A single point of failure? Artificial Intelligence and network detection and response

12 July 2023

Jacques de la Riviere, CEO, Gatewatcher

Having leapt into public consciousness with the dawn of the likes of ChatGPT and Google Bard, artificial intelligence (AI) has already begun to play a decisive role in network detection and response (NDR).

The benefits of AI are seen in both detection and response.

AI in detection

One of the biggest benefits of AI within NDR is its ability to recognise patterns and trends in the network traffic and identify anomalies or suspicious activities. These anomalies could suggest potential threats as they are deviations from ‘normal’ behaviours and can often be a precursor to an attack or an attempted security breach.

This differs from relying on known attack signatures or predefined rules. Rather than matching traffic against a list of what is already known to be bad, the AI models how the network normally behaves, at several levels at once, and flags departures from that model: unusual patterns of behaviour, and trends in how protocols are constructed. It needs no specific instruction about what an attack looks like, because the baseline it judges against is learned from the traffic itself.

The network's own behaviour and content, including traffic that is new or has never been seen before, is therefore what the system learns from.

Over time this becomes a process of continual evolution: the AI enables the NDR to learn from the analysed network traffic and adapt to changes in the landscape. This helps in the recognition of new threats that could be overlooked by traditional, signature-based methods.

This improvement is not just quantitative – AI can also help enable more precise recognition. By analysing enormous quantities of data and identifying complex interrelationships, AI can create a more refined, nuanced recognition of threats, including those that might be overlooked by conventional, rule-based systems.

AI systems can therefore adapt to changing patterns of attack and new threat vectors. Whilst this is not a completely automated security posture, it does enable systems to keep up with the dynamic nature of cyber threats and provide an early warning against new threats.

But AI is not just confined to detection: it can also have a profound impact on response.

AI in response

Firstly, by differentiating better between normal and abnormal patterns of behaviour in network traffic, AI can reduce the number of false alarms (false positives), which reduces the burden on security teams, whilst increasing the overall efficiency of security operations.

To further ease the demands on these teams, AI enables automated reactions to threats in real time and at scale: blocking IP addresses, isolating affected devices, applying security patches or updating firewall rules. Speed of response is critical; when responses are automated, reaction times are shortened and potential damage is minimised. The same speed cuts both ways, however: a block triggered by a false positive is a self-inflicted outage, so automation belongs with the detections in which there is high confidence.

AI is not confined to a purely reactive response either – it can proactively search for potential threats in the network before they cause damage. This enables the security team to recognise threats early and to take countermeasures before these threats escalate.

However, whilst AI undoubtedly has a role to play in the evolution of cybersecurity, especially with regards to NDR, there is a danger of relying exclusively on the technology.

The challenges of AI in NDR

Firstly, AI can take a substantial time to 'get up to speed' with a threat environment as complex as an enterprise network. AI systems need large volumes of network traffic to be analysed before the engine can deliver the nuanced, precise detections outlined above, and like any learning this takes time. Supervised AI, trained on labelled traffic rather than left to discover structure on its own, keeps this learning phase to a minimum, but it does not remove it.

Keeping that window short matters because, left unchecked, the learning phase offers threat actors an opportunity to evade detection and, in some cases, to establish behaviours on the network that the model then learns as normal, providing cover for future attacks. The AI itself thereby becomes as much of a target as the network it protects, especially if the model is trained or managed outside the business.

Secondly, relying solely on AI recreates one of the very issues it was supposed to solve: too many false positives. A model that has learned only what deviates from its baseline runs the risk of treating every new behaviour, legitimate or not, as a threat.

Consider the image of a hotel door and its doorman. Once the AI learns that the door should only be opened by the doorman, it risks flagging everyone else who opens that door as a threat and triggering a response. That may not be warranted: it could simply be that the AI has not yet developed enough contextual awareness of who else may open the door and under what circumstances. (Conversely, it may not recognise that someone is impersonating the doorman by wearing his uniform.)

Lastly, AI is only as good as the data it learns from, which makes accurate, up-to-date and dynamic cyber threat intelligence (CTI) a critical component of effective AI. That is a substantial dependency, and it leaves 'AI-alone' cybersecurity solutions with a single point of failure.

Evolving AI in NDR

The solution lies in blending AI alongside other technologies to create a comprehensive, rounded approach that mixes the strengths of AI with the benefits of established technologies.

Existing signature-based rules, together with live, intelligent input from systems such as a comprehensive CTI feed, can compensate for the time (and cost) it takes to get an AI up to speed. Factoring in known signatures also shortens the time to value: 'plug and detect' becomes feasible once the AI is paired with cyber threat intelligence that already knows what to look for in the immediate short term.

It is even possible to add a further AI layer that evaluates the conclusions of the combined AI and rules engines, to arrive quickly at a well-filtered, accurate definition of the most pressing threat.

These summaries are then passed to a person for a decision. Even though the AI can read the whole book, knows to classify it as a whodunit, and knows that it was the butler, with the candlestick, in the kitchen, it must always feed that conclusion forward to a human to decide what happens next.

This combination of technologies also extends benefits beyond the front line. Retaining the network metadata behind each detection makes forensic analysis, and the management of the wider security operation, quicker.
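As an added example (not Gatewatcher's code or product, and with every flow record, indicator and threshold constructed for the purpose), the following Python sketches the blend this section describes and the warm-up problem raised under "The challenges of AI in NDR": a known-bad layer that works from the first flow, a per-host baseline that has no opinion until it has warmed up, and a human-review verdict for anything unusual that no signature explains. The three constructed runs in demo() make the earlier points concrete: the indicator match blocks on the first flow with no learning at all, a 250 kB upload after a clean warm-up is flagged for review, and the same upload is waved through when a 500 kB transfer was learned as 'normal' during the warm-up window. The baseline is reduced to a z-score on bytes sent per flow; a real NDR engine models far more than one feature, but the warm-up and poisoning behaviour is the same.

```python
"""Hybrid NDR triage: a known-bad (CTI) layer beside a learned per-host
baseline, with a warm-up window and a human-review verdict.  Added
illustration, not Gatewatcher code; all flows, indicators and thresholds
below are constructed, and the "AI" layer is reduced to a z-score on bytes
sent per flow so that its failure modes are visible."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed indicator feed (addresses from RFC 5737 documentation ranges).
CTI_BAD_IPS = {"203.0.113.7"}
CTI_BAD_PORTS = {4444}


@dataclass(frozen=True)
class Flow:
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int


def signature_hits(flow: Flow) -> list[str]:
    """Known-bad layer: needs no learning, so it works from the first flow."""
    hits = []
    if flow.dst_ip in CTI_BAD_IPS:
        hits.append(f"cti:ip:{flow.dst_ip}")
    if flow.dst_port in CTI_BAD_PORTS:
        hits.append(f"cti:port:{flow.dst_port}")
    return hits


class HostBaseline:
    """'Normal' bytes_out for one host; has no opinion until warmed up."""

    def __init__(self, min_samples: int):
        self.min_samples = min_samples
        self.samples: list[int] = []

    @property
    def ready(self) -> bool:
        return len(self.samples) >= self.min_samples

    def zscore(self, value: int) -> float:
        mu, sd = mean(self.samples), pstdev(self.samples)
        if sd == 0:
            return 0.0 if value == mu else float("inf")
        return (value - mu) / sd


class HybridDetector:
    """Verdicts: block (automated), review (human), learning, allow."""

    def __init__(self, min_samples: int = 25, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        self.baselines = defaultdict(lambda: HostBaseline(min_samples))

    def observe(self, flow: Flow) -> str:
        if signature_hits(flow):
            # High confidence: safe to automate a block, and never learned,
            # so known-bad traffic cannot poison the baseline.
            return "block"
        baseline = self.baselines[flow.src_host]
        if not baseline.ready:
            # Warm-up: the anomaly layer has no opinion yet, and everything
            # it sees now, attacker traffic included, becomes its "normal".
            baseline.samples.append(flow.bytes_out)
            return "learning"
        if baseline.zscore(flow.bytes_out) > self.z_threshold:
            # Unusual but not known-bad: hand to a person rather than block,
            # and do not learn it unless an analyst calls it benign.
            return "review"
        baseline.samples.append(flow.bytes_out)
        return "allow"


def triage(flows: list[Flow]) -> list[str]:
    det = HybridDetector()
    return [det.observe(f) for f in flows]


# Constructed traffic: 25 ordinary HTTPS flows from one workstation, then a
# 250 kB upload to a destination the host has not used before.
NORMAL_SIZES = [1000, 1100, 1200, 1300, 1400] * 5
EXFIL = Flow("ws-01", "198.51.100.20", 443, 250_000)


def scenario(warmup_sizes: list[int]) -> str:
    """Verdict on EXFIL after the given warm-up traffic."""
    flows = [Flow("ws-01", "198.51.100.10", 443, b) for b in warmup_sizes]
    return triage(flows + [EXFIL])[-1]


def demo() -> dict[str, str]:
    return {
        # Known-bad destination on the very first flow: no warm-up needed.
        "known_bad_first_flow": triage([Flow("ws-02", "203.0.113.7", 443, 800)])[0],
        # Clean warm-up: the upload scores z in the thousands, so review.
        "clean_warmup": scenario(NORMAL_SIZES),
        # A 500 kB transfer learned during warm-up stretches the baseline so
        # far that the same upload later scores z of roughly 2.4 and is allowed.
        "poisoned_warmup": scenario(NORMAL_SIZES[:3] + [500_000] + NORMAL_SIZES[3:]),
    }
```

Two design choices carry the argument. Signature hits are never fed into the baseline and anomalies are not learned until a person has judged them, so the only moment an unvetted flow shapes 'normal' is the warm-up window; that is exactly the exposure described above, and the poisoned run shows a single large transfer in that window is enough to hide a later one of half the size. Shortening the window (supervised learning, or seeding the baseline from traffic already known to be clean) narrows the exposure, while the indicator layer covers the gap from the first flow regardless.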

Overall, AI can be seen as yet another instance of the technology industry coming to terms with the benefits – and limitations – of what it creates.

The new era of easy-to-use interfaces has undoubtedly opened AI to the masses and that will mean both offensive and defensive uses of the technology, at scale. Smart organisations will see it as another tool in the armoury, but they would be fools to bet it all on just one technology.