Cybersecurity has so far focused on preventive measures. Once an attacker gets past them, the company network lies defenceless. Today, thanks to AI-supported network monitoring, such attacks can be stopped before it is too late.
The protection of IT systems, be it against cyber attackers from outside or malicious insiders, is more relevant than ever due to digitalization and the challenges posed by the Corona crisis. In the past, cybersecurity was mainly based on prevention and shielding measures. Firewalls, anti-virus systems, encryption or access management are designed to protect company data, infrastructure and employees' accounts from attacks.
However, in many cases the common strategy of shielding the company with preventive measures is not sufficient. Today the media report almost daily on successful attacks and data thefts. According to a study by IBM, cyber attacks are only detected after 207 days on average. So by the time a company realizes that its protection concept has failed, it is often already too late.
The consequences can be devastating: business interruption, defective products, financial damage and loss of reputation, as well as legal issues (such as data protection). Companies of all sizes are affected by cyber attacks. Even digital giants such as Facebook fall victim, despite their enormous preventive efforts.
The question is not whether a company is hacked, but when. The key to preventing loss is therefore to detect threats, attacks and data leaks immediately and to initiate countermeasures before damage occurs. This can be achieved by continuously monitoring the network to detect and alert on unusual or suspicious events immediately. Monitoring the network to detect performance problems has long been standard practice. But security monitoring has been virtually impossible until now: corporate networks produce a huge amount of log data. Analyzing this data for suspicious activities was not only extremely time-consuming, but also ineffective - until now.
The use of artificial intelligence (AI) in network monitoring solves this problem. AI can analyze the existing log data, learn which processes in the network are normal and thus quickly raise the alarm in case of deviations. The corresponding AI models can either be trained in advance using sample data or the models can continuously learn the regular behavior of the network.
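To make the learning-then-alerting idea concrete, here is an added example (not code from the original article or from any NDR product) of the simplest form of such a model: a per-host baseline learned from past flow summaries, against which new flows are scored. The flow records, host addresses and byte counts are all constructed for illustration; the two "normal" properties it learns, outbound volume per window and the set of peers a host talks to, are assumptions about what a real model might track.

```python
import statistics
from collections import defaultdict

# Constructed sample flow summaries (not real traffic), one record per
# host per time window: "window,src,dst,dport,bytes_out".
BASELINE_FLOWS = """\
1,10.0.0.5,10.0.0.20,445,120000
2,10.0.0.5,10.0.0.20,445,118000
3,10.0.0.5,10.0.0.20,445,125000
4,10.0.0.5,10.0.0.20,445,121000
5,10.0.0.5,10.0.0.21,443,60000
6,10.0.0.5,10.0.0.20,445,119000
7,10.0.0.5,10.0.0.21,443,62000
"""

# Constructed windows seen after learning: one ordinary, one that deviates sharply.
LIVE_FLOWS = """\
8,10.0.0.5,10.0.0.20,445,122000
9,10.0.0.5,203.0.113.9,22,4800000
"""


def parse_flows(text):
    """Turn the CSV-like text into a list of dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        window, src, dst, dport, nbytes = line.split(",")
        flows.append({"window": int(window), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


class HostBaseline:
    """Learns, per source host, what 'normal' looks like from past flows."""

    def __init__(self, z_threshold=3.0):
        self.z_threshold = z_threshold
        self.volumes = defaultdict(list)   # src -> outbound bytes per window
        self.peers = defaultdict(set)      # src -> {(dst, dport)} seen so far

    def learn(self, flows):
        """Training phase: ingest historical flows (the 'sample data' case)."""
        for f in flows:
            self.volumes[f["src"]].append(f["bytes"])
            self.peers[f["src"]].add((f["dst"], f["dport"]))

    def score(self, flow):
        """Return the reasons a flow deviates from the learned baseline ([] if none)."""
        reasons = []
        src = flow["src"]
        history = self.volumes.get(src)
        if not history or len(history) < 2:
            return ["no baseline for host"]
        mean = statistics.mean(history)
        stdev = statistics.stdev(history) or 1.0   # guard against a flat history
        z = (flow["bytes"] - mean) / stdev
        if z > self.z_threshold:
            reasons.append(f"outbound volume z-score {z:.1f}")
        if (flow["dst"], flow["dport"]) not in self.peers[src]:
            reasons.append(f"never-seen peer {flow['dst']}:{flow['dport']}")
        return reasons

    def update(self, flow):
        """Continuous learning: fold a flow judged normal back into the baseline."""
        self.volumes[flow["src"]].append(flow["bytes"])
        self.peers[flow["src"]].add((flow["dst"], flow["dport"]))


def detect(baseline_text=BASELINE_FLOWS, live_text=LIVE_FLOWS):
    """Learn from the baseline windows, then score each live window in order."""
    model = HostBaseline()
    model.learn(parse_flows(baseline_text))
    alerts = []
    for flow in parse_flows(live_text):
        reasons = model.score(flow)
        if reasons:
            alerts.append((flow["window"], flow["src"], reasons))
        else:
            model.update(flow)   # normal traffic keeps refining the model
    return alerts


if __name__ == "__main__":
    for window, host, reasons in detect():
        print(f"window {window}: {host} -> {'; '.join(reasons)}")
```

Only window 9 is reported, for two independent reasons: the volume is far outside the learned range and the destination/port pair has never been seen from that host. Note that anomalous flows are deliberately not folded back into the baseline; a model that keeps learning from everything it sees would gradually accept the attacker's traffic as normal.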
The name for this new security technology is "Network Detection and Response" (NDR). NDR opens up a new field in cybersecurity and functions like an alarm system that goes off as soon as the burglar has entered the house - and not after 200 days, when the data thief has long since left. Cyber criminals need a certain amount of time to find their way around the network after a break-in and locate the valuable data. The shorter the time between attack and discovery, the smaller the risk of damage to the company.
The use of AI in cybersecurity does not end with the monitoring of the network. The technology can also support security teams in the often time-consuming investigation and combating of incidents. It does this, on the one hand, by automatically evaluating and prioritizing triggered alarms, which minimizes false alarms and allows the security teams to focus on the relevant incidents. On the other hand, NDR helps the teams to investigate and combat threats. By intuitively visualizing complex corporate networks and delivering alarms directly with contextual information, security teams can act in a more targeted manner. This way, NDR provides the old cybersecurity world of prevention with a new world of real-time response that is both powerful and effective.
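The evaluation and prioritization step described above can be illustrated with an added example (again not from the original article or from any vendor's product): raw detector alerts are deduplicated, grouped per host, enriched with asset context and ranked, and low-priority cases are marked for suppression. The asset inventory, the alerts and the scoring weights are all constructed assumptions chosen to show the mechanics.

```python
from collections import defaultdict

# Constructed asset context (not a real inventory): host -> (role, criticality 1-5).
ASSETS = {
    "10.0.0.5": ("file-server", 5),
    "10.0.0.77": ("workstation", 2),
    "10.0.0.120": ("printer", 1),
}

# Constructed alerts as detectors might emit them: (host, detector, confidence 0-1).
RAW_ALERTS = [
    ("10.0.0.5", "volume-anomaly", 0.9),
    ("10.0.0.5", "new-external-peer", 0.8),
    ("10.0.0.77", "new-external-peer", 0.3),
    ("10.0.0.120", "volume-anomaly", 0.4),
    ("10.0.0.120", "volume-anomaly", 0.4),   # exact duplicate, collapses below
    ("10.0.0.5", "volume-anomaly", 0.9),     # exact duplicate, collapses below
]


def triage(alerts=RAW_ALERTS, assets=ASSETS, min_priority=2.0):
    """Deduplicate, group by host, weight by asset criticality and corroboration.

    Returns cases sorted by descending priority; each case carries the context an
    analyst needs (role, which detectors fired) and a suppression flag for alerts
    that fall below the chosen priority threshold.
    """
    unique = set(alerts)                 # identical alerts count once
    by_host = defaultdict(list)
    for host, detector, confidence in unique:
        by_host[host].append((detector, confidence))

    cases = []
    for host, findings in by_host.items():
        role, criticality = assets.get(host, ("unknown", 3))  # unknown assets: medium
        detectors = {d for d, _ in findings}
        max_conf = max(c for _, c in findings)
        # Independent detectors agreeing on one host raise confidence in the case.
        corroboration = 1.0 + 0.5 * (len(detectors) - 1)
        priority = round(max_conf * criticality * corroboration, 2)
        cases.append({
            "host": host,
            "role": role,
            "detectors": sorted(detectors),
            "priority": priority,
            "suppressed": priority < min_priority,
        })
    cases.sort(key=lambda c: c["priority"], reverse=True)
    return cases


if __name__ == "__main__":
    for case in triage():
        state = "SUPPRESSED" if case["suppressed"] else "OPEN"
        print(f"{state:10} {case['priority']:5.2f} {case['host']:12} "
              f"{case['role']:12} {', '.join(case['detectors'])}")
```

With these inputs six raw alerts become three cases, of which only the file server remains open: two detectors corroborate each other on a critical asset, while the single low-confidence findings on the workstation and the printer are suppressed rather than shown to the analyst.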
Originally published in Computerworld, 13.11.2020.
The author: David Gugelmann is Founder and CEO of Exeon.