Welcome back to day two of cybersecurity leadership summit and the cyber access summit. Hope you've enjoyed it. I wanted to talk about new tools or really new technologies that can be used for defending our networks and our enterprises. But first I thought we might start with a look at what are we facing? So we're facing some old threats, as well as some new threats. Things like denial, a distributed denial of attacks are still out there. If you remember, a couple of years ago, there was the Maray botnet that took over a bunch of like a hundred thousand webcams and used them in a DDoS attack.
So those sorts of things are present for us today, but we also have new things that we have to worry about, like fake news and what can be done about that or election hacking. About 15 years ago, researchers were starting to look at the possibility that electronic voting machines might be hackable.
And it seems like that's a, a reality that we have to deal with these days as well. Cyber crime probably don't have to tell you it's a huge consideration. Some estimates I've seen for the 20, 21 time framer that it will consume about 6 trillion worth of fraud.
There are activist groups and others out there that simply wanna damage organizations, reputations, or brand reputations. There are are cases of intellectual property theft, and that's closely tied to espionage, whether it's state sponsored espionage or corporate espionage, these things are, are happening every day out there. And then many of us have been concerned for the last few years, especially about damage to critical infrastructure. There've been a number of books written. There have been a number of real world attacks that we can study.
And this is something that pretty much every country across the globe is concerned about protecting. So just a quick look for the information is beautiful website visualization. This shows the magnitude of some of the most recent attacks in terms of their significance and, and the sensitivity of the information that was lost. So you can see there are some pretty staggering numbers of amounts of compromised identities.
And then we might think, you know, yesterday we heard that about 114 billion was spent on cybersecurity last year. So aren't our old tools. Good enough.
Or do we really need to look at updating our tool sets and think we'll find the answer is yes, our old security architectures, you know, may have started with a firewall on the perimeter and web proxies. And they, those have gotten increasingly sophisticated over the years. Then we would have things like intrusion detection and anti-virus on all our nodes on our networks. Many organizations attempted to deploy data loss prevention technologies as well and, and met with some success there.
And then as our networks and services grew, we needed a way to sort of consolidate all of the, the log file information and be able to search for what might have been a suspicious event or a sign of attack. So for that, we had developed SIM solutions.
So I call it new tools or new technology, things are evolving.
So, and on the one hand, they're not entirely new, but on the other hand, we're adding a lot of really interesting and useful technology for those that still choose to have perimeter and a lot do, even though we learned about beyond Corp yesterday, NextGen firewalls and, and web application firewalls or API security gateways are an important component of that architecture. We've moved from just a, a reactive intrusion detection to a more proactive threat hunting model. And now we have tools that are specially designed for that, and we don't call it anti-virus anymore.
We call it anti-malware and that's not just a rebranding. There are lots more different kinds of malware out there today that behave very differently and require new methodologies for dealing with them. And I think we learned that the precursor for doing data loss prevention is really data governance.
There, there were problems in many organizations deploying DLP, because it really depends on having all your data marked appropriately in having access control policies that make sense, but users, you can't, and it's, it's legitimate. You can't depend on users to go through and mark all the data that they're responsible for. Plus the classifications may change over time, too. So data governance tools are an important component of our security architectures today as is user behavioral analytics. We heard Martin talk about that yesterday and a bit on the workshop as well.
On Monday, it's really kind of a next level up from SIM technologies that it allows you to look at patterns and determine what's normal and what's abnormal on your network work.
So I wanted to contrast like an older way of looking at things. The Lockheed Martin cyber kill chain. Many of you're probably familiar with that from seven or eight years ago when it was all the rage. When you'd go to conferences and hear about a P T you know, they break it into seven phases, the reconnaissance phase, weaponization delivery exploit, and install.
And at that time security Analyst and researchers were really oriented toward the prevention side of things, you know, so you can see there's more effort that was put into preventing the successful attacks in this paradigm, the install, command and control. And then the actions were subject to both detection and response mainly, but move forward. There's a new minor attack framework that's out there that, that offers a little bit more granularity and from left to right.
We look at initial access execution, persistence privilege, escalation, defensive, Asian credential capture data discovery, lateral movement collection, and then exfiltration.
So again, you can sort of apply the a P T model, which is, which is really relevant. We're just, I was just reading last night about, I guess, silence published a paper about a new threat actor group out there. They're calling white company. That's got a very, very sophisticated a P T.
So these kinds of frameworks I think are useful in, in planning where you do your work, but what's really shifted since the, the advent of the cyber kill chain. And today is there's prevention is still important. It will always be important, but there's a more realistic view that we're gonna spend more of our time looking at detecting and responding to cyber threats rather than just preventing them.
So we believe that artificial intelligence or machine learning techniques can in fact help these tools, but let's, let's look at the buzzwords and try to take some of the hype out of it.
So artificial intelligence, that's the science of making computers do things that we thought only humans should be able to do. But I think where some of the confusion comes in is we think of strong AI or general AI, which, you know, as the more creative type where it really could perhaps someday simulate what people do, but we're not there yet. We're not really even close. So when you hear from tool vendors, especially their marketing teams about we use AI in our products.
What they mean is we have software machine learning techniques generally that are adapted to solve very particular problems. So there are a couple of areas of ongoing research and for cybersecurity in particular, we are gonna look at machine learning algorithms and methods, particularly things like genetic algorithms, deep learning neural networks, but what's out of scope for AI and machine learning are anything that's just based on like predefined or static rules, or just basic pattern matching.
So exactly how can this help us with cybersecurity?
If you think about the NextGen firewalls and the web application, firewalls and API gateways, many of them today come with a capability to analyze the traffic that's going through and then, you know, alert or report on that activity and even be fed information to say shut down and a traffic stream that looks suspicious. Anti-malware machine learning techniques are must for anti-malware these days. In the olden days, we would, cybersecurity companies would get samples from their customers of what they thought were suspicious pieces of software.
And they would, you know, take their time to develop a signature against that. These days, there are millions and millions of malware variants that are being created every year. And it's just not possible to have teams large enough to create signatures.
Plus the speed of the evolution is such that it, it just doesn't make sense to operate anti-malware solutions that don't have machine learning capabilities, threat hunting, again, looking at all across an enterprise, the many, in some case thousands and thousands of nodes and the information that they contain, this is a more proactive approach than intrusion detection.
And it can be augmented with AI or machine learning techniques, data governance, again, looking at how a tool might be able to help auto classify a data object.
So maybe things are like, you know, only for the finance team or things that maybe only for the HR team, there are templates that can be built. You can scan your network and have metadata automatically tagged on your data objects, which then can be used in conjunction with authorization systems and access control policies.
Moreover, there are a few tools today that are beginning to allow analysis of historical access patterns to kind of build up a baseline of what normal access patterns look like. So that when something occurs, that's unusual, you know that that's not, maybe you should question that, but this also can lead to the ability to automatically generate rules. As we'll see in a second then for SIM and UBA, again, once you establish a good baseline, these kinds of machine learning techniques can be used to better detect anomalies from the or deviations from those baseline patterns.
And in the workshop the other day, you know, we were looking at a variety of things, basically here, we'll say in the beginning, you may be hit with an unknown attack and your current tools are better suited for being able to determine things that are subject of current types of attacks, but by including AI or ML methodologies, you can augment your traditional tool sets. The signature based AV now becomes ML enhanced anti malware, same thing for threat hunting.
And there are are tools that are beginning to be developed that can take in things like compliance requirements, regulations do natural language processing, to some extent, to build a basic policy that a human administrator can review and say, okay, that kind of matches what I think is in the regulation and then put that into place. And then also take the analysis of those access patterns and say, these are some of the basic rules that we believe can be put into place that can govern access control.
So wanted to dive just a little bit deeper for a minute or two and talk about some of the ML techniques that are in use in cybersecurity today. This one you might have heard this term before Markov chains, it can commonly be used for things like threat modeling, but what it depends on is the enumeration of all your nodes in your network.
And then the details of all the services that are running on all those nodes and then all the possible connections between all of these nodes and then a listing out of all the known vulnerabilities and the likelihood that those vulnerabilities could be exploited and then compute this once and then iterate over and over and over again. This is kind of how we do threat modeling manually. But these tools, even though Markov chains, the ideas at least a hundred years old almost now we have sufficient computing power to be able to do this effectively in real time.
So for a malware analysis, the technique generally used can be deep learning or some variation of that. Most companies have their own proprietary algorithms, but you take those millions of malware variants that was talking about, feed it into the algorithm, and then you, it outputs. Here's a sampling of the ones that we think are malicious. The problem here is that the algorithms, since they are proprietary, they're a black box.
So we get generally useful information out of them, but we don't know why all of this can hopefully lead us to a better and more modern security posture by allowing us to create better tools and better tools can reduce the amount of time that your staff have to put into the mundane tasks. You know, looking through thousands and thousands of log entries, it can free those people up to work on things that are more likely to actually be threats in your environment and improve your security posture.
But even though there's a lot of hype about, you know, maybe this is a way we can address the skills gap, you can't replace all your, it security workers this might reduce, or, but not eliminate the cybersecurity skills gap.
But I think it's also important to remember that AI tools are not, I mean, they, they definitely help, but they need models and they can themselves be attacked or gained. So by models, I mean like the Conti in categories or table of judgements, you need this opor framework in which all the data can be lined up in, in a way that makes sense for processing.
And then we need to ensure the data quality is sufficient. And then as I was saying about the, the hidden layer in the black box, where all the processing takes place, we need better mechanisms to help explain what's going on inside there so that we get more meaningful data.
So the way in which let's take anti-malware, as an example, anti-malware solutions can be attacked.
Normally, if you are receiving lots of different samples of different kinds of malware and, and it's broad not constrained, you run it through the machine learning algorithms and you get something that can be used for a pretty broad detection scope. But the way to at least try to defeat anti-malware solutions is really constrain the number and type of variants that go through that. So it builds up a baseline. That's very specific to what it's looking for.
So you, therefore you have a limited detection scope. What happens is you get a gamed machine learning tool that then can't really recognize what to do when it gets hit with pattern Y which can lead to possibly a MIS detection. And then lastly, I wanted to talk just for a second about GS or generative adversarial networks. If you can use AI for good, of course, you can use it for bad. In this case, generative adversarial networks are kind of a dialectical method where you take random noise, compare it to real world samples, this discriminate network, then we'll decide, which is better.
And then it back propagates that to the generator. So that every time it makes a new sample, it gets closer and closer to the real world sample.
What they've typically been used for is deep fakes. So pictures or video frame prediction to, to produce deep fake videos. You may have seen some of those online, but this is the Edmond Bellamy portrait that again, produced and sold a couple of weeks ago for about 400,000 euros. So the last word here is these tools there's already in, in development people and in GS have only been in existence since about 2014.
Ian Goodfellow launched this with a paper. Now there are cyber attack tools. One's called pagan for password cracking. You can use this in conjunction with other password cracking tools. It increase the effectiveness 25% or stag geography, which is, you know, the art or the science of including data inside say a JPEG image. So the SSK and tool allows people to more effectively hide data inside images, and then quick takeaway machine learning and AI can help build better tools, but they're not perfect. There's no 100% security.
As we've said over the last couple of days, they can be attacked or gamed and be on the lookout because these kinds of technologies can and probably will be used against us.
Okay. Thank you. Trum for your presentation leads to a question we had in a panel yesterday already. So we have ML, which helps us to better defend ourselves, but it has also the attackers to better attack ourselves. So will the gap we currently experience between we are on the, the loser side, so to speak when it comes to the capabilities, will this anyway close, or will it be just the same situation?
So the attackers at the end benefit more from the technology than we as the defenders.
Well, I think, you know, with password guessing, I mean, multifactor authentication can really help eliminate that.
So, I mean, I think for a while we can have the advantage, but it's always a back and forth between who has the advantage and it's usually more difficult to defend.
Okay. So let's keep current in the tools we use to be as good as we can.
Thank you, tr
Thank you.
So with that, let's directly.
