To open this up. There's a AI is, you know, dancing, both parts here, both on the, the side of the defenders and on the attacker side as well. So to bring us all up to speed and get us on the same page here, I'm gonna open with a quick comment on the state of ransomware here, bring AI into the picture, add some context and then end with some recommendations. So as you're, hopefully all aware, ransomware is a threat, which is continuing to increase and there have been several great presentations already during CSLs.
So hopefully this is just adding a little bit of detail to what you're already familiar with. Now we can look at this from two different perspectives. So looking at the number of ransomware attacks, which are out there, and these have seen consistent increases, as well as the amount of ransom that is being demanded per attack. Now we've been able to see these trends from a few recent reports that have been published over the last year.
Now, although the trends are very clear, the numbers, we always have to take with a grain of salt. Since we are dealing with ransomware, disclosure of how that has affected an organization, that's not something that everyone is always willing to do.
So again, take the numbers with a grain of salt, but the trends are clear. For example, in the first six months of 2021, we saw nearly 1500 ransomware attacks, and this was already a 14% increase over the last six months of 2020.
Now, unfortunately, no region is being ignored here. 2021 saw attacks being mainly targeted in North America, but Europe and other regions of the world also received their fair share.
Now, shifting over to the amount, which is demanded as a lump sum, we've seen that this has increased from 2018 to 2019. It increased approximately 33%, which gave us a total of 10.1 billion in paid ransoms in 2019. It's a booming market. And then considering individual ransoms, this also increased approximately threefold between 2019 to 2020. That leaves us with, again, a, an estimate of a 300, 312,000 for an average ransomware demand in 2020. So that sets the stage here.
We can understand ransomware is an increasing threat, and if our organizations have not already faced this firsthand, it's becoming more likely that we will have to deal with this in the future. So what are our options? And this is where AI enters the stage. Now most of you have probably heard AI being touted as the end-all, be-all solution for any problem you could think of. That is absolutely an over-exaggeration, but there are concrete advantages to bringing AI and particularly machine learning into a problem like defending against ransomware.
Now let's take a step back for a moment and look at a general attack process. And we'll break this down into roughly two categories of attack patterns. So first to give a brief overview: in phase one, we have the creation of an attack. So this is the mastermind in their lair. It has not yet touched the organization yet, but phase two is this period of an undetected attack where this is already affecting our organization, but we don't know it yet. This could be a period of seconds or months.
Now, phase three is once we've detected it and are analyzing it, moving into phase four, addressing it, phase five, continual improvement. Now, as I said, we can break this into two very large overarching categories. We have known attack patterns. So everything from phase three on: either this is an attack pattern that we ourselves have seen firsthand, or this is something that another organization has experienced, that we are able to learn from.
And here we have plenty of options in, in more traditional security technologies that are targeted, of course, to each different type of attack pattern or defense in general. But of course we have these unknown attack patterns as well. And this is where ransomware becomes more and more of a threat because we have little knowledge or at least much less knowledge of what particularly to look for before it is detected. At the moment we're being led primarily by anomaly detection, which is doing its job, but how do we improve this?
And this is where the opportunity for AI and machine learning comes in for more cognitive security to be targeting those patterns that we don't necessarily know we need to be looking for. So to give an example of how this could be implemented, I have simply one example of a supervised learning model, which is aiming to reduce unknown events. So to begin with, we have this pyramid of events, everything which is passing through the organization. So this largest portion, the base here are known and regular events, which require no reaction, perhaps an automated reaction.
They don't need to be escalated to the incident management system, but we also have known incidents. Now, of course, we don't want these, but at least we know how to deal with them. Perhaps they can be even handled with an automated reaction.
Now, as you've probably guessed, we're going to be focusing on the red here, these unknown events, which do require further analysis by our security analysts, taking up resources, and this is what we need to be minimizing. And so the opportunity then for a supervised learning model comes in where we have a classification model. That means there's going to be a certain input. In this example, these are behavioral features of a process which have then been quantified so that the model is able to ingest this.
And it delivers an output, which is a binary decision, a yes, no, or a safe or malicious response with a degree of confidence. So of course there are data sources here, which can feed into this, this needs to be prepared. And of course, training data, which is labeled also needs to be prepared, but this should hopefully give you a very rough, at least a picture of how AI machine learning can come in to help reduce these unknown events, which can then impact our ransomware preparedness.
But of course, we need to ask a few more questions before we jump headlong into this. Has AI overpromised itself in delivering cybersecurity? We consider some of the recent attacks which occurred over the past year. For example, the SolarWinds attack, these were known attack patterns, perhaps it wasn't necessarily seen out in the wild, but it was known and researched. So why were these not detected?
And we should be asking the question: if there's AI and machine learning already in operation, in, in some products, why was it not able to deliver the right insight at the right time to deter such attacks? Or perhaps is it delivering too much insight, and there's too much noise, which then hides the most useful insights to prevent an attack? So that leads in, there are a few barriers that AI in and for cybersecurity does have to overcome.
Now, for my opinion, these are addressable. We just need to get moving on it. Datasets: first off, there's a need for a huge amount of data, and really maintaining the highest of quality datasets, which are very targeted to the issue that the model is addressing, is an absolute must. And for example, one of the weaknesses here is that there are no publicly available datasets on how people hack. And so the models have nothing to learn from if we're really working towards building models that can proactively act against ransomware.
This is something which we have to be able to document and quantify and get into an ingestible form for a model. Now, I hinted at this false positive risk on the previous slide, where if you can imagine this pyramid again of events where on the bottom, we've got these normal events on top malicious threats and in the middle, this is where we're trying to reduce these unknown events.
If we have a model, which you could think of it being too sensitive, it'll actually increase those unknown risks or those unknown events because it's pulling things that don't need additional attention and saying, "Ooh, ah, hmm, take a look at this," then eating up more of your security analysts' time. So that's the false positive risk here. And of course, standards: we need to be establishing more best practices around machine learning in the context of cybersecurity. We have a few which are either already published or on the way, but these are still at a general level.
We need to be focusing this more towards AI in and for cybersecurity. So we're going down this slippery slope of from optimism to pessimism, but we'll turn this around. Eventually we have to acknowledge that AI and machine learning is a tool for both sides here. Now we can talk more at length about how AI machine learning can be used for the defenders. I actually recommend go, listen to Donny, went presentation. He presented yesterday on this and goes into more detail here. It's very informative. I can only recommend it. So let's focus over on the attacker's side.
So I'm gonna say something which you already know, but we can't forget it. An attacker only needs one successful point of entry; defenders have to defend everything. Along with this, there is a natural synergy between AI and malware. Now both are aiming to imitate biological behavior in that they're working towards adaptation, being able to propagate itself and evolve to fit or survive in its environment. So that sets this up for some very unsettling improvements in malware and ransomware as well.
So things like better evasion techniques, autonomous malware, using AI against other AI systems, moving into swarm intelligence. And that gives us a question, are we doomed? I would say from my standpoint, I'm a cautious optimist, and I'm gonna say no, because if we strip away all of this very unsettling language, things like autonomous malware, what we have are anomalies, things which are just not quite right, that we can get better at detecting. And so anomalies are going to remain relevant in this era of AI attacks as well. So that leads me to a few recommendations.
So I've broken this up into two categories. So first let's focus on the AI investments, how you and your organization can orient yourself to better manage AI for your ransomware defense. First is to close the skills gap, or at least give it a try.
You know, if we're in an arms race, it's best to have people who know what they're doing. So at least identify those people who are willing to learn and form themselves and self support them, enable them to do that. We also have to acknowledge that we're not going to be able to close the skills gap entirely. And so utilize services work with partners, work with vendors so that you do get the right security coverage for your organization.
Now, I feel it's very important to be investing into security for AI, as well as governance. These two are gonna go hand in hand, but the more we depend on AI machine learning for our defense, the more we have to be certain that those systems are secure in and of themselves, again, is not even went mentioned in his presentation. We need to assume that these models are going to be operating in malicious and adverse environments.
And finally, I would recommend to be cautiously optimistic and know, and recognize that there is a lot that AI machine learning can do for the defense of your organization, but acknowledge that it may not be mature yet to carry the full burden. And don't be overconfident because there's this whole second column of recommendations that we have for you. And that is having a really strong ransomware prevention program at your organization. And this is broken down into four steps.
If you want more information, check out the recording of the ransomware workshop that goes into far more detail, but be prepared: that involves knowing your digital assets and designing as well as practicing your different plans, incident response management for one; protecting the core elements of your organization; being ready to respond if or when your organization experiences a ransomware attack. And finally to recover by focusing not only on the IT segment, but as well, and primarily on the business and keeping it running at a limited and eventually at full capacity again.
So with that, I thank you so much for your time. I welcome any questions you have and it's over to you, Warren.