The principle of double control in cyber defense

There are two types of cyber attacks: automated, opportunistic network penetration attempts and targeted Advanced Persistent Threat (APT) attacks. The former make up the large majority, and artificial intelligence (AI) can automatically block most of them. Behind an APT, however, there are usually people.

Defending against these increasingly frequent attacks at the network level requires both artificial intelligence and human intelligence. Hackers are first identified by the traces their malware leaves on the network. However, these unusual traffic patterns are easily lost in the mass of information. Left to their own devices, IT managers are overwhelmed when it comes to recognizing them.

Artificial intelligence makes an important contribution to defense by detecting anomalies in real-time data traffic from its metadata and then raising an alarm that triggers defensive responses. According to Splunk experts, artificial intelligence and automated cyber defenses can automatically detect 90 percent of Level 1 security incidents and initiate corrective actions.

The question remains: what about the remaining 10 percent? Since human perpetrators are often behind complex attacks, both human logic and human judgment in analyzing information are essential for defending against future attacks.

Six ways human IT security analysts add value
No cyber defense can do without artificial intelligence anymore. But human observers still offer an important plus:

  1. Artificial intelligence and human intelligence complement each other:
    AI optimized with machine learning (ML) and threat intelligence can analyze large amounts of information quickly and without error. An IT security expert builds on this and interprets the data traffic patterns, while at the same time managing the defense using proven procedures. Thanks to their knowledge of the company and its IT, the expert is also an important trainer of the AI.

    Here, the analyst speeds up the definition of normal, and therefore legitimate, data transmissions, for example by tagging security-critical IT systems. The analyst also takes into account information that is not visible in the network traffic: for example, that devices exist but are not centrally managed; that the company has set up a new headquarters, which explains queries from previously unusual IP addresses; or that it is introducing new technologies, applications and thus systems.

  1. Evaluating the information in context:
    Artificial intelligence is a statistical approach. Because recognizing, defending against and preventing dangers requires connections that go beyond individual data points, people and their ability to judge play an important role.

    Specific knowledge about the company helps, for example, when an IT service provider commissioned by the company suddenly operates in a subnet for which there is no order at all. Even if the traffic pattern seems inconspicuous at first, exceeding the agreed scope may indicate a compromised IT service provider and should be investigated.

  1. Predicting the hacker’s next moves:
    Complex Advanced Persistent Threats (APTs) are still man-made. Often it is not spam bots behind phishing attacks on important people in a company, but social engineering specialists who gain entry via a targeted email attachment.

    The AI then recognizes that the attacker is manipulating the network, but the hacker’s individual tactics are not reflected in the statistical indicators. An experienced security analyst can put themselves in the hacker’s shoes and anticipate the attacker’s next steps.

  1. Assessing the overall motivation of the perpetrator:
    Cyber defense must take into account the criminal’s motives. Not every attacker wants to steal data, encrypt it and collect a ransom. Hackers have different motives: seizing resources to mine bitcoins, politically or personally motivated sabotage, or simply the wish to destroy. The defense therefore needs to do more than secure data or close information leaks. A lasting response requires an understanding of human psychology.

  1. Appropriate, prioritized safeguards instead of automatic defense mechanisms:
    An IT security analyst sets risk priorities individually for the company. The choice of defense depends on the context: is it recoverable data that may no longer be of any value to the company, or one of the frequently cited crown jewels? AI cannot answer the resulting defense questions in a way that fits the situation, that is, according to the importance of the data or processes to business success.

    In addition, the analyst keeps an eye on attacks that are common in the industry. If hackers are currently attacking e-commerce vendor X with malware, it cannot be ruled out that they will try competitors Y and Z later. An AI that only watches its own network sees such a risk only if it is supported by up-to-date threat intelligence.

  1. Defending proportionately and avoiding collateral damage:
    Artificial intelligence has great power to recognize dangers and can automatically start defending. However, every defensive action has side effects and can negatively impact IT or business processes. A defense can be no less complex and sustained than the APT itself.

    Security analysts are therefore in demand here because they can weigh the consequences of actions. Human expertise helps to avoid unjustified collateral damage, such as blocking access to IoT-controlled buildings or to information systems in nursing care.

    When analyzing the attack, the security analyst then plays an important advisory role. By mirroring the traffic of the whole network, the analyst can get an idea of what happened and of how future attacks can be prevented.
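
As an added illustration (not code from the original article), the following Python shows the contrast drawn in items 2 and 5 above: a purely statistical check on traffic volume sees nothing unusual, while an analyst-supplied context check (which subnets a contractor was actually ordered to work in, and which hosts are tagged as crown jewels) flags the out-of-scope access and prioritizes it. The flow records, subnet assignments and tags are constructed sample data.

```python
import ipaddress
from statistics import mean, pstdev

# Constructed sample flow records: (source, destination, bytes transferred).
# The third record is a contractor host reaching into a subnet it was never
# commissioned for; its volume is unremarkable, so statistics alone miss it.
FLOWS = [
    ("10.50.1.10", "10.10.0.5", 4200),  # contractor -> ordered subnet
    ("10.50.1.10", "10.10.0.7", 3900),  # contractor -> ordered subnet
    ("10.50.1.10", "10.20.0.9", 4100),  # contractor -> subnet with no order
    ("10.60.2.4", "10.20.0.9", 4000),   # internal admin host, in scope
]

# Context supplied by the analyst, invisible in the traffic itself (assumed values).
CONTRACTOR_SCOPE = {
    ipaddress.ip_network("10.50.1.0/24"): [ipaddress.ip_network("10.10.0.0/24")],
}
CRITICAL_SYSTEMS = {"10.20.0.9"}  # host tagged as a crown jewel


def volume_anomalies(flows, z_threshold=3.0):
    """Statistical view: flows whose byte count deviates strongly from the mean."""
    sizes = [size for _, _, size in flows]
    mu, sigma = mean(sizes), pstdev(sizes)
    if sigma == 0:
        return []
    return [f for f in flows if abs(f[2] - mu) / sigma > z_threshold]


def scope_violations(flows):
    """Context view: contractor hosts talking to subnets outside their order."""
    hits = []
    for src, dst, _ in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for contractor_net, allowed in CONTRACTOR_SCOPE.items():
            if src_ip in contractor_net and not any(dst_ip in a for a in allowed):
                hits.append({"src": src, "dst": dst})
    return hits


def triage(flows):
    """Rank context hits by whether a tagged crown jewel is involved."""
    ranked = []
    for hit in scope_violations(flows):
        priority = "high" if hit["dst"] in CRITICAL_SYSTEMS else "medium"
        ranked.append({**hit, "priority": priority})
    return sorted(ranked, key=lambda h: h["priority"] != "high")
```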

AI and humans are interdependent
IT security without AI is a thing of the past. Nevertheless, the security expert will not become redundant. The expert remains relevant as a continuous interpreter of alarms, as a crisis supervisor and as an advisor on future IT security. Every “Detection and Response” is perfectly complemented by a “Managed Detection and Response”.
