The rise of behavioral analytics, machine learning, artificial intelligence, or whatever the latest nomenclature currently being promoted by vendors is, has taken the security community by storm and is showing no signs of stopping. It's almost impossible not to see these phrases mentioned on new preventative solutions going to market, and rightfully so. With an industry accustomed to relying on static signatures, known-bad hashes and isolated one-off alerts, this technology is a welcome relief for defenders, and we've seen the market capitalize on our desire for it.
The progression of the security industry toward technologies that favor behavior analysis over static alerting is a step forward in the evolution of detection and defense. These solutions aren't perfect by any means, but the progressive mindset in closing the detection gap is a step forward. Implementing AI in these solutions was born of necessity, not added as a feature. The gap between attackers and defenders widened to a point where continuing on our current trajectory became unsustainable; hence the open adoption of machine learning. Something had to fill this void, and AI stepped in to create an alternative method of performing security with better results and less overhead. This is the definition of technology: creating efficiency in an area with a tool that produces repeatable results. You know you're progressing when you're solving a problem with a different solution and better results.
Machine learning is teaching the security industry that behavior and big data are better equipped to detect attackers than traditional security tools. By knowing what's considered malicious in an environment, a system is able to detect threats without having to rely on signatures; this is commonly called supervised learning. This in itself is great and a step up from most security tools, but the real progress comes into play when solutions start using unsupervised learning: the ability of a system to teach itself what's normal in your environment or within the data. When alerting and monitoring can be tailored to past behavior, it helps detect attacks that aren't using malicious tools or that would otherwise have slipped through your detection. This type of visibility into your systems helps defenders identify attacks earlier in the kill chain and reduces risk in your environment.
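As an added illustration of the baselining idea above (example code, not the author's), the following Python learns each user's usual login hours and source networks from an unlabelled window of constructed authentication events and then flags deviations that a static known-bad indicator list would miss. The user names, addresses, /24 grouping and one-hour tolerance are assumptions chosen for the example.

```python
"""Baseline-driven anomaly scoring versus a static indicator list (constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed events: (user, hour_of_day, source_ip). BASELINE is the unlabelled
# learning window; NEW_EVENTS is the window being evaluated against it.
BASELINE = [
    ("alice", 9, "10.1.4.20"), ("alice", 10, "10.1.4.20"), ("alice", 14, "10.1.4.21"),
    ("alice", 16, "10.1.4.20"), ("alice", 9, "10.1.4.22"),
    ("bob", 8, "10.1.7.5"), ("bob", 12, "10.1.7.5"), ("bob", 17, "10.1.7.9"),
]
NEW_EVENTS = [
    ("alice", 10, "10.1.4.20"),  # routine
    ("alice", 3, "10.1.4.20"),   # unusual hour, familiar network
    ("bob", 3, "203.0.113.7"),   # unusual hour and a never-seen network
]

# A static indicator list, standing in for a signature-style check (constructed).
KNOWN_BAD = {"198.51.100.99"}
HOUR_TOLERANCE = 1  # assumed: an hour within +/-1 of a seen hour counts as normal


def build_profiles(events):
    """Learn, per user, the hours and /24 networks observed in the baseline window."""
    profiles = defaultdict(lambda: {"hours": set(), "nets": set()})
    for user, hour, ip in events:
        profiles[user]["hours"].add(hour)
        profiles[user]["nets"].add(ip_network(f"{ip}/24", strict=False))
    return profiles


def score_event(profiles, user, hour, ip):
    """Return the list of ways an event deviates from the user's learned baseline."""
    prof = profiles.get(user)
    if prof is None:
        return ["unknown user"]
    reasons = []
    # Circular distance so 23:00 and 00:00 are treated as adjacent hours.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > HOUR_TOLERANCE for h in prof["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    if not any(ip_address(ip) in net for net in prof["nets"]):
        reasons.append(f"new source network for {ip}")
    return reasons


def signature_hits(events):
    """What the static indicator list alone would catch."""
    return [e for e in events if e[2] in KNOWN_BAD]


def baseline_hits(profiles, events):
    """What the learned baseline catches, with the reasons for each alert."""
    scored = [(e, score_event(profiles, *e)) for e in events]
    return [(e, reasons) for e, reasons in scored if reasons]
```

Running `baseline_hits(build_profiles(BASELINE), NEW_EVENTS)` flags the two off-hours logins while `signature_hits(NEW_EVENTS)` returns nothing, which is the gap the post describes.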
Attackers have jumped ahead in their progression of exploitation, and it's due to this increase that behavioral technology is becoming a staple within the security community. Minor changes in behavior are all that's needed to alert on a particular issue, not signatures, rules or isolated alerts. Whether this technology is being adopted in malware detection, network anomaly detection or user baselining, the industry has moved on, and those not performing some type of behavior analytics within their alerting will soon be caught having to play catch-up. With that being said, these tools are not a silver bullet, and using them in place of proper security basics is a mistake. They're best used as an additional layer of protection within your security posture, not as a band-aid for threats you're looking to compensate for. These AI tools allow for predictive alerting and detection, which helps defenders make up for lost ground. I personally look forward to seeing how this technology will be used in the future and the advances in security it will usher in.
Matthew Pascucci is a security architect, privacy advocate and security blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cybersecurity for the past decade. He is the founder of https://www.frontlinesentinel.com/ and can be contacted via his blog or Twitter @matthewpascucci.