Artificial intelligence and machine learning
Artificial intelligence (AI) plays an increasing role in all aspects of life, and cybersecurity’s no different. AI attempts to mimic human thought and decision-making using machines. AI-driven security tools supplement your core team, taking away much of the routine and allowing your team to make higher-level decisions.
Strictly speaking, AI doesn’t learn on its own. AI uses complex, programmed logic to make smart decisions. However, many modern systems incorporate machine learning, a subset of AI. Machine learning uses algorithms and feedback to teach the machine to make smarter decisions over time without direct human intervention.
A concrete example may help here. Some security solutions use anomaly-based detection to spot potential cyberthreats. For example, an endpoint protection solution could monitor the typical behaviors on an endpoint, using this as an initial dataset to make decisions. Over time, the solution can detect deviations from the norm, such as an atypically high level of file modifications or deletions, and can flag the behavior.
This type of protection can help adapt to newer or emerging techniques. For example, a few years ago, ransomware was easy enough to deal with—you caught the offending file and, if that didn’t work, used backups to restore to a state before the infection began. However, cybercrime is a business, and criminals want to maximize their payday. If that malware contains more instructions than to just encrypt files—such as creating admin accounts or installing a keylogger—traditional AV solutions may not catch the behavior. However, an AI-driven solution could help catch the attack pattern so the damage doesn’t last beyond the initial infection.
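The baseline-then-deviate logic described above, as an added illustration (not SolarWinds code): a per-minute count of file modifications and deletions is learned from a constructed window of ordinary user activity, and later minutes whose count sits far above that baseline are flagged. The event tuples, paths and thresholds are all assumptions constructed for the example.

```python
"""Toy anomaly-based detector for file-modification bursts on one endpoint (added example)."""
from collections import Counter
from statistics import mean, pstdev

# Only file modifications and deletions count toward the rate; reads are ignored.
COUNTED_ACTIONS = {"modify", "delete"}

# Constructed "normal" window (minutes 0-9): a user editing 3-5 documents a minute.
TRAIN = [(m, "modify", f"C:/Users/alice/doc{m}_{i}.docx")
         for m in range(10) for i in range(3 + m % 3)]

# Constructed observation window (minutes 10-13). Minute 12 shows the burst the page
# describes: every document rewritten with a new extension and the original deleted.
OBSERVE = (
    [(10, "modify", f"C:/Users/alice/report{i}.xlsx") for i in range(4)]
    + [(11, "modify", f"C:/Users/alice/notes{i}.txt") for i in range(3)]
    + [(12, "modify", f"C:/Users/alice/file{i}.locked") for i in range(40)]
    + [(12, "delete", f"C:/Users/alice/file{i}.docx") for i in range(40)]
    + [(13, "read", "C:/Users/alice/todo.txt")] * 5
)

def per_minute_counts(events):
    """Map minute -> number of modify/delete events seen in that minute."""
    counts = Counter()
    for minute, action, _path in events:
        if action in COUNTED_ACTIONS:
            counts[minute] += 1
    return dict(counts)

def build_baseline(events, window_minutes):
    """Learn the endpoint's normal rate: (mean, std) of per-minute counts.
    Quiet minutes contribute a zero so the baseline reflects them too."""
    counts = per_minute_counts(events)
    series = [counts.get(m, 0) for m in range(window_minutes)]
    return mean(series), pstdev(series)

def flag_anomalies(events, baseline, k=3.0, floor=10):
    """Return (minute, count) pairs whose count exceeds mean + k*std.
    The absolute floor stops a near-silent baseline (std ~ 0) from flagging
    every minute that has a handful of ordinary writes."""
    avg, std = baseline
    threshold = max(avg + k * std, floor)
    return sorted((m, c) for m, c in per_minute_counts(events).items() if c > threshold)

if __name__ == "__main__":
    print(flag_anomalies(OBSERVE, build_baseline(TRAIN, window_minutes=10)))  # [(12, 80)]
```

A real product would baseline per process and per user, not just per endpoint, and would combine this rate signal with others (new extensions, deleted originals) before acting.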
Crowdsourced threat intelligence
Cybercriminals have shared tools for decades. If someone develops an exploit for a known vulnerability or they create a pernicious strain of malware, they can share this with other criminals across the globe for free or for a charge. As a community, cybercriminals long had this advantage.
Two can play at that game.
Threat intelligence provides a pool of knowledge from around the world to help businesses combat emerging threats. Threat intel often consists of identifying command and control servers, blacklists of known bad sites, and descriptions of threats. If someone from Australia finds a new threat, they can report this to a threat service, which pushes that info out to the user base.
Unfortunately, there are downsides. Cybercriminals can plant false information to throw threat intelligence vendors off the mark. Additionally, user submissions may not be reliable enough to ensure quality intel. Plus, much of the threat intelligence produced by the industry never gets operationalized.
Some platforms combat this by incorporating pre-vetted threat intelligence into the tools themselves. SolarWinds® Threat Monitor, a cloud-based security information and event management (SIEM) solution, integrates threat intelligence from multiple sources to make decisions on when to alert you to a potential threat and to give added context during investigations. We keep our threat intel continuously up-to-date so you don’t have to worry about falling behind in reading threat reports.
According to Ponemon, it takes an average of 197 days to discover a breach and another 69 days to contain it. If the company can deal with the breach quickly, it can dramatically reduce any fiscal damage—to the tune of $1 million USD if they can do so in under 30 days, according to the same report. Threats don’t have to be this extreme to cause serious damage, especially to SMBs. If you want to keep your customers, fix security issues fast. This is where automation can help.
Let’s say a worm infects an endpoint. The file uses obfuscation techniques to fly under the radar and land on the endpoint. The file initially seems innocuous, but soon launches a script to establish outbound communication to another endpoint on the network. If you have robust endpoint protection in place, it could note this behavior and take automated actions to deal with the issue fast, such as quarantining the endpoint, tracking down the initial infection, rolling the endpoint back to a safe state, and alerting the technician. This not only keeps the infection from spreading across the network, but also helps prevent downtime issues. And if your automation is strong enough, the customer may not even know the difference (unless you report to them to show the value of your security protection).
Cybercrime has evolved. We have, too
As cybercriminals continue changing their techniques, MSPs must adopt new techniques to stay ahead. With AI and machine learning, we can detect threats faster. With threat intelligence, we can be informed of emerging threats faster. And with automation, we can resolve issues faster. MSPs that adopt these technologies can better protect their clients, and keep them safe and paying for the long haul.
Combatting these threats doesn’t have to be hard either. SolarWinds EDR uses AI and machine learning to detect threats on the endpoint that many traditional antivirus solutions can’t. Beyond that, it offers automated responses to threats, such as rolling back an endpoint after a ransomware attack so users remain safe and productive.
Find out how SolarWinds EDR can help you by starting a free demo today.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.