Faced with the increasing complexity of networks and a shortage of human resources, the active defence of networks must be entrusted to automated systems… provided that they are reliable in recognising threats.
The need for behavioural analysis
The beginning of 2016 has been marked by the resurgence of ransomware, with particularly harmful effects for health establishments. Several hospitals, particularly in the USA but also in France, have borne the brunt of recent ransomware campaigns. For some, the consequences have been severe: consultations postponed, patients transferred and ambulances diverted to other hospitals, chemotherapy sessions that could not take place… Never before has cybercrime so directly endangered human lives.
Yet ransomware is not known for its stealth. After infecting a host, the malware's first action is usually to contact its master (command and control) server to download the various modules that make up the ransomware itself. The next step is to obtain an encryption key. Finally, using this key, the ransomware attempts to encrypt its host's files, as well as those of all the machines on the network.
This sequence shows how ineffective current antivirus solutions are. The inadequacy of signature-based detection was demonstrated some time ago. Most current antivirus products include heuristic modules (that is to say, modules focusing on behaviour analysis), but these are still far from convincing. In practice, today's most reliable heuristic modules are those integrated into larger solutions, deployed across the entire information system and analysing network flows.
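The three-stage sequence just described (contact with an unknown server, retrieval of modules and a key, then a burst of encryption across network shares) is exactly the kind of pattern a behavioural module working on network and file-share telemetry can recognise, whereas a file signature cannot. The following is an added illustration written for this article, not any vendor's detection engine: it scores each host's events against those three stages. The event format, the allow-list of known domains, the `.locked`/`.crypt` extensions, the `c2-placeholder.example` name and all sample events are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float     # seconds since the sensor started
    host: str     # internal hostname the event came from
    kind: str     # "dns" (name resolved), "http" (URL fetched) or "smb_write" (file written to a share)
    detail: str   # domain, URL or UNC path, depending on kind


# Constructed allow-list: domains this (fictional) organisation contacts every day.
KNOWN_DOMAINS = {"updates.corp.example", "mail.corp.example", "crm.corp.example"}
# Constructed stand-ins for "file rewritten with an unfamiliar extension".
SUSPECT_EXTS = (".locked", ".crypt")


def _domain(detail: str) -> str:
    """Reduce a URL or bare name to its host part so dns and http events compare equally."""
    return detail.split("://", 1)[-1].split("/", 1)[0].lower()


def _share(unc: str) -> str:
    """Return the '\\\\server\\share' prefix of a UNC path such as '\\\\fs01\\finance\\q1.xlsx'."""
    parts = unc.split("\\")
    return "\\".join(parts[:4]) if len(parts) >= 4 else unc


def score_host(events, window=120.0, burst=10, min_shares=2):
    """Score one host's events against the three-stage sequence (higher is worse).

    +1  stage 1: contact with a domain outside the allow-list (beacon to an unknown server)
    +1  stage 2: at least two HTTP fetches from that same domain (modules, then the key)
    +1  stage 3: within `window` seconds of stage 1, at least `burst` writes of files with a
                 suspect extension, spread across at least `min_shares` shares
    Returns (score, reasons). A score of 1 alone is everyday noise; 3 is the full pattern.
    """
    score, reasons = 0, []
    beacon, beacon_ts, fetches = None, None, 0
    suspect_writes, shares = 0, set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind in ("dns", "http"):
            d = _domain(e.detail)
            if d in KNOWN_DOMAINS:
                continue
            if beacon is None:
                beacon, beacon_ts = d, e.ts
                reasons.append(f"first contact with unknown domain {d} at t={e.ts:.0f}s")
            if e.kind == "http" and d == beacon:
                fetches += 1
        elif e.kind == "smb_write" and beacon_ts is not None and 0 <= e.ts - beacon_ts <= window:
            if e.detail.lower().endswith(SUSPECT_EXTS):
                suspect_writes += 1
                shares.add(_share(e.detail))
    if beacon is not None:
        score += 1
    if fetches >= 2:
        score += 1
        reasons.append(f"{fetches} fetches from {beacon}")
    if suspect_writes >= burst and len(shares) >= min_shares:
        score += 1
        reasons.append(f"{suspect_writes} suspect writes across {len(shares)} shares")
    return score, reasons


def triage(events):
    """Group events by host and score each one; returns {host: (score, reasons)}."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    return {h: score_host(evs) for h, evs in by_host.items()}


# Constructed sample telemetry (not real traffic). ws-42 follows the full sequence;
# ws-07 merely browses a site outside the allow-list and saves one ordinary file.
SAMPLE_EVENTS = [
    Event(5, "ws-07", "dns", "mail.corp.example"),
    Event(8, "ws-07", "http", "http://news.example.org/today"),
    Event(30, "ws-07", "smb_write", "\\\\fs01\\finance\\budget.xlsx"),
    Event(10, "ws-42", "dns", "c2-placeholder.example"),            # placeholder name, not a real IoC
    Event(11, "ws-42", "http", "http://c2-placeholder.example/modules.bin"),
    Event(15, "ws-42", "http", "http://c2-placeholder.example/key"),
    Event(21, "ws-42", "smb_write", "\\\\fs01\\finance\\notes.txt"),  # ordinary write, ignored
]
# Twelve renamed files in a burst, alternating between two shares.
SAMPLE_EVENTS += [
    Event(20 + i, "ws-42", "smb_write",
          f"\\\\fs01\\{'finance' if i % 2 else 'hr'}\\doc{i}.docx.locked")
    for i in range(12)
]

if __name__ == "__main__":
    for host, (score, reasons) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: score {score} -> {'; '.join(reasons) or 'nothing notable'}")
```

The point of scoring stages rather than any single indicator is that the first stage alone (a new domain) fires constantly on a real network; only the combination within a short window separates the ransomware sequence from ordinary browsing, which is why the thresholds (`window`, `burst`, `min_shares`) are the parameters an operator would tune per environment.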
Although such security solutions based on behavioural analysis do exist, they have not yet been widely deployed. They are expensive, both in purchase price and in management time. For such a system to be effective, a great deal of time must be devoted to its initial configuration, and again at each change to the information system. This explains why many organisations that could potentially benefit from this type of solution shy away from it.
Contributions of artificial intelligence and machine learning
Artificial intelligence is interesting for three main reasons:
- Machine learning: a good capacity for autonomous learning, capable of recognising a legitimate user action, allowing for the installation of a SIEM solution that does not represent a heavy burden for IT departments;
- Quick reaction time: an automated defence system allows for an unparalleled reaction time. By the time a human being realises that a computer intrusion is in progress, it is usually too late;
- Scalability: it is always easier to adjust a machine’s capabilities to the growing complexity of networks than for human resources to make this adjustment.
Enormous progress has been made over the last decade in the field of artificial intelligence, and machine learning in particular, notably driven by the major players such as IBM and Google.
These advances could allow for a democratisation of SIEM (Security Information and Event Management) security solutions, provided that they are taken up by IT security software publishers.
However, convincing artificial intelligence programmes require supercomputers to run. This means that, to offer these capabilities to their customers, cyber-security publishers will need to pool them using the Cloud.