Q1. How is machine learning and AI helping advance cybersecurity? What are some of the biggest use cases for these technologies in the cybersecurity context?
Security teams at enterprises still drown in too many warnings. In November, Enterprise Management Associates (EMA) found that 64% of alerts go uninvestigated, and only 23% of respondents investigate all of their most critical alerts.
Machine learning – a building block for AI – lets augmented analytics help security staff decide what to investigate, detect low-and-slow attacks that defences have missed, and gain enough time to explore the serious problems. ML can discern indicators of attacks from collections of loosely related data faster and more reliably than an overworked (and often under-experienced) analyst. In security operations, ML helps combat a genuine, compelling, and intractable problem – the shortage of security analysts.
ML models evolve over time based on what they observe, or how they are trained. Used on authoritative data sets, ML helps prioritise those indicators that are materially interesting and automate aspects of investigation that slow and complicate the security operations center (SOC).
AI adds on to this idea by letting the machine either suggest or take action based on its models and observations. The challenge here is that while this sounds marvelous in theory, it's far more utopian in practice. For years, security teams have avoided even basic automated responses for fear of disrupting business. The 2-man rule, privileged access, playbooks, and surprise audits – these practices offset the risk of errors through haste, ignorance, or poor judgement.
Yet, cybersecurity leaders have seen the value of automation in DevOps and other areas and are now embracing automation for cybersecurity. This same laggard model will be used for AI in cybersecurity – just not yet. Right now, AI in security is still mostly artificial and not that intelligent. With that in mind, we will let other markets and operational teams find the bugs and breakdowns before we put our businesses, reputations, and careers at risk. In the meantime, although not all ML delivers equally, the approach has plenty of scope for positive impact without AI's downsides.
Q2. How are trends like cloud adoption and data center consolidation impacting cybersecurity requirements? What changes are these trends requiring companies to make?
Consolidating your data centre is an easy way to increase security power. Having one data centre with updated systems, instead of multiple, spread out locations with outdated legacy systems, ensures fewer points of exit and entry and an easier time detecting threats.
If your data centre consolidation involves moving data to the cloud, you may have security concerns. There is a common misconception that the cloud is less secure than a physical data centre, and it's easy to see why—if you aren't hosting your own data in a physical space, you may feel less in control, and less secure. However, control does not equal security.
Your data centre is the gateway to your cloud data, and your cloud security is only as good as your data centre security.
The network is in a great position to be an enabler for digital transformation efforts and initiatives. In order to take advantage of the scale and elasticity of the cloud without disrupting business operations, user experience, or enterprise security, cloud-focused IT Operations and Security Operations teams need two things: more visibility and trustworthy automation to help them turn insight into action.
Q3. Why is it important for ExtraHop to be at Black Hat Asia 2019? What's your main messaging at the event?
Enterprise security. For some people, those words conjure up images of red-shirted crew members about to be zapped by creatures beefing with the United Federation of Planets. For others, enterprise security means finding ways to protect ever-expanding attack surfaces of their corporate networks and revenue-generating applications.
If you're attending Black Hat, you're probably at least in the latter group and interested in discovering how network traffic analysis (NTA) solutions, a fast-growing category of network detection and response, stack up against traditional security solutions.
Network traffic analysis platforms inspect real-time wire data from all network communications, including encrypted communications, from layer two through layer seven. NTA products use a far richer data source than just NetFlow, which is a useful, but now mostly legacy data source for network security.
By analysing every transaction and reconstructing every conversation on the network through full-stream reassembly, NTA products can provide more conclusive insights into security events, and forensic-level evidence that SecOps teams can use to understand and report the exact scope of incidents.
Fueled by rich wire data, NTA products use advanced machine learning to identify anomalous behaviours and security incidents, trigger automated investigations, fire alerts, and in some cases trigger automated responses through integrations with firewalls, SOAR products, and other in-line response solutions.
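The answer above rests on one technical idea: a security event is often only visible once the network conversation has been reassembled, because the evidence is split across packets. The following Python is an added illustration of that point, written for this page rather than taken from ExtraHop or any product. It is a toy single-direction TCP reassembler fed with constructed segments that arrive out of order and once retransmitted; the HTTP parser cannot see the request from any individual packet, but sees the whole thing once the byte stream is contiguous. The segment payloads, addresses and sequence numbers are all made up for the example, and the reassembler assumes the first segment seen for a flow carries the stream's first byte (in real traffic the handshake would establish that).

```python
"""Toy full-stream TCP reassembly versus per-packet inspection (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


@dataclass
class Segment:
    """Minimal TCP segment: source/destination endpoints, sequence number, payload."""
    src: Tuple[str, int]
    dst: Tuple[str, int]
    seq: int
    payload: bytes


@dataclass
class Stream:
    """One direction of a conversation, rebuilt in sequence-number order."""
    isn: int                                            # sequence number of the first byte
    data: bytes = b""                                   # contiguous bytes delivered so far
    buffered: Dict[int, bytes] = field(default_factory=dict)  # out-of-order segments by seq

    @property
    def next_seq(self) -> int:
        return self.isn + len(self.data)

    def add(self, seq: int, payload: bytes) -> None:
        if seq < self.next_seq:                          # retransmission or overlap
            overlap = self.next_seq - seq
            if overlap >= len(payload):
                return                                   # pure duplicate: nothing new
            payload, seq = payload[overlap:], self.next_seq
        if seq > self.next_seq:                          # gap before this segment
            self.buffered[seq] = payload                 # hold until the hole is filled
            return
        self.data += payload
        while self.next_seq in self.buffered:            # drain segments that are now contiguous
            self.data += self.buffered.pop(self.next_seq)


class Reassembler:
    """Tracks one Stream per (src, dst) direction; assumes first segment seen is byte 0."""

    def __init__(self) -> None:
        self.streams: Dict[FlowKey, Stream] = {}

    def feed(self, seg: Segment) -> None:
        key = (seg.src, seg.dst)
        if key not in self.streams:
            self.streams[key] = Stream(isn=seg.seq)      # assumption: first segment starts the stream
        self.streams[key].add(seg.seq, seg.payload)

    def stream_bytes(self, src: Tuple[str, int], dst: Tuple[str, int]) -> bytes:
        return self.streams[(src, dst)].data


def parse_http_request(data: bytes) -> Optional[dict]:
    """Return request line and headers once the header block is complete, else None."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = data[:end].decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "version": parts[2], "headers": headers}


# Constructed request, split so that the Host header straddles two segments.
PAYLOADS_IN_ORDER: List[bytes] = [
    b"GET /login HTTP/1.1\r\nHo",
    b"st: portal.example\r\nUser-Agent: x\r\n",
    b"\r\n",
]
CLIENT, SERVER = ("10.0.0.5", 51000), ("10.0.0.80", 80)


def build_segments(base_seq: int = 1000) -> List[Segment]:
    """Assign consecutive sequence numbers to the payloads, in their true order."""
    segs, seq = [], base_seq
    for payload in PAYLOADS_IN_ORDER:
        segs.append(Segment(CLIENT, SERVER, seq, payload))
        seq += len(payload)
    return segs


def run_demo() -> dict:
    """Deliver segments out of order plus one retransmission; compare both inspection styles."""
    a, b, c = build_segments()
    delivery = [a, c, b, b]                              # c arrives early, b is retransmitted
    per_packet = [parse_http_request(seg.payload) for seg in delivery]
    reasm = Reassembler()
    for seg in delivery:
        reasm.feed(seg)
    stream = reasm.stream_bytes(CLIENT, SERVER)
    return {"per_packet": per_packet, "stream_bytes": stream,
            "reassembled": parse_http_request(stream)}


if __name__ == "__main__":
    result = run_demo()
    print("per-packet:", result["per_packet"])
    print("reassembled:", result["reassembled"])
```

The per-packet inspector never returns a parsed request, while the reassembled stream yields the method, path and `Host` header even though that header was split and one segment was duplicated; that gap is what the answer means by conclusive, forensic-level evidence from full-stream reassembly rather than from flow records or isolated packets.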