It’s what you value

Rethinking how AI can help today

Healthcare’s HIPAA Journal reports that only 20% of people take up its breached organizations’ offers of identity-theft monitoring¹. People feel, among other things, overwhelmed by another letter in the mail of a breach with their personally identifiable information (PII) lost to some criminal. 80% do not respond.

This inaction is part of a larger phenomenon about the relative way we value tangible and intangible things². So what would be a physical corollary to losing your PII in a data breach? It’s like someone going into your house, finding the drawer with your important documents and photographing your social security card, driver’s license, pay stubs, insurance documents, accounts and passwords. This intruder then creates a file about you and walks out of your house.

Feels different that way, doesn’t it?

The disconnect between how we value data and physical things is the barrier that needs to be addressed in thinking about your organization’s security.

Artificial Intelligence is gaining ground among criminals

Just since the last series of Bryley Special Reports, where we looked at how AI is being used by criminals against smaller businesses, one of the most famous breach experts Troy Hunt of the website haveibeenpwned.com fell for a targeted email scam.

But unlike what we usually expect from criminals’ phishing attempts – poor grammar, spelling and just being a bit off – Hunt reports that this email was indistinguishable from a legitimate request from his emailing service. Hunt reports that there were no tell-tale signs that the email was illegitimate (except, that is, for the domain-address link he clicked, a discrepancy Hunt forced his password manager to overlook).

It is hard to prove AI involvement³, but Hunt’s story is consistent with the trajectory of Artificial Intelligence’s ability to fix grammar and replicate language patterns of legitimate sources. AI chatbots – like those that write scam emails – are software that creates answers based on found patterns in its dataset.

Even at the enterprise-level it had been difficult to achieve. But XDR – through AI – is a breakthrough in real-time behavioral analysis.

What’s the cybersecurity-good of a pattern finder?

Because of Artificial Intelligence’s abilities to evade traditional detection, both human (like in the Troy Hunt example) and software (like traditional antivirus and anti-malware)⁴, Bryley advocates three places to use Artificial Intelligence to bolster your defenses:

Email Threat Protection
Endpoint Detection and Response (EDR)
Extended Detection and Response (XDR)

In each of these cases, the AI performs a similar function: observe the typical behaviors of your organization, assess out-of-the-ordinary behavior and, if needed, go so far as to alert an IT department to address it.

Bundles of tech that had been mostly cost‑prohibitive

This is an overview of how Bryley’s XDR operates. EDR, XDR and Advanced Email Threat-Protection are specialized software – the principles remain the same, the nuances will need to be reviewed with a Bryley rep. (You can read about Bryley’s EDR here and Advanced Email Threat Protection here.)

Data Handling (the long view of your network activity, because cybercriminals have been shown to set traps and be patient)
- Not long ago about the only businesses that could afford to generate reams of logs from a network’s operation, make valuable cybersecurity-sense of them and retain this data, were large corporations.
- Bryley’s XDR, through partner SentinelOne, is noteworthy for its integration of Steve Newman’s Scalyr⁵ a large-data collector and analyzer (conceived of when he was involved in Google’s data handling).
- Bryley’s XDR democratizes the availability of log data. Without the event history of logs, you’re missing a key piece of information that can be tracked to find early signs of incursion, before an action that Behavioral Analysis (below) is designed to pick up.
Threat Intelligence
- Beyond what the XDR can gain from looking inside your environment, it also gets data from open-source intelligence (like from the government’s CISA, for example), and, most importantly, near-up-to-the-minute active-threat feeds that let the XDR know about what is being dealt with now by analysts and threat-hunting software world-wide.
- This is in contrast to traditional antivirus and anti-malware that are as up-to-date as the known virus/malware signatures in the installed product’s database – still good information, but these are not a real-time threat defense.
Behavioral Analysis
- This is where the advances in Artificial Intelligence – as a pattern finder – start to shine. Even at the enterprise-level it had been difficult to achieve real-time analysis. EDR (the foundation of XDR) was revolutionary in bringing real-time behavioral telemetry (ex. when an employee launches an app) from the endpoint, analyzing that data and providing visibility into actual process activity.
- A couple examples of the usefulness of behavioral analytics are it can alert about a login from an unusual geographic location or at an unusual time. Also it has the capability to stop new strains of ransomware based on actions alone.
Correlation, Escalation, Containment
- The speed of Artificial Intelligence and its ability to hold all these different kinds of information at once (and I’ve just scratched the surface) processes the log data, the real-time system data and the external threat intelligence sources and synthesizes it.
- One thing to know about the super pattern finder that is AI: the patterns it looks for are not just like employee X seemed to log in from Russia. That’s helpful, but Artificial Intelligence can put together the potential meaning of a series of different, but maybe related events to give a picture of an unfolding attack.
- The internal clues the AI synthesizes might include attempted credential escalation, attempted lateral movement into other accounts, a sudden network connection after a file download, file encryption (like from ransomware).
- These kinds of events are scored, prioritized and evaluated.
- XDR can then kill processes, quarantine files, isolate infected parts of the network and alert a Security Operations Center (SOC) analyst to investigate.
Remediation
- XDR not only speeds the containment of a threat it also is very fast at its role in remediation after a cyber-attack event.
- Bryley’s XDR can be set-up to delete files and scripts, etc. that were used by a bad actor.
- It can execute follow-up scans to try and verify all associated traces of the threat are gone — this could be lingering emails with links or attachments sent to resume the attack.
- And the automated processes are monitored by the 24/7 SOC whose analysts have tools to help restore compromised identities or accounts.

The cost of undervaluing your data

I understand fatigue about breach events. I understand fatigue about cybersecurity. Being overwhelmed by cybersecurity demands is a common feeling. But the underlying risk usually isn’t burnout, but failing to fully see the value held in an organization’s data.

Data is the foundation of your business operations. Like a building’s foundation, you don’t remake it every day, and you don’t often inspect it. It’s just there, supporting everything built on top of it. Your data means your sales processes, your customer relationships, your financial reporting, your strategic planning and more. If the foundation cracks (analogous to a business being compromised by a data theft), the building becomes unstable. The whole structure is suddenly at risk of collapse.

Your data is like a building’s foundation. It’s mostly unthought-of and out-of-sight, but the whole structure stands on it.

I just wrote at some length about AI’s use by criminals against smaller organizations:

AI gives criminals cheap scaling to broadcast attacks.
AI gives criminals quick data-scraping of smaller businesses’ data.
AI gives criminals easy and convincing deep-faking.

Why not harness the same Artificial Intelligence breakthroughs for your protection? It’s not only possible today, but how else can an organization keep pace with the evolution of attacks?

Bryley can deploy or help your IT team deploy a sophisticated XDR system – with bundled technologies that were formerly enterprise-only. Bryley has provided security solutions for hundreds of New England clients since 1987. See your data’s value? Call 978•562•6077 or email Roy Pacitto to discuss protecting it.

Subscribe to Up Times by Bryley, the monthly tech newsletter for New Englanders by New Englanders.

^{1 https://www.hipaajournal.com/few-victims-of-healthcare-data-breaches-take-advantage-of-free-credit-monitoring-services/}
^{2 https://marketing.wharton.upenn.edu/wp-content/uploads/2019/04/04.04.2019-Morewedge-Carey-PAPER-DigitalvsPhysicalGoods.pdf}
^{3 https://mitsloanedtech.mit.edu/ai/teach/ai-detectors-dont-work/}
^{4 https://www.mimecast.com/blog/polymorphic-viruses-and-malware/}
^{5 https://www.sentinelone.com/blog/the-circle-expands-again-joining-sentinelone-to-solve-cybersecuritys-data-problem/}
^{6 https://www.inverse.com/input/culture/a-bookshelf-in-your-job-screening-video-makes-you-more-hirable-to-ai}
^{7 https://cisoseries.com/how-about-this-only-attack-the-endpoints-we-configured/}

Per-device features	Basic	Pro*
Response to network-critical issues	Within four hours. Same Day, as the situation requires	Within four hours. Same Day, as the situation requires
Response to non-critical issues	Within eight hours. Same Day, as the situation requires	Within eight hours. Same Day, as the situation requires
Performance optimization	Included	Included
Security optimization	Included	Included
Monitoring and alerts	Included	Included
File and patch updates	Included	Included
Reporting	Included	Included
Administration	Included	Included
Reliability optimization	Partial	Included
Software issues	Partial	Included
Hardware issues	Partial	Included
Network issues	Partial	Included
PC imaging		Included
On-site response		Included

How to achieve enterprise-grade security