Faced with an onslaught of malware-less attacks that are increasingly hard to identify and stop, CISOs are contending with a threatscape where bad actors innovate faster than security and IT teams can keep up. However, artificial intelligence (AI) and machine learning (ML) are proving effective in strengthening cybersecurity by scaling data analysis volume while increasing response speeds and securing digital transformation projects under construction.
“AI is incredibly, incredibly effective in processing large amounts of data and classifying this data to determine what is good and what’s bad. At Microsoft, we process 24 trillion signals every single day, and that’s across identities and endpoints and devices and collaboration tools, and much more. And without AI, we simply could not tackle this,” Vasu Jakkal, corporate vice president for Microsoft security, compliance, identity, and privacy, told her keynote audience at the RSA Conference earlier this year.
AI helps close skills gaps, growing the market
2022 is a breakout year for AI and ML in cybersecurity. Both technologies enable cybersecurity and IT teams to improve the insights, productivity and economies of scale they can achieve with smaller teams. 93% of IT executives are already using or considering implementing AI and ML to strengthen their cybersecurity tech stacks. Of those, 64% of IT executives have implemented AI for security in at least one of their security life cycle processes, and 29% are evaluating vendors.
CISOs tell VentureBeat that one of the primary factors driving adoption is the need to get more revenue-related projects done with fewer people. In addition, AI and ML-based apps and platforms are helping solve the cybersecurity skills shortages that put organizations at a higher risk of breaches. According to the (ISC)² Cybersecurity Workforce Study, “3.4 million more cybersecurity workers are needed to secure assets effectively.”
CISOs also need the real-time data insights that AI- and ML-based systems provide to fine-tune predictive models, gain a holistic view of their networks and continue implementing their zero-trust security framework and strategy. As a result, enterprise spending on AI- and ML-based cybersecurity solutions is projected to attain a 24% compound annual growth rate (CAGR) through 2027 and reach a market value of $46 billion.
AI’s leading use cases in cybersecurity
It’s common to find enterprises not tracking up to 40% of their endpoints, a problem made harder by the fact that many IT teams aren’t sure how many endpoints their internal processes are creating in a given year. Over a third, or 35%, of enterprises using AI today to strengthen their tech stacks say that endpoint discovery and asset management is their leading use case. Enterprises plan to increase their use of endpoint discovery and asset management by 15% in three years, eventually installing it in nearly half of all enterprises.
It’s understandable why endpoint discovery and asset management are highly prioritized, given how loosely managed digital certificates are. For example, Keyfactor found that 40% of enterprises use spreadsheets to track digital certificates manually, and 57% do not have an accurate inventory of SSH keys.
Additional use cases revolve around cybersecurity investments related to zero-trust initiatives, including vulnerability and patch management, access management and identity access management (IAM). For example, 34% of enterprises are using AI-based vulnerability and patch management systems today, which is expected to jump to over 40% in three years.
Who CISOs trust to get it right
Over 11,700 companies in Crunchbase are affiliated with cybersecurity, with over 1,200 mentioning AI and ML as core to their tech stacks, products and service strategies. As a result, there’s an abundance of cybersecurity vendors to consider, and over a thousand can use AI, ML or both to solve security problems.
CISOs look to AI and ML cybersecurity vendors who can most help consolidate their tech stacks first. They’re also looking for AI and ML applications, systems and platforms that deliver measurable business value while being feasible to implement, given their organizations’ limited resources. CISOs are getting quick wins using this approach.
The most common use cases are AI- and ML-based cybersecurity implementations of transaction-fraud detection, file-based malware detection, process behavior analysis, and web domain and reputation assessment. CISOs want AI and ML systems that can identify false positives and differentiate between attackers and admins. These use cases are favored because they meet the requirement of securing threat vectors while delivering operational efficiency and being technically feasible.
VentureBeat’s conversations with CISOs at industry events, including RSA, BlackHat 2022, CrowdStrike’s Fal.Con and others, found several core areas where AI and ML adoption continue to get funded despite budget pressures being felt across IT and security teams. These areas include behavioral analytics (now a core part of many cybersecurity platforms), bot-based patch management, compliance, identity access management (IAM), identifying and securing machine identities, and privileged access management (PAM), where AI is used for scoring risk and validating identities.
In addition, the following are areas where AI and ML are delivering value to enterprises today:
Using AI and ML to improve behavioral analytics, improving authentication accuracy. Endpoint protection platform (EPP), endpoint detection and response (EDR) and unified endpoint management (UEM) vendors, and a few public cloud providers, including Amazon AWS, Microsoft Azure, and others, are combining AI techniques and ML models to improve security personalization while enforcing least-privileged access. Leading cybersecurity providers are integrating predictive AI and ML to adapt security policies and roles to each user in real time based on the patterns of where and when they attempt to log in, their device type, device configuration and several other classes of variables.
Leading providers include Blackberry Persona, Broadcom, CrowdStrike, CyberArk, Cybereason, Ivanti, SentinelOne, Microsoft, McAfee, Sophos, VMware Carbon Black and others. Enterprises say this approach to using AI-based endpoint management decreases the risk of lost or stolen devices, protecting against device and app cloning and user impersonation.
Discovering and securing endpoints by combining ML and natural language processing (NLP). Attack surface management (ASM) comprises external attack surface management (EASM), cyberasset attack surface management (CAASM), and digital risk protection services (DRPS), according to Gartner’s 2022 Innovation Insight for Attack Surface Management report (preprint courtesy of Palo Alto Networks). Gartner predicts that by 2026, 20% of companies will have more than 95% visibility of all their assets, prioritized by risk and control coverage through CAASM functionality, up from less than 1% in 2022.
Leading vendors in this area are combining ML algorithms and NLP techniques to discover, map and define endpoint security plans to protect every endpoint in an organization. Leading vendors include Axonius, Brinqa, Cyberpion, CyCognito, FireCompass, JupiterOne, LookingGlass Cyber, Noetic Cyber, Palo Alto Networks (via its acquisition of Expanse), Randori and others.
Using AI and ML to automate indicators of attack (IOAs), thwarting intrusion and breach attempts. AI-based IOAs fortify existing defenses using cloud-based ML and real-time threat intelligence to analyze events at runtime and dynamically issue IOAs to the sensor. The sensor then correlates the AI-generated IOAs (behavioral event data) with local events and file data to assess maliciousness. CrowdStrike says AI-powered IOAs operate asynchronously alongside existing layers of sensor defense, including sensor-based ML and existing IOAs. Its AI-based IOAs combine cloud-native ML and human expertise on a common platform invented by the company more than a decade ago. Since their introduction, AI-based IOAs have proven effective in identifying and thwarting intrusion and breach attempts while defeating them in real time based on actual adversary behavior.
AI-powered IOAs rely on cloud-native ML models trained using telemetry data from CrowdStrike Security Cloud combined with expertise from the company’s threat-hunting teams. IOAs are analyzed at machine speed using AI and ML, providing the accuracy, speed and scale enterprises need to thwart breaches.
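The sensor-side step described above, where cloud-issued behavioral IOAs are correlated with local process events and file data to assess maliciousness, can be illustrated with a small constructed correlator. This is an added example, not CrowdStrike's code; the IOA names, behavior strings, weights, threshold and the signed-binary discount are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    pid: int
    action: str          # a behavior the sensor observed for this process

@dataclass
class IOA:
    name: str
    sequence: tuple      # behaviors that must occur in this order
    weight: float        # confidence assigned upstream (assumed values)

@dataclass
class FileInfo:
    signed: bool         # local file metadata the sensor already holds
    known_bad: bool

def sequence_matches(actions, sequence):
    """True if `sequence` appears in order (gaps allowed) within `actions`."""
    it = iter(actions)   # one shared iterator enforces ordering
    return all(any(a == step for a in it) for step in sequence)

def correlate(events, ioas, files, threshold=0.7):
    """Return {pid: (score, [matched IOA names])} for processes at/over threshold."""
    by_pid = {}
    for ev in events:
        by_pid.setdefault(ev.pid, []).append(ev.action)
    verdicts = {}
    for pid, actions in by_pid.items():
        matched = [i.name for i in ioas if sequence_matches(actions, i.sequence)]
        score = min(1.0, sum(i.weight for i in ioas if i.name in matched))
        info = files.get(pid)
        if info and info.known_bad:
            score = 1.0          # local file intel overrides behavioral score
        elif info and info.signed:
            score *= 0.5         # assumed discount for a signed binary
        if score >= threshold:
            verdicts[pid] = (round(score, 2), matched)
    return verdicts

# Constructed sample data: two cloud-issued IOAs and four local process lineages.
IOAS = [IOA("office_spawns_shell", ("open_document", "spawn_shell"), 0.5),
        IOA("defense_evasion", ("disable_logging", "delete_shadow_copies"), 0.6)]
EVENTS = [Event(100, "open_document"), Event(100, "spawn_shell"),
          Event(100, "disable_logging"), Event(100, "delete_shadow_copies"),
          Event(200, "open_document"), Event(200, "save_document"),
          Event(300, "spawn_shell"), Event(300, "open_document"),   # wrong order
          Event(400, "disable_logging"), Event(400, "delete_shadow_copies")]
FILES = {100: FileInfo(signed=False, known_bad=False), 400: FileInfo(signed=True, known_bad=False)}

def run_sample():
    return correlate(EVENTS, IOAS, FILES)
```

Only pid 100 is flagged: pid 300 shows the same behaviors out of order, and pid 400 matches one IOA but is a signed binary whose discounted score stays under the threshold.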
“CrowdStrike leads the way in stopping the most sophisticated attacks with our industry-leading indicators of attack capability, which revolutionized how security teams prevent threats based on adversary behavior, not easily changed indicators,” said Amol Kulkarni, chief product and engineering officer at CrowdStrike.
“Now, we are changing the game again with the addition of AI-powered indicators of attack, which enable organizations to harness the power of the CrowdStrike Security Cloud to examine adversary behavior at machine speed and scale to stop breaches in the most effective way possible.” AI-powered IOAs have identified over 20 never-before-seen adversary patterns, which experts have validated and enforced on the Falcon platform for automated detection and prevention.
AI and ML techniques enrich bot-based patch management with contextual intelligence. One of the most innovative areas of cybersecurity today is how the leading cybersecurity providers rely on a combination of AI and ML techniques to locate, inventory and patch endpoints that need updates. Vendors aim to improve bots’ predictive accuracy and ability to identify which endpoints, machines and systems need patching when evaluating the need to take an inventory-based approach to patch management.
Ivanti’s recent survey on patch management found that 71% of IT and security professionals found patching overly complex and time-consuming, and 53% said that organizing and prioritizing critical vulnerabilities takes up most of their time.
Patch management needs to be more automated if it’s going to be an effective deterrent against ransomware. Taking a data-driven approach to ransomware helps. Nayaki Nayyar, president and chief product officer at Ivanti, is a leading thought leader in this area and has often presented how the most common software errors can lead to ransomware attacks. During RSA, her presentation on how Ivanti Neurons for Risk-Based Patch Management provides contextual intelligence, including visibility into all endpoints, both cloud- and on-premises based, from a unified interface, reflected how far advanced bot-based patch management is coming using AI as a technology foundation.
Using AI and ML to improve UEM for every device and machine identity. UEM platforms vary in how advanced they are in capitalizing on AI and ML technologies when protecting devices with least-privileged access. The most advanced UEM platforms can integrate with and help enable enterprise-wide microsegmentation, IAM and PAM. AI and ML adoption across enterprises happens fastest with these technologies embedded in platforms and, in the case of Absolute Software, in the firmware of the endpoint devices.
The same holds true for UEM for machine identities. By taking a direct, firmware-based approach to managing machine-based endpoints to enable the real-time OS, patch and application updates needed to keep each endpoint secure, CISOs gain the visibility and control of endpoints they need. Absolute Software’s Resilience, the industry’s first self-healing zero-trust platform, is noteworthy for its asset management, device and application control, endpoint intelligence, incident reporting and compliance, according to G2 Crowd’s crowdsourced ratings.
Ivanti Neurons for UEM relies on AI-enabled bots to seek out machine identities and endpoints and automatically update them unprompted. Ivanti’s approach to self-healing endpoints is also worth noting for how well its UEM platform approach combines AI, ML and bot technologies to deliver unified endpoint and patch management at scale across a global enterprise customer base.
AI and ML are core to zero trust
Every enterprise’s zero-trust security roadmap will be as unique as its business model and approach. A zero-trust network access (ZTNA) framework needs to be able to flex and change quickly as the business it’s supporting changes direction. Longstanding tech stacks that sought security using interdomain controllers and implicit trust proved too slow to react and be responsive to changing business requirements.
Relying on implicit trust to connect domains was also an open invitation to a breach.
What’s needed are cloud-based security platforms that can interpret and act on network telemetry data in real time. CrowdStrike’s Falcon platform, Ivanti’s approach to integrating AI and ML across its product lines, and Microsoft’s approach with Defender365 and its build-out of that functionality on Azure are examples of what the future of cybersecurity looks like in a zero-trust world. Gaining AI- and ML-based insights at machine speed, as CrowdStrike’s new AI-powered IOAs do, is what enterprises need to stay secure while pivoting to new business opportunities in the future.