moving forward, the advanced behavior analysis will become critical as malware evolves. Anomalies will need to be detected at various levels such as the endpoint, server, network or cloud platform without having a “signature” in place. The speed at which this is done is staggering. Humans cannot possibly perform this type of action — only machines can.  AI/ML allows algorithms to be developed that “learn” from what it finds, creating effective barriers to threats.

AI/ML is critical. But there’s another piece of the puzzle that is equally important. Autonomous response. Once an anomaly is detected on an endpoint, a mobile device, a network device or server, what do you do with it? Cybersecurity teams, if any even exist at many organizations, generally operate lean and are working at capacity on a daily basis.  So many logs and alerts are created, it’s becoming virtually impossible for technology teams to keep up with them. People have to sleep. What if a severe threat is triggered at 3 a.m.?  I would argue that for a solution to be effective, the response has to be autonomous. And by autonomous, I don’t mean just having a NOC available to call or text a sequential list of people.

All organizations can take advantage of AI/ML and autonomous response in several ways:

• AI/ML can, over a period of time, learn what “normal” traffic is on a network and, more importantly, identify and act upon patterns of behavior that deviate from these norms. This type of behavioral analysis is critical for next-generation malware.

• I have seen ransomware encrypt a shared network drive in approximately 30 seconds. Alerts were generated and bells were going off, but the damage was already done. An autonomous response can identify and react exponentially faster than humans, mitigating otherwise serious issues. An AR (automated response) could for example, restore deleted or encrypted files to a previous state upon detection of malware.

• All network devices generate voluminous amounts of alerts and logs. AI/ML can sift through these notifications with speed and accuracy. Autonomous response can alert the relevant teams to those that are most critical, and filter out the substantial amounts of “digital noise” that is generated.

• One item often overlooked in creating a company’s cyber defense is insider threats. Over my career, the vast majority of cyber events caused by insiders occur in the middle of the night, for obvious reasons. A device or user account acting in a suspicious manner could immediately be isolated. An autonomous response to these types of threats can mitigate potential problems at the instant of detection and allow staff to investigate in a timely manner.

Properly trained, autonomous response can detect, act and mitigate a threat in seconds, without human intervention. Supervised by humans, but nonetheless autonomous. At initial configuration, policies can be created by a technology team and implemented within the AI/ML framework. Guided by experienced personnel, these policies can become the foundation for autonomous response and alleviate the need for human interaction for many types of threats, freeing up the technology team to focus on other critical tasks.

While AI/ML is no panacea for cyber threats we all face today, the rise of the machines has given us a powerful advantage in the never-ending battle against hackers and cybercriminals.