This is the first in a 5-part series covering the situation, the challenges, and the opportunities to partner with you on how best to address the simultaneous sharp increases in attack surface brought about by the above and the sharp increase in cyberattacks.
The goal of the series is to give corporate and university leaders who are using AI/ML, or learning about it, an understanding of where it can help provide value against Malware, Advanced Persistent Threats (APT), Ransomware and other attacks.
Specifically we will cover how AI/ML helps you scale true zero trust security in the face of the IoT/WFH/5G megatrends that have rendered traditional network security ineffective.
Cybersecurity is an arena that has seen early and enthusiastic deployment of AI/ML in its platforms and applications, both for offense and defense cybersecurity. For defense, AI is already being deployed for purposes such as anomaly and malware detection.
Assess Your Organization
That said, more widespread use and more advanced implementations of AI/ML are needed now. To help gauge where your organization stands, we have assembled the following maturity checklist for our customer organizations:
- Many of my organization’s important IT systems have evolved over time to be a sprawling aggregation of multiple systems, thus becoming difficult to manage, and likely less secure.
- My organization has different people of different skill levels from different teams maintaining applications within this aggregation, often at more basic levels than ideal (i.e., to pass compliance), leaving areas under-maintained and likely less secure.
- For WootCloud customers, the cybersecurity teams are largely resource-constrained (read: labor-constrained) and need advanced automation, ideally using AI/ML capabilities. My organization falls into this category.
- AI/ML is widely used in my organization for cybersecurity in basic forms, such as spam and malware detection.
- We know malicious actors have attacked our organization’s less secure systems and likely used AI/ML given the speed, sophistication, duration and more.
This simple checklist can be used to calibrate against past internal surveys and measures. You can also use our Device Security Maturity Model.
82% of decision-makers surveyed at public and private organizations in eight countries have reported a shortage of needed cybersecurity skills – McAfee.
IoT/WFH/5G Megatrends and Securing Devices and IoT at Scale
With the explosion in the number and types of connected devices, identifying devices (i.e., device fingerprinting) has become critically important to ensure security and to enforce the right access control to the network.
Currently, device fingerprinting technologies combine active and passive methods of examining network information or the application layer of Ethernet traffic.
Why IAM, Fingerprinting, and Vulnerability Management alone are no longer enough
Given the sheer number of electronic devices now connected via multiple communication protocols such as WiFi, Zigbee, Bluetooth, BLE and cellular networks, fingerprinting a device needs to be based on its unique characteristics across multiple dimensions, using AI/ML.
These dimensions must span multiple layers: hardware, software, logical, functional and other operational characteristics. This means that information about the devices collected from RF, each physical interface, protocol, traffic flow and application is combined with organizational information from the CMDB and other tools such as MDM, EDR, vulnerability assessment and firewalls, along with times of operation and location, amongst others.
This volume of information from multiple sources needs to be fed to, and learned by, (supervised and/or unsupervised) machine learning algorithms in real time and on an ongoing basis, with rule sets applied to reveal the patterns embedded in these measurements, especially over time. These algorithms and rule sets generate models and signatures for each device which include the following information, which we at WootCloud call HyperContext.
The association of all the physical interfaces of the device and the spectrum of operation of each interface, including but not limited to the type of device, OS, patches, services and applications on the device, purpose of the device, location, ownership, users and more, all matter in the equation. One can quickly see how traditional IAM, fingerprinting and vulnerability management are no longer enough.
Why Synthesizing Context Matters
All the collected data and the intermediate insights are then used to develop a device identity fingerprint, device group fingerprints and device operational fingerprints. These fingerprints accurately recognize the device, group devices of the same kind together, and establish the device’s normal operation and function.
This can then be used to establish an effective or “True” Zero Trust architecture by:
- Identifying new devices seen in the organization automatically and in near real time
- Importantly, identifying anomalous behavior in the devices whose fingerprints have been collected
- Offering insights about the associated risks, threats and best practices
- Generating labels based on all the collected information, intermediate insights and final fingerprints, and exposing these labels to the micro-segmentation and policy layers
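The identity, group and operational fingerprints and the labels described above, reduced to a small worked example. This is added illustration, not WootCloud code, and every device, flow record and label name in it is constructed sample data:

```python
from collections import Counter

# Constructed sample data (not from the post): per-device observations across the layers
# the post lists (physical interfaces, protocols, hardware vendor, CMDB ownership).
OBSERVATIONS = {
    "cam-01": {"ifaces": {"wifi"}, "protos": {"rtsp", "dns"}, "vendor": "CamCo", "cmdb": "facilities"},
    "cam-02": {"ifaces": {"wifi"}, "protos": {"rtsp", "dns"}, "vendor": "CamCo", "cmdb": "facilities"},
    "laptop-7": {"ifaces": {"wifi", "bt"}, "protos": {"https", "smb", "dns"}, "vendor": "PCCo", "cmdb": "it"},
}
# Constructed flow records for cam-01: a learning window, then two later windows.
LEARNED = [{"dst": "nvr", "port": 554}] * 8 + [{"dst": "dns", "port": 53}] * 2
LATER_OK = [{"dst": "nvr", "port": 554}] * 5 + [{"dst": "dns", "port": 53}]
LATER_BAD = [{"dst": "nvr", "port": 554}] * 4 + [{"dst": "fileserver", "port": 445}] * 4

def identity_fingerprint(obs):
    """Identity fingerprint: the stable multi-layer characteristics of one device."""
    return (obs["vendor"], frozenset(obs["ifaces"]), frozenset(obs["protos"]), obs["cmdb"])

def group_devices(observations):
    """Group fingerprint: devices with identical identity fingerprints form one class."""
    groups = {}
    for dev, obs in observations.items():
        groups.setdefault(identity_fingerprint(obs), []).append(dev)
    return groups

def operational_baseline(flows):
    """Operational fingerprint: share of traffic per (destination, port) in the learning window."""
    counts = Counter((f["dst"], f["port"]) for f in flows)
    total = sum(counts.values())
    return {key: n / total for key, n in counts.items()}

def anomaly_score(baseline, flows):
    """Fraction of later flows to (destination, port) pairs never seen in the baseline."""
    if not flows:
        return 0.0
    novel = sum(1 for f in flows if (f["dst"], f["port"]) not in baseline)
    return novel / len(flows)

def labels_for(obs, score, threshold=0.25):
    """Labels handed to the micro-segmentation/policy layer for this device."""
    tags = {"group:%s-%s" % (obs["vendor"].lower(), obs["cmdb"])}
    tags.add("risk:anomalous" if score >= threshold else "risk:baseline")
    return tags

if __name__ == "__main__":
    base = operational_baseline(LEARNED)
    for window in (LATER_OK, LATER_BAD):
        score = anomaly_score(base, window)
        print(score, labels_for(OBSERVATIONS["cam-01"], score))
```

The camera that suddenly talks SMB to a file server scores 0.5 and is labelled anomalous even though its identity fingerprint is unchanged, which is the point of keeping operational fingerprints separate from identity fingerprints.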
How Machine Learning Enables True Zero Trust
“Trust but verify” is one of the primary principles of security in a traditional enterprise, with the mandate for IT organizations to provide safe environments while ensuring ease of use and access for employees and devices.
However, the confluence of the explosion in connected smart devices, the bad guys adopting AI/ML for nefarious purposes, and WFH is leaving organizations large and small wide open to both insider and outside attacks.
The End of Endpoint Protection
With traditional perimeter-based and endpoint security, enterprises protect the entry into and egress from the network, define and group devices/users into subnets/VLANs using a specific set of usually static rules, use authentication mechanisms centered around users, and install agents to detect and prevent malware.
These methods, though necessary, have proven insufficient to protect against the threats posed by unmanaged devices, credential misuse, IoT devices, misconfiguration, insider mal-intent, and lateral movement of threats once they enter the system.
Thus, Zero Trust approaches to implementing security have been gaining momentum.
Zero Trust is rooted in the principle of “Always verify, never trust”. This is designed to address security, access privileges and control in the network by leveraging micro-segmentation and performing granular access enforcement based on users, devices, data and location properties.
True Zero Trust is access control that reauthorizes every app and API at every request to interact with critical systems, granting access only to known devices and known users whose behavior is in line with their past known behavior.
Only with AI/ML does this become possible at scale.
Advanced AI/ML scales True Zero Trust security to address the IoT/WFH/5G megatrends. True Zero Trust security with intelligent automation driven by AI/ML is key to driving all phases of Detection, Inspection and Action against outside attackers and nefarious insiders.
Zero trust means that each user, device, data flow, and location should be monitored/observed continuously, even those which have authenticated correctly – because as we all know, credentials can be stolen.
AI/ML powers this capability at every critical step.
Monitoring and observation must involve device fingerprinting and risk profiling to get an accurate behavioral map, with access to other resources dependent on the outcome of this mapping and observations.
To do this effectively we need:
- Deep Context: WootCloud ML drives the synthesis of massive volumes of data about every device, resource and user in and around the network, and what each is doing at every moment
- Micro-Segmentation: the ability to dynamically micro-segment devices in real time based on the above context and geo-location, using our ML capabilities
- Dynamic Control: dynamically control the access these devices and users have to other resources in the network, based on context and real-time threat assessment
- Automation: automation to handle devices at IoT scale via a policy engine driven by a strong understanding of the enterprise's business requirements, with ML-driven intelligence to learn the nuances of users, data and data flows over time
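The per-request decision the preceding sections describe (known device, known user, micro-segment permitted, behavior in line with the past), shown as a small policy function. This is an added example, not WootCloud's policy engine; the device labels, users, baseline and policy table are constructed sample inputs, and the labels are assumed to come from a fingerprinting layer like the one described earlier:

```python
# Constructed sample inputs (not from the post): labels the fingerprinting layer attached to
# each device, the known users, each (user, device) pair's learned normal behavior, and the
# micro-segmentation policy mapping resources to the device groups allowed to reach them.
DEVICE_LABELS = {
    "laptop-7": {"group:pcco-it", "risk:baseline"},
    "cam-01": {"group:camco-facilities", "risk:anomalous"},
}
KNOWN_USERS = {"alice", "svc-video"}
BASELINE = {
    ("alice", "laptop-7"): {"resources": {"hr-api", "git"}, "hours": range(7, 20)},
    ("svc-video", "cam-01"): {"resources": {"nvr"}, "hours": range(0, 24)},
}
POLICY = {"hr-api": {"group:pcco-it"}, "git": {"group:pcco-it"}, "nvr": {"group:camco-facilities"}}

def authorize(request):
    """Re-evaluate one app/API request from scratch; returns (decision, reason)."""
    dev, user = request["device"], request["user"]
    res, hour = request["resource"], request["hour"]
    labels = DEVICE_LABELS.get(dev)
    # Gate 1: only known devices and known users get any further.
    if labels is None or user not in KNOWN_USERS:
        return "deny", "unknown device or user"
    # Gate 2: a device whose operational fingerprint drifted is cut off until re-profiled.
    if "risk:anomalous" in labels:
        return "deny", "device flagged anomalous by fingerprinting layer"
    # Gate 3: micro-segmentation; the device's group must be permitted for this resource.
    if not POLICY.get(res, set()) & labels:
        return "deny", "device group not permitted for resource"
    # Gate 4: the request must be in line with this user+device pair's past known behavior.
    base = BASELINE.get((user, dev))
    if base is None or res not in base["resources"] or hour not in base["hours"]:
        return "step-up", "outside past known behavior, re-verify"
    return "allow", "known device, known user, in line with past behavior"

if __name__ == "__main__":
    for req in ({"device": "laptop-7", "user": "alice", "resource": "hr-api", "hour": 10},
                {"device": "laptop-7", "user": "alice", "resource": "hr-api", "hour": 2},
                {"device": "cam-01", "user": "svc-video", "resource": "nvr", "hour": 12}):
        print(req["device"], req["resource"], authorize(req))
```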