Sure, MFA goes a long way in preventing account takeover, but it is only one layer. Using AI to look at identity data to evaluate risk can add additional layers – not only to prevent takeover but to mitigate the impact once a takeover has happened.
Yeah. First of all, Martin mentioning the workers' council triggers me.
Yeah, because it's true. Yeah. If you actually use the behavior analytics, it's always like, ah, workers' council sometimes get nervous. It triggers me for a different reason because I am the workers' council for RSA in Germany. Right. So not every workers' council is like against technology. I just like to mention that. Right. Use AI to make account takeover a frustrating experience for the attacker.
Well, first of all, frustration. Yeah.
I'm, I try to be a nice guy. Try to, you know, be nice to everybody. But like if somebody attacks me, like the least I want is for that guy or girl to be frustrated, right? So why do we want actually attackers to be frustrated? We want them because you know, they're probably more noisy or maybe they give up because of frustration, but yeah, maybe not like, let's be honest, like that's probably not happening. But they may need longer. It gives us more time to detect. They might be, need to take more risk and be more noisy. It makes it easier to detect. Yeah.
So frustration for us actually of the attacker is a good thing. At the same time, we shouldn't be frustrated, but that's a different subject, right? Account takeover is, you know what it is quickly is, is like you compromise an account and then you do stuff with it, right? You go deeper into the network to reach out applications and you know, do whatever you need to do as an attacker. So at both points, AI can help to make things harder for the attacker and easier for the defender.
Last year I gave a keynote here around game theory in IT security and one of the, the takeaways was that whatever you can do to increase the visibility into your application networks and whatever, the better and the lease or the, the reduction of move costs of costs to you as the defender, the better. Yeah. This plays right into this. Yeah. AI can help you to do that. Right? Martin already said like, you know, you will be breached. And that's true, right? You have to assume that you will be breached. If you are not breached yet, you will be breached. Yeah.
So let's accept that and that means every layer that we talk about can be breached. So the bigger picture and like with Martin's presentation, it's simplified. Yeah.
So yes, it's not complete, but you know, bear with me. So we got some MFA or access, whatever you want to call it. There's also something that actually authenticates the user. Yeah. So MFA to secure access, some identity governance to ensure least privilege.
Yes, it does more than that. But let's just focus on the least privilege here. You got some applications. Yeah. And then you get some SIEM. Yeah. To actually monitor the usage. Yes. Oversimplified. But let's bear with me for a second. What do all those things have in common? Mountains of data, right? See every layer here, every component creates data or relies on data. And the thing is, who's actually good at looking at mountains of data? Yeah. Humans are not, right? If you just look at log files, it's unlikely that you actually find something.
You may by chance like find something really obvious. Yeah. But if you actually have to look at megabytes and megabytes and gigabytes, that's not gonna happen. Yeah. Artificial intelligence actually is kind of, yeah, I'll get to that. So if we look at the data Yeah. And what AI can do, let's have a look at, you know, on those different layers what AI can do for us. So authentication, the MFA layer, whatever you wanna call it. Yeah.
So the data that actually shows up there is like, you know, who likes to access, in which context, what device do they have, you know, time of day, location, like network location, physical location, like all different kinds of things actually show up there. It's not common like for years, decades to have some static rules around limiting who has access and who has access to what, you know, how can you open the front door, so to speak, during authentication, but that actually is not working if you have this, you know, broad context. Yeah.
Writing static rules for that is, I wouldn't say like impossible. Yeah. But it's really like for a specific, very specific use case. But for the larger population, for diverse use cases, it's next to impossible. Right. When you have the static rules, you cannot get into that fine-grained context and for each individual. So think about it, you can have a rule that says if you're inside the network or outside the network, right? So common like you can only access an application if you're inside the corporate network.
Yeah, that's fine. Do you actually know what your corporate network is? Yeah. If I have a list of multinational organization of all IP addresses, it may be completed, might not be. But what about, you know, do you actually, with all your home office workers now, how do you deal with them? Yeah. Do you know all their locations, IP addresses and whatnot? Yeah. Highly unlikely. And then the things, the context itself and the behavior like this for example. Yeah. So is it normal for that person to log in at eight o'clock at night from two different devices and do that? Yeah.
Good luck coding that into a static rule. Yeah. That's not possible. AI can do exactly that. Look at that on an individual basis and see if it makes sense for that user. Yeah. It's user behavior analytics part of that. Now that's part of the story and yes, as Martin said, workers' council sometimes gets nervous about that but like talk to them, they actually will understand. Trust me. Next thing is the IGA layer and there's tons of data there as well. Yeah.
So who, who has access to what. Yeah. This is what the IGA layer will or should have, I should say. Yeah. Least privilege, segregation of duties, all this. Yeah. Is based on the data that is visible to this IGA authorization layer. You quickly reach millions of records at this component. Even for like a medium-sized company, right. With all the different applications, all the different users, all the combinations. Yeah. It could be hundreds of thousands, millions of entitlements. Yeah.
Mountains of data really reviewing all that and making sense of it as a human unlikely to be super successful. Right. Example is always like, you know, access reviews, recertifications, it's the approval. Yeah. Just get rid of that message.
Yeah, yeah. Everything is fine. Yeah. AI can help you to identify the outliers, the things that are actually interesting. It filters out all the stuff that's like, yeah, I know. Yeah. You approved it last year. It's every, you know this user all is fine. Yeah. Nothing to worry about but I have those 10 users that you really should care about. Right. That you get, you minimize this apply all or get rid of the ma get rid of the problem. Yeah. I want you want to get rid of that dialogue problem. Yeah. You can focus on the ones that actually are relevant.
No, this is just a screeny by the way. We, we looked at some data we collected in, in a governance solution and just looked for outliers. Yeah. So these are group memberships I believe or role memberships, cannot quite remember. Yeah. And used the AI to, well, visualize is one thing, but also detect the outliers because there are some non-obvious in there. It's like you go, oh really? Yeah. I didn't realize. Yeah. And bubble them to the surface. Right? So it actually finds stuff that is hard to spot and that you probably wouldn't spot even if you look for it. Yeah.
Cause it's non-obvious. And then application user data. That's what Martin also mentioned. Yeah. So call it SIEM, XDR, doesn't really matter. It's a constant stream of highly interesting realtime data. And this is how the applications get actually used. Because just because you have opened the door, you have the entitlements doesn't mean you use the entitlements correctly. Attackers will do that. They will open the door. Yeah. They will breach the first layer. They will use the entitlements they have. Yeah. So to speak breach the authorization layer and then do illegal stuff. Yeah.
But you might be able to, as said might, yeah. Detect that with AI by looking at this stream of usage data of log files. As a human you will have next to no chance to detect that. Yeah. AI can do that because it's really good at crunching the amount of data. Now you cannot the opinions like ah, you know, just throw AI at it and that's fine. Right. It will solve the problem. Yeah. Magic pixie dust. I have a problem with that. Yeah. What type of AI you're looking at. Yeah. So this is moving beyond the clickbait title of my presentation. Right.
You should be using AI in all those layers. The question is which type of AI and how would you trust it? Consider two areas. One is the type of data that is being looked at and deterministic versus non-deterministic AI. Let's have a look at that type of data. It's the data we worry about. Structured, unstructured. Yeah. Unstructured data, pictures, documents. Right. You can ask an AI where's the cat? Right? And it will tell you, there's a cat on this picture. Yeah. But then there's structured data, log files, entitlements and all this.
So what we are actually looking at in those three layers are largely structured data. Right. There might be here and there are some unstructured data, but largely the points where we talked about are largely structured data. Yeah. So almost exclusively structured. And then we can look at machine learning versus deep learning. Machine learning is a good choice for structured data. Yeah. It's really good at that. Now deep learning are neural networks. Yeah. All this fancy stuff. I put them into buckets.
Deep learning and machine learning as, so machine learning is really good at processing structured data, deep learning, really good at processing unstructured data. You can actually use machine learning on unstructured data and deep learning on structured data as well. That's not my point here. My point is the sweet spot, very technology is that, yeah. Unstructured data, deep learning, structured data, machine learning. Machine learning is mostly deterministic. And what the heck does that mean?
If you have a machine learning model, you give it some input, it comes to a conclusion and you can actually look under the hood and determine how it got from A to B. You could even do the reverse like you know, reverse and, and and do that. And sometimes, so it is some magic but it's not unreasonable. Yeah. I think many of us in the room Yeah. Would be able to understand that.
You know, if you get into a room with somebody explain like a, an engine based on machine learning, it's like, yeah, I'll get it. Yeah. It might be painful because it's math, but you know, you'll get there. Deep learning on the other hand is mostly non-deterministic. Right? You have input, you have output, you open it and there will be dragons and unicorns. Yeah. It's really, really hard and often impossible to determine like how did it get there? Yeah. When you ask ChatGPT like, you know, how do you come to that conclusion? Because my model tell me the data, everything I learned.
Yeah. But you cannot actually find out how to actually get to this one. How do you get to the conclusion that something is good or bad, for example. And so my point is for security purposes, knowing why a decision has been made is good. There's a bit of a question mark there.
I'm, I'm actually like, yeah, there are some circumstances where maybe we should have a little bit voodoo here and there. Right? But think about it. There are regulations out there. Yeah. If you make a decision security decision, it has real implications. And if something goes wrong, either one direction, either it says everything is good or something is bad, like it's a false positive or a false negative, you probably should know how it got to that one because then you can fix it instead of relying on some magic. So machine learning clearly wins this like yes, maybe right?
Structured data, machine learning, that seems to be a good fit. But deep learning can, doesn't have to, but can actually find answers you didn't really look for, I said can come up with stuff says, and you go, oh that's interesting. Right? My machine learning model didn't find that. So the outcome of a deep learning might actually be a good thing. So you actually what the need to check is that something that's really true? And if it is, you can use that to improve your machine learning model. So it's not just because, hey, you know, I get rid of it and that's fine.
So machine learning is one thing. We can do that. What I think is launching next step is some deep learning assisted machine learning. Yeah. That we let a deep learning algorithm look over the data and it actually gives some suggestions for improvement. Now there might also, you know, be evolution of ML-assisted DL and then DL only. And I'm not quite sure that actually will be the case, right. Because relying on DL will depend on if we trust it, that it does a better job as machine learning. And the other thing is it takes more resources, carbon footprint and all that is higher.
It costs more money at deep learning. And we as an industry have to take care of that and need to take that in consideration. We don't want another cryptocurrency train wreck. Right. So we have to be careful where we actually use deep learning. And then finally it's not just about, you know, AI and all that. All those things have to work together. Often when we find out, you know, somebody has been breached, like in a post-mortem, we'll see that the data was there, it was even detected at one place, but the systems weren't talking to each other. Right.
And ignore AI right now, that's already something that needs to be solved still in our field. And with AI it becomes even more important that all the different components like talk to each other. Yeah. And if something detects it, communicates it to the other layer so they can act accordingly. Thank you.

Thank you, Ingo. Was really interesting content.