Why We Need AI and ML to Keep Our Infrastructure Safe

Protecting modern datacenters, users and servers is becoming increasingly difficult. Hackers are attacking critical infrastructure such as hospitals, schools, pipelines, and halting production in major companies on a daily basis.

We read about companies paying exorbitant ransoms to regain access to their data regularly. To keep our assets safe we have to gather and analyze more and more intelligence. AI and ML are the tools we need to make sense of the flood of information we accumulate.

The security conundrum

Let’s start with a brief look at why it’s become so difficult to protect our modern data centres and the strategies attackers use to breach our networks, data and applications.

In the past, servers and data were kept in one central location. If you wanted to access them, there was a clear path your connection would take. You were either in the exact location as the server or outside, such as in a branch office. There was a perimeter protected by a firewall that separated the outside from the inside. The outside was dangerous; the inside was secure. Once someone was inside past the firewall, they were assumed to be friendly, and you ignored them.

It’s still important to protect the borders with suitable security measures. What’s changed drastically, however, is where that perimeter is. Today, there’s no longer a clear boundary between outside and inside. Modern enterprise infrastructures are like sprawling metropolitan areas. 

There are multiple locations where data and services reside. Some are under your immediate control, and others, like SaaS and public clouds, aren’t. 

The same is true for your users. They’re no longer in your buildings and under your control. They work from everywhere,  from home, in a coffee shop, on a train, or in a hotel. There’s probably someone checking their company email or accessing a file that needs to be protected wherever people are.

The devices used to access the data have also changed. The computer under the desk in the office has largely disappeared, and portable and mobile devices have replaced them. The pandemic has accelerated this evolution as large portions of the workforce have moved out of corporate spaces and into the safety of their homes.

What remains is the need to protect this conglomerate of devices, users, services and connections. 

Since there are no clear boundaries, there’s no safe space. Hackers use phishing and social engineering to trick users into installing malware. This means you can’t trust your users either, and you need to monitor and restrict their access.

Modern Cyber Defense Solutions

To protect your infrastructure, you need segmentation and increase the number of monitoring points. You need to build a fine-meshed monitoring network. 

This constant monitoring and accumulation of data have reached the limit of what’s humanly possible to analyze. The mountains of data generated by security systems can no longer be processed by humans, and we must now rely on machine learning and artificial intelligence to protect us.

The current answer to the pervasive threat of data loss is XDR (Extended Detection and Response). XDR is used in addition to traditional firewalls, IDS /IPS (Intrusion Detection and Preventions) and DDoS (Distributed Denial of Service) protection.

XDR isn’t a stand-alone solution. It’s a combination of EDR (Endpoint Detection and Response) – a next-generation antivirus solution – and NDR (Network Detection and Response), which monitors the network.

NDR monitors data transport paths. Remember that every connection is suspicious. It uses IDS /IPS to examine the packets in the connections and compares them to known malware signatures.

However, IDS /IPS cannot detect previously unknown malware (zero-day attacks) because they have no signature.

This is where machine learning comes into play. NDR uses behavioural analysis and profiling to detect anomalies.

To understand anomalies, one must first know what constitutes normal behaviour is. The first step is to establish a baseline of normal behaviour.

The second step is to compare everything that happens to these baselines to determine if anything unusual happens. This is done through unsupervised machine learning.

Security teams, however, are overloaded with constant alerts from systems telling them something unusual has happened. But these alerts aren’t helpful. 

An anomaly isn’t the same as a real threat. Maybe it’s a new employee who just started, and we see a new user accessing the systems. Perhaps it’s the end of the month, and a batch run is generating more data. Or a new app has been introduced, and we see entirely new communication patterns. The point is that most anomalies that are detected are irrelevant. Events triggered by benign abnormalities are called false positives.

NDR uses AI-powered network traffic analysis (NTA) to filter out and detect anomalous activity caused by actual active threats to reduce false positives. This is achieved with a combination of unsupervised and supervised ML models.

Unsupervised ML uses baselines to discover general anomalies. The identified events are then passed to a supervised model. 

These ML models are trained with threat intelligence from millions of previous incidents. They discard harmless anomalies and keep only what’s relevant to security.

But we’re not done yet. Modern intrusions don’t happen on single systems. There’s a chain of events that must be tracked. NDR correlates all the observed anomalies and events to give you a clear picture of how incidents have evolved on your infrastructure. After an attack, you need to be able to trace the path of the attackers, see which systems they attacked,

Protocol anomalies, traffic anomalies, and host anomalies identified with the ML monitoring feature are correlated to help find threats and mitigate incidents.

EDR: secure user endpoints

Endpoints are the places where your users are logged in. An endpoint is a computer, laptop, server, tablet, or mobile device on your network. 

Like the network that connects them and transports data, the endpoints themselves need to be closely monitored.

Everything you just read about NDR also applies to EDR. Like NDR, EDR solutions rely on multiple pillars. Just like traditional antivirus solutions, they use signatures to match data against known threats. But as mentioned earlier, signature matching is no longer enough to identify malware. 

Evasive malware avoids detection by living off the land, allowing system processes to enable ports to reach their target. This makes it challenging to distinguish modern threats from benign software.

To detect evasive malware, profiling with machine learning is required. Process behaviour must be observed, tracked, and analyzed to understand if there are ulterior motives.

Conclusion

The unfortunate truth of our digital world is that everything and everyone must be monitored 24/7. Mountains of data must be accumulated, analyzed and filtered. Humans can no longer keep track of events and data.

Only highly intelligent XDR (EDR & NDR) solutions with artificial intelligence and machine learning can give you the level of protection you need. These systems help you avoid catastrophic events that could potentially cost you millions of dollars.

Even with XDR, there’s a risk that a breach will occur. But combined with network segmentation, they help you limit the damage to a few systems. An encrypted file server is bad, and an entire encrypted data centre is an outage that can be impossible to recover from.

Picture of Ronke Babajide

Ronke Babajide

Ronke was born in Vienna, Austria and grew up in Lagos, Nigeria where her family moved when she was 8. She returned to Europe when she was 19 and studied Chemistry at the University of Vienna where she acquired a PhD in Theoretical Chemistry.
While working on her thesis she worked with Unix systems and the first Linux Systems. She learned a lot about how computers work and about programming. This was just around the time when the Internet became available, and she was fascinated by the possibilities of this new technology. She soon decided that this was the career she wanted to pursue. In the following years, she worked in different roles in the field. In the early days as a Web developer, then as a Unix specialist in a software company, then as a systems engineer at an IBM partner company. By chance she got the opportunity to move into the vendor space where she worked as a Systems Engineer and Channel Systems Engineer at Riverbed, then as a Solution Architect for Radware and currently she is employed as a Senior Solution Engineer for Networking and Security at VMware.

Resources