AI works best when security professionals and AI are complementing each other.

Artificial intelligence has advanced greatly in the past decade. On my phone, I'm reading Apple and Google news that is well-tailored to me, thanks to AI recommendation models. Self-driving cars are already picking up passengers for rides in downtown San Francisco.

The same transformation is happening in the cybersecurity world too. However, questions remain: Will AI replace security professionals? Or will AI still be as useful in the zero-trust era given that access is tightened to the minimum already?

AI was introduced to the center stage of the cybersecurity industry a few years ago, originally to tackle malware detection and anomaly detection use cases. We have come a long way to better understand both the usefulness and the limitations of applying AI to cybersecurity, especially in the zero-trust era.

**AI Is Still Needed**

First, a zero-trust architecture doesn't remove the need for AI. Though zero trust eliminates the attack surface and reduces the chance for the anomaly to happen, zero trust demands AI more.

Today, an enterprise user's security policy is typically that person's department security policy. Whether users are in a big or a small department, they all follow very similar, if not the same, security policy, including access control policy.

In the zero-trust era, we need a personalized, contextual, dynamic, and granular security policy — which is exactly what zero trust is about. Access control, for instance, is no longer based on simple rules but a set of complex policies based on your identity, your device, your posture, your intention, your risks, your content, and a lot of rich data points.

However, generating such complex, granular, and personalized policy _at scale_ can be very time-consuming if relying on human rules and heuristics. Different employees will use different applications and such application usage may need to evolve fast in a short period of time. AI is a critical technology to make such an intelligent and personalized security policy recommendation at scale.

At the same time, it is impossible for AI to capture or comprehend all the nuances and contexts of any complex environment, so AI may make recommendations that are suboptimal from experts' eyes. With ongoing human feedback, we can improve the AI model and its effectiveness.

**Threat Detection**

Second, zero trust gives the enterprise much tighter protection than it has had in the past, but no matter how tightened things are, there is always a weak link somewhere. Therefore, we want AI to assist with evasive and unknown threat detection and prevention.

Some evasive threats are undetected in time by conventional signature-based or sandbox technology. The SolarWinds supply chain attack is a good example. This global attack turned the SolarWinds Orion software into a weapon, subsequently gaining access to several government systems and thousands of private systems around the world. There was no involvement from any malware by the traditional definition, and it was hard to rely on any single layer of the conventional technology to detect such an attack ahead of time.

AI has a good potential to be the technology to do a better job with unknown threat detection because it can "predict" threats that have never been seen before.

Practically, we will want to layer multiple security technologies along with AI. For instance, in the case of malware, the tried-and-true approach of signature matching and sandbox will continue to play a key role. AI will complement greatly, but not displace, the conventional technology.

**Easily Understood**

Third, enterprise customers want to utilize AI in a way that is easily understood and digestible by security professionals. The "explainable AI" may not improve the AI model efficacy on the surface, but it will increase the adoption of AI significantly.

For instance, AI may be able to detect an unknown threat, but SecOps teams may want to see which family the threat belongs to before taking an action. For another example, AI may be able to generate intelligent and relevant security policy recommendations, but SecOps teams may still want to know the context of why certain recommendations are made before accepting them.

**Conclusion**

The cybersecurity industry needs AI to help reduce unknown attacks at scale and come up with granular and contextual security policies at scale to reduce the attack surface. We want the result to be explainable too.

AI-powered security tools and products are an amazing digital assistant to SecOps professionals. And professionals are assisting AI technology to advance, too, as we will need humans to verify many of the outputs and/or provide feedback for the AI model to improve.

AI is useful to scale the enterprise security functions, like more-intelligent policies and more-intelligent threat detection as discussed above. AI works best when security professionals and AI are complementing each other. In the end, AI is an assistant to security professionals and will not be a replacement for human effort for a long time to come.

How AI Is Useful — and Not Useful — for Cybersecurity

BAE Systems' Peder Jungck joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the importance of collaboration.

Information sharing and collaboration are essential to security practitioners, says Peder Jungck, VP and general manager of BAE Systems Inc.'s Intelligence Solutions business unit. And the power of that shared data is compounded when shared across companies and industry sectors, he adds. Jungck also discusses how sharing and collaboration work in cloud environments, and shares tools, processes, and organizations that can improve collaboration both internally and with partners, suppliers, and customers.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Want Better Security? Up Your Collaboration Game

Uptycs' Ganesh Pai joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about cloud security and observability.

Transformation is a key theme at RSAC 2022, and Uptycs founder Ganesh Pai weighs in on how cloud security teams can reduce risk and lock things down more tightly. He also talks about how security observability can drive innovation for organizations, which is important as the proliferation of containerized environments like Kubernetes makes this task more. Pai also speaks to how customers can navigate the differences in security standards and controls among cloud providers.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Uptycs: Observability Is Key to Cloud Security

Automox's Paul Zimski joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about automated patch management.

Patching and patch management remain among security pros' biggest pain points; Paul Zimski, VP of product strategy for Automox, believes adding automation to the mix can make a serious dent in the patching equation for most organizations. Zimski also talks about cloud-based patch services as well as what automated vulnerability remediation can do to keep organizations more secure.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Automox Adds Automation to Patching, Vuln Management

At a 2022 RSA Conference keynote, technologist Bruce Schneier asserted that artificial intelligence agents will start to hack human systems — and what that will mean for us.

RSA CONFERENCE 2022 — "Nice to see you all again," Bruce Schneier told the audience at his keynote for the in-person return of RSA Conference, taking off his trademark cap. "It's kinda neat. Kinda a little scary." 

Schneier is a security technologist, researcher, and lecturer at Harvard Kennedy School. He has a long list of publications, including books from as early as 1993 and as recent as 2019's _We Have Root_, with a new one launching in January 2023. But he's best known for his long-running newsletter Crypto-Gram and blog Schneier on Security. And his upcoming book is about hacking.

To Schneier, hacking does not necessarily mean computer systems. "Think about the tax code," he said. "It's not computer code, but it's code. It's a series of algorithms with inputs and outputs."

Because the tax code is a system, it can be hacked, Schneier said. "The tax code has vulnerabilities. We call them tax loopholes. The tax code has exploits. We call them tax avoidance strategies. And there's an entire industry of black-hat hackers — we call them tax accountants and tax attorneys," he added, to audience laughter.

He defined hacking as "a clever, unintended exploitation of a system, which subverts the rules of the system at the expense of some other part of the system." He noted that any system can be hacked, from the tax code to professional hockey, where a player — it's contested just who — started using a curved stick to improve their ability to lift the puck. That player hacked the hockey system.

"Even the best-thought-out sets of rules will be incomplete or inconsistent," Schneier said. "It'll have ambiguity. It'll have things the designers haven't thought of. And as long as there are people who want to subvert the goals of the system, there will be hacks. 

"What I want to talk about here is what happens when AIs start hacking."

**Rise of the Machines**

When AIs start hacking human systems, Schneier said, the impact will be something completely new. 

"It won't just be a difference in degree but a difference in kind, and it'll culminate in AI systems hacking other AI systems and us humans being collateral damage," he said, then paused. "So that's a bit of hyperbole, probably my back-cover copy, but none of that requires any far-future science- fiction technology. I'm not postulating a singularity. I'm not assuming intelligent androids. I'm actually not even assuming evil intent on the part of anyone.

"The hacks I think about don't even require major breakthroughs in AI. They'll improve as AI gets more sophisticated, but we can see shadows of them in operation today. And the hacking will come naturally as AIs become more advanced in learning, understanding, and problem-solving."

He traced the evolution of AI hackers using examples of competitions. Technically it's the human developers who compete in events like DARPA's 2016 Cyber Grand Challenge or China's Robot Hacking Games, but the AIs operate autonomously once set into motion.

"We know how this goes, right?" he asked. "The AIs will improve in capability every year, and we humans stay about the same, and eventually the AIs surpass the humans."

While he acknowledged that bad actors might set up AI systems to hack financial systems for profit or mayhem, Schneier also posited that an AI might hack human systems independently and without intent. 

"\[That\] is more dangerous because we might never know it happened. And this is because of the explainability problem," he said, "which I will now explain."

**Explaining the Explainability Problem**

Schneier set up the discussion of explainability with a literary reference. In Douglas Adams' _Hitchhiker's Guide to the Galaxy_, a race of superintelligent beings called the Magratheans "build the universe's most powerful computer — Deep Thought — to answer the ultimate question to life, the universe, and everything. And the answer is?" he queried. An audience member obliged by answering "42."

The Magratheans were naturally not happy with this opaque answer, and they asked the computer to explain what it meant. "Deep Thought was unable to explain its answer or even tell you what the question was," Schneier said. "That's the explainability problem."

He added: "Modern AIs are essentially black boxes. Data goes in one end, an answer comes out the other. And it can be impossible to understand how the system reached its conclusion even if you're a programmer and look at the code."  

Schneier then discussed Deep Patient, a medical AI meant to analyze patient data and predict diseases. While the system performed well, he said, it doesn't give the doctors any explanation to help them see why it predicted a disease.

Reward hacking refers to an AI achieving a goal in a way its designer didn't intend. The audience enjoyed Schneier's description of an evolution simulator that "instead of building bigger muscles or longer legs, it actually grew taller so it could fall over a finish line faster than anybody could run."

He also used the examples of King Midas and genies to underscore the human problem of poor specification, where the granting of wishes too literally leads to misery. 

"But here's the thing," he said. "There's no way to outsmart the genie. Whatever you wish for, he will always be able to grant it in a way that you wish he hadn't. The genie will always be able to hack your wish."

And because of how the human mind works, "any goal we specify will necessarily be incomplete," he said. "We can't completely specify goals to an AI, and AIs won't be able to completely understand context."

Schneier then used the 2015 Volkswagen emissions scandal to set up an example of an AI hack that we wouldn't be able to detect because of the explainability problem. He said he imagines having an AI system design engine software to be both efficient and able to pass an emissions test. In such a system, the AI might hit on the same solution the Volkswagen engineers did — that is, fudge the emissions data by turning on emission controls only during testing — while not telling humans how it accomplished its goals. Thus the company might celebrate their great new design without even realizing that it's a hack and a fraud.

He expanded that to the real-world example of recommendation algorithms that push extremist content "because that's what people respond to." And that's an example that has real-world effects, radicalizing vulnerable people and causing them to entrench in false beliefs and sometimes even take drastic actions.

Schneier talked about research into how to avoid such negative unintended effects. One solution, value alignment, attempts to teach systems to respect human moral code. "Good luck" specifying human values or allowing an AI to learn them by self-training, he said.

In defending against AI hacking, he said, "what matters is the amount of ambiguity in the system." AIs are not able to work well with ambiguity. But that seems to be a limited solution that AIs could evolve to surmount.

**AI Hacks and the Real World**

Partly because of their lucrative nature and partly because of the structured code, Schneier expects financial systems to be one of the first real-world systems affected by AI hacks. Talking about the tax code, for example, he asked, "How many loopholes will it find that we don't know about?"

Even worse might be the AI message bots that could be infesting your Twitter time line already, pushing messages and interacting realistically. "It will influence what we think is normal, and what we think others think," Schneier warned. "That's a scale change."

But perhaps the most fraught element is the role AI is already playing in people's lives. 

"AIs are making parole decisions \[about\] who receives bank loans, helps screen job candidates \[and\] applicants for college, people who apply for government services," he noted. Because we can't tell why an AI made the decision, it will not seem fair to those denied — and indeed, it might well be unfair and based on unwarranted or underanalyzed parameters like a ZIP code.

And as with so much, he pointed out, it will be the powerful who benefit and the masses who suffer. "It's not that we \[gestures around the room\] are going to discover hacks in the tax codes," Schneier said. "It's going to be the investment bankers."  

He closed on a note of hope, though. While AI can certainly be used to find and exploit software vulnerabilities, he pointed out that they can also be used to find and _fix_ those vulnerabilities. 

"It identifies all the vulnerabilities and then it patches them" before the software gets released, he suggested. "You could imagine \[this AI\] being built into the software development tools. It's part of the compiler.

"We can imagine a world in which software vulnerabilities are a thing of the past," he added. "Kinda weird, but that's what would happen."

Schneier cautioned that during the transition period in which old vulnerable codes — computer or human — were still open and the new ones were still being vetted, black-hat AIs would still have a rich opening. However, he said, "While AI hackers can be employed by the offense and the defense, in the end it favors the defense. We need to be able to quickly and efficiently respond to hacks," though.

Human systems need to have the same agility as software, he said.

"The overarching solution is people," he said. "We're much better off as a society if we decide as people what technology's role in our future should be."

Why AIs Will Become Hackers

ReliaQuest CTO Joe Partlow joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss extended detection response — and acquisition news.

Customers consistently struggle to get from reactivity to a proactive security strategy, but combining extended detection response (XDR) with threat intelligence is a big step in that direction, says ReliaQuest CTO Joe Partlow. And in that same vein, Partlow describes points to the company’s planned acquisition of threat intel vendor Digital Shadows as a central move to reducing risk and improving resilience for customers. The combined entity will create a force multiplier for aiding the detection, investigation, and response to potential breaches, Partlow adds.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

ReliaQuest Bolsters Extended Detection With Threat Intelligence

SAN FRANCISCO – Today, in partnership with the Coalition to Reduce Cyber Risk (CR2), 37 companies and organizations have pledged to enhance cyber resiliency and counter evolving cross-border cyber threats such as the growth of ransomware. Signers to this groundbreaking pledge from eight countries have promised to:

·         encourage the development, evolution and implementation of risk-based approaches that rely on consensus-based standards and risk management best practices, such as ISO/IEC 27110 and 27103, or the NIST Cybersecurity Framework;

·         support efforts of our vendors and supply chain contributors to adopt risk-based cybersecurity approaches in order to help small businesses flourish while improving the resiliency of the cyber ecosystem;

·         incorporate ISO/IEC (or other widely accepted international) cybersecurity standards as a foundation of our cybersecurity policies and controls wherever applicable and feasible; and

·         periodically reassess our cybersecurity policies and controls against revisions to ISO/IEC cybersecurity standards and actively participate in industry-driven initiatives to improve those standards.

_“CR2 is committed to driving a globally-aligned approach for managing cyber risk. Thirty-Seven organizations from eight countries have signed the Cyber Risk Management Pledge, demonstrating the breadth of usage of international standards such as ISO/IEC 27110 and 27103, as well as the NIST Cybersecurity Framework and associated sector profiles.”_ said Benjamin Flatgard, President of CR2 and Executive Director of Technology and Cybersecurity Policy and Partnerships at J.P. Morgan Chase.  He added

_“Governments should embed widely used international standards at the core of their national cyber policies to facilitate a seamless approach to shared cyber risk.”_

For more information on the CR2 and the pledge, or if your company or organization is interested in joining the pledge, please visit https://www.crx2.org/

##

**Cyber Risk Management Pledge**

The signatories to this pledge understand that in order to enhance cyber resiliency and counter evolving cross-border cyber threats such as the growth of ransomware, we must enable the seamless implementation of risk-based approaches to cybersecurity around the world. 

Internationally recognized cybersecurity frameworks and standards that are based upon the principles of risk management and relevant across sectors support such implementation by strengthening consistency and continuity among interconnected sectors and throughout global supply chains. 

Increased and ongoing adoption of these frameworks and international standards by companies and governments around the world will mitigate cyber risks and facilitate economic growth. To further advance adoption of international approaches to cybersecurity risk management, we commit to:

·         Encourage the development, evolution and implementation of risk-based approaches based on consensus-based frameworks, standards and risk management best practices, such as ISO/IEC 27110 and 27103, or the NIST Cybersecurity Framework;

·         Support efforts of our vendors and supply chain contributors to adopt risk-based cybersecurity approaches in order to help small businesses flourish while improving the resiliency of the cyber ecosystem;

·         Incorporate ISO/IEC 27110 and 27103, the NIST Cybersecurity Framework, or other widely accepted international cybersecurity standards as a foundation of our cybersecurity policies and controls wherever applicable and feasible; and

·         Periodically reassess our cybersecurity policies and controls against revisions to such cybersecurity standards and actively participate in industry-driven initiatives to improve those standards.

A commitment to internationally recognized cyber risk management approaches and frameworks that are relevant across sectors can bring widespread economic benefits, help governments achieve their policy goals, bolster collective security, and enhance cyber resiliency across the ecosystem. 

AT&T

AWS

Cisco

Citrix

Cybastion Institute of Technology

Cybereason

Exiger

IBM

JP Morgan Chase

Lumen

Mastercard

Microsoft

NetScout

NTT

Palo Alto Networks

Rakuten Symphony

Redhat

Schneider Electric

Tenable 

Trellix

Verizon

Asia Internet Coalition (AIC)

BSA | The Software Alliance

Coalition of Service Industries (CSI)

Coalition to Reduce Cyber Risk (CR2) 

Cyber Risk Institute

CyberPeace Institute

Cybersecurity Coalition

The DCRO Institute

Health-ISAC

Information and Communications Technology Council (ICTC)

Information Technology Industry (ITI)

Telecommunications Industry Association (TIA)

U.S. Chamber of Commerce

United States Council for International Business (USCIB)

US-India Strategic Policy Forum (USISPF)

37 Major Companies and Organizations Pledge to Enhance Cyber Resiliency and Counter Evolving Global Threats

Organizations can no longer rely on traditional responses to ransomware.

Imagine the scene: A devastating ransomware attack has immobilized a large manufacturing company. It's not possible to ship or sell any products, or to contact the company's customers. The whole supply chain has been compromised. To make matters worse, two backup locations are also inaccessible. Unfortunately, this is not a what-if scenario. It happened, despite the best efforts of the company's security and business operations teams. Even though the organization had a Plan A _and_ a Plan B, it wasn't enough to deal with modern-day ransomware.

Too often, a traditional response to a ransomware attack is focused solely on a technical investigation. However, the ripple effects of ransomware go far beyond a system reboot and security housekeeping. As our manufacturing company's predicament highlights, there's often a gap between what needs to be done and shared across the enterprise and current incident response plans. Organizations' leaders must recognize that ransomware is a business risk, not simply a cybersecurity problem, and they should take the right steps in the right order to handle any crisis.

**Ransomware Motivations Evolve**

Although ransomware has been around a long time, threat actor tactics and motivations have recently changed. Following Russia's invasion of Ukraine, threat actors on Dark Web Russian language forums — particularly ones associated with ransomware — are sometimes choosing targets based on political motives rather than just financial gains. The ideological divide has led many underground actors to call for the return of ransomware groups to the mainstream underground and to reinstate the targeting of Western entities, especially in the resources, government, banking, and critical infrastructure sectors.

**New Tactics Open the Door**

We’re also seeing new threat actors introducing fresh ideas and evolving tactics. For example, some attacks are more destructive than disruptive, involving deleting or damaging backups. This destroys Plan B and makes it harder for a compromised target to get back up and running. It can also damage a business's brand and reputation.

Making life easier for threat actors is access to "plug-and-play" tools, such as ransomware-as-a-service products that can be easily purchased on the Dark Web and just as easily deployed. And there is also the growing interest in network access sales — when cybercriminals offer sophisticated and accomplished threat actors a shortcut to a compromised network for a price. For example, in February the Accenture threat intelligence team found that an underground site user, "GodLevel," was advertising access to a subdomain belonging to an identified Ukrainian agricultural exchange. An attacker could potentially use compromised system access to elevate user privileges and make use of associated domains to obtain personally identifiable information (PII) and payment card data, resell exfiltrated data, and deploy malicious software such as ransomware.

When it comes to ransomware tactics, one of the new flavors is extortion, where threat actors initiate a public business disinformation campaign aimed at eroding confidence and public trust in a business.

We're even seen threat actors directly contacting individuals whose data has been stolen from a company when the company refuses to pay a ransom. So, while companies are trying to deal with cyber complexities and get their business back up and running, they may also have to defend themselves against an extended ecosystem of stakeholders.

Disruptive times have resulted in a surge in attacks, and it is possible that Russia's invasion of Ukraine could continue this trend. Recent analysis from the Accenture cyber-incident forensic response team, based on engagements conducted between January and December 2021, shows a year-on-year increase of 107% in ransomware and extortion attacks and 33% in intrusion volume from ransomware and extortion. These growing threats put pressure on a traditional crisis response and accentuate the vital role of coordinated planning and communications.

**Closing the Communications Gap**

When all areas of the enterprise work together — driven from the top — the whole business benefits. Here are some steps to consider to help close the gaps that open the door to ransomware and extortion:

*   **Lead with leaders:** Cybersecurity professionals often run tabletop exercises, but they should evolve such exercises to include executive-level simulations. This enables organizations to test their defenses against a typical ransomware attack directly with business leaders — while simulating the risk and adrenalin of a "real-life" attack scenario.
*   **Avoid the domino effect:** Taking an uncoordinated first step can lead an organization down a path that can hinder its recovery. By creating a playbook and having a clear plan for the whole business, overseen by the C-suite, organizations can avoid the domino effect of "wrong place, wrong time" actions.
*   **Report with rigor:** The devil is in the details. To protect against ransomware, maintain standard cybersecurity patching hygiene practices and incorporate an intelligence-driven approach to vulnerability and attack surface management programs. To be resilient, organizations should better understand internal reporting obligations and act with full transparency, in a thoughtful and factual way.

**Conclusion**

By understanding — and preparing for — the full implications of a ransomware attack on an organization, recovery can be faster and easier. However, business leaders are often ill-prepared, especially when it comes to the essential communications needed to inform and instruct all stakeholders affected by an attack. It's time for business leaders to look with fresh eyes at how they handle ransomware and extortion. And the emphasis should be on prioritizing effective crisis management across the enterprise.

How Poor Communication Opens the Door to Ransomware and Extortion

Seemplicity's Ravid Circus joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk up accelerating time-to-remediation and reducing risk.

Scanning and remediation are hobbled without some robust automation to power them, says Ravid Circus, co-founder and chief product officer of Seemplicity, who's looking to accelerate time-to-remediation and reducing risk. Circus also describes how automated security platforms can be better integrated into the management framework, and offers some general tips for ways security pros can drive down risk.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Security & Productivity: The New Power Couple

Anjuna Security's Ayal Yogev joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss how confidential computing will improve cloud security.

Ayal Yogev, CEO and co-founder of Anjuna Security, describes the emerging model of Confidential Computing, as well as how it leverages enclaves and creates Trusted Execution Environments, which isolates data from unauthorized access. Yogev also discusses how he expects Confidential Computing to improve security for cloud computing, especially with its multi-party service delivery model.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading