Popular discussions about machine learning (ML) and artificial intelligence (AI) invariably become long conversations about robots and smart machines. Yet ML and AI are already transforming the practice of securing networks – and smart businesses are realising that an effective ML algorithm may be the only thing between a cybercriminal and your most valuable corporate secrets.
That’s a sobering thought for most companies, but analysis after analysis reveals that companies’ networks are being penetrated every day and never even realise it. Cybercriminals often breach networks within seconds or minutes and exfiltrate data within hours, but most companies take months to discover the loss – and by then it’s much too late.
In the past, security administrators’ only hope of detecting such breaches was to pick up on the right security alerts – and successfully isolate the root cause. But this is not an exact science: analyses of real-world breaches often find that attackers have been moving undetected on target networks for weeks or months – representing a massive and dangerous window of vulnerability.
With cybercriminals now regularly modifying their attack strategies, network administrators are run off their feet to keep up. And while they might hope to close the gap by collecting more network data, that data is of little use without some way to analyse it all.
Building AI into the network fabric
Here is where AI promises to level the playing field. By churning through mountains of network performance data, ML algorithms can identify baseline characteristics of network performance over time. By noting and responding to changes in those characteristics over time, AI platforms can detect unusual network activity that often indicates a cybersecurity incident has occurred – or is occurring.
In such cases, AI tools can make the decision to automatically shut down network access to the suspect devices – or to add additional user challenges in line with corporate policies. This approach transforms AI/ML tools from being retrospective tools for data log analysis, into proactive allies in the battle to police the corporate network in real time.
Aruba, a Hewlett Packard Enterprise company, has built its AI/ML engine into its IntroSpect tool, which forms part of the Aruba 360 Secure Fabric and works in conjunction with Common Criteria-certified ClearPass secure network access control and the Aruba Secure Core.
By building AI/ML capabilities into the network fabric, the act of patrolling network activity becomes a routine function. Tight integration with, and visibility into, network devices provides a wealth of performance metrics that help identify network performance issues – and focus security incident detection and enforcement efforts – with pinpoint accuracy.
“Out-of-the-box solutions don’t necessarily provide the right data to gain these insights,” explains Mark Verbloot, Asia-Pacific Systems Engineering Director with Aruba. “You can’t make these informed judgements without a large data set.”
“Every network is unique in the way it is implemented – so we can consider the network as one very large sensor, and use anonymised insights from multiple customer networks as a large data set. This lets us apply ML metrics to that and understand what a well-performing network looks like. We need to look for commonality and metrics.”
Putting together the pieces
Aruba IntroSpect’s ML methodology draws on techniques used in image and pattern recognition, whereby an algorithm is fed a large number of images – for example, of a dog.
By identifying common characteristics of a dog, as well as evaluating a broad range of variations of those characteristics, the algorithm builds up a flexible understanding of what a dog looks like – which can then be used to decide whether a new image shows a dog or not.
IntroSpect takes a similar approach, generating an image from the network data that is fed to it. Over time, it learns not only what specific activities are regularly conducted on the network – but what variations of those activities are also OK.
For example, it might note a user regularly logging in from the Sydney office and accessing particular network servers, and logging in from the Hobart office but accessing those same network servers.
AI would register the two scenarios as different but, supported by the access-management controls of Aruba ClearPass, would recognise that both are legitimate activities for that user.
If the same user’s account was used to log in from Macau or Moldavia, however, the system would interpret it as an anomaly – particularly if the account started trying to access network servers or devices that it had never accessed before.
This approach works as effectively for insider threats as it does for external breaches – helping illuminate a chronic blind spot that often leaves businesses exposed to internal compromise. Since the beginning of 2016, only a quarter of the insider breaches supported by NTT Security’s Incident Response Team have been from overtly hostile activity. The rest were accidental or the result of simple negligence.
Picking out this activity is like putting together the pieces of a puzzle. Baselining a network can take 3 to 4 weeks of data collection and fine-tuning, but in that time it has proven remarkably effective in learning what is normal for a particular environment – including the limited range of activities that Internet of Things (IoT) devices would be expected to conduct.
Once network activity deviates significantly from this baseline, the AI/ML tool can accurately pick suspicious activity – whether malicious or generated by IoT devices – out of massive volumes of network performance data, and potential breaches can be stopped before they strike.
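To illustrate the baselining and anomaly scoring described above (the Sydney/Hobart user versus the Macau login, and the narrow profile of an IoT device), here is an added example; it is not Aruba IntroSpect's code, and the login events, account names, office names and server names are all constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events (not real telemetry): timestamp, account, office, server
EVENTS = [
    ("2024-03-01T08:02", "alice", "Sydney", "fileshare-01"),
    ("2024-03-04T09:15", "alice", "Sydney", "erp-db"),
    ("2024-03-12T10:40", "alice", "Hobart", "fileshare-01"),
    ("2024-03-20T08:55", "alice", "Hobart", "erp-db"),
    ("2024-03-02T07:30", "cam-lobby", "Sydney", "ntp-01"),   # IoT device, narrow profile
    ("2024-04-02T03:11", "alice", "Macau", "fileshare-01"),  # after baseline: new office
    ("2024-04-02T03:14", "alice", "Macau", "hr-payroll"),    # new office AND new server
    ("2024-04-03T09:00", "alice", "Sydney", "erp-db"),       # normal for this account
    ("2024-04-05T02:20", "cam-lobby", "Sydney", "erp-db"),   # IoT device reaching a new server
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def build_baseline(events, days=28):
    # Learn, per account, the offices and servers seen in the first `days` (the 3-4 week window).
    cutoff = min(parse(e[0]) for e in events) + timedelta(days=days)
    profile = defaultdict(lambda: {"offices": set(), "servers": set()})
    for ts, account, office, server in events:
        if parse(ts) < cutoff:
            profile[account]["offices"].add(office)
            profile[account]["servers"].add(server)
    return cutoff, dict(profile)

def score_event(profile, event):
    # 0 = matches baseline, 1 = one new attribute, 2 = new office AND new server or unknown account
    _, account, office, server = event
    if account not in profile:
        return 2, ["unknown-account"]
    reasons = [tag for tag, key, value in (("new-office", "offices", office),
                                           ("new-server", "servers", server))
               if value not in profile[account][key]]
    return len(reasons), reasons

def detect(events, days=28):
    # Score only events after the learning window and return the deviations.
    cutoff, profile = build_baseline(events, days)
    alerts = []
    for ev in events:
        if parse(ev[0]) >= cutoff:
            severity, reasons = score_event(profile, ev)
            if severity:
                alerts.append((ev[1], ev[2], ev[3], severity, reasons))
    return alerts
```

Calling `detect(EVENTS)` flags the two Macau logins (the second at higher severity because it also touches a never-seen server) and the camera's first contact with the ERP database, while the ordinary Sydney login produces no alert.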
Because this function is run at the network level, it becomes an extension of established security policies and strategies rather than a bolted-on extra. In many cases, network baselining also identifies devices that network administrators didn’t know about at all.
“We often find there are twice as many devices connecting to the network as administrators knew about,” Verbloot explains. “It’s these unaccounted-for devices that present the biggest risk.”
“When you’re facing a fast-moving, professionally funded cybercrime industry trying to work out new ways of attacking an enterprise network, the ability to react to them and shut them down becomes very important.”
Learn more about NTT Communications’ Security Services and Solutions at https://www.nttict.com/services/ict-security
Learn more about Aruba IntroSpect User and Entity Behaviour Analytics at https://www.arubanetworks.com/products/security/ueba/