BT is to deploy an epidemiological AI to combat cyber-attacks. The technology, called Inflame, has been developed in-house by BT and is already in beta. It will use deep reinforcement learning to identify and respond to cyber-attacks. It is intended to become a key component in BT’s recently announced Eagle-I platform.
Howard Watson, Chief Technology Officer, BT, said: “We know the risk of cyber-attack is higher than ever and has intensified significantly during the pandemic. Enterprises now need to look to new cybersecurity solutions to understand the risk and consequence of an attack and quickly respond before it’s too late.
“Epidemiological testing has played a vital role in curbing the spread of infection during the pandemic, and Inflame uses the same principles to understand how current and future digital viruses spread through networks. Inflame will play a key role in how BT’s Eagle-i platform automatically predicts and identifies cyber-attacks before they impact, protecting customers’ operations and reputation.”
Why take an epidemiological approach?
The technology mirrors that used to track the spread of medical viruses and is not a new approach in cybersecurity. Many of the early uses of graph database technology by cybersecurity vendors enabled a similar response. However, those were designed as a post-attack forensics solution.
The approach is simple:
- Identify the source of infection/compromise (in medical terms, patient zero)
- How did that machine/user get infected/compromised?
- How did the attack spread throughout the organisation?
BT is changing the dynamics of that process. Instead of waiting for an attack, it intends to use Inflame to identify how an attack might spread. This will allow it to proactively deploy defences to stop an attack before it gets started.
How will BT deploy Inflame?
To understand more, Enterprise Times talked with Ben Azvine, Global Head of Security Research at BT. We started by asking Azvine how this would be deployed. Would it be agents or another technology?
Azvine replied: “This is part of our managed security service platform. The idea is that we manage and host the data, and therefore, have access. We will use probes that allow us to model the network that we’re trying to protect. We may move to an edge computing type model in the future, but we haven’t done that yet.
“The data we collect will be available either in the cloud or a private cloud repository for threat intelligence. To model this, we need the network data because the epidemiological model is stochastic modelling. We need that network data to understand which devices or people on the devices talk to each other.
“Based on the traffic that we monitor, we then build these stochastic models that we’re going to use to understand the propagation. We’re not trying to understand the malware itself or the virus itself. That’s the beauty of epidemiological modelling. You don’t need to have a vaccine before you do epidemiological modelling. You do it because you want to find measures by which you contain the spread of a virus.
“It’s exactly the same in Inflame. We want to understand what would happen if we had highly infectious malware on our network. Attackers want to identify vulnerabilities, weak points, and also the vulnerabilities of our response.
“So there’s two parts to it. One part is the modelling and understanding of the network, which is done using epidemiological modelling. The second part is, what’s the best response to actually contain or eliminate the threat?”
The benefits of machine learning
Azvine says this is where machine learning comes in. It allows BT to use reinforcement learning to run tens of thousands of simulations to see what might happen. From there, it can develop a range of strategies for countering an attack.
Importantly, for customers, a key element of this is the identification of vulnerabilities such as poor privilege management. While Azvine says BT is not going to look explicitly at issues such as privilege management, he did say: “One of the scenarios we model using Inflame is how long does it take for an attacker and malware to get to a privileged account. That’s when the speed of infection, speed of spread, accelerates.
“That’s what the bad guy is trying to get to. What we can do with epidemiological modelling is identify critical nodes. Once you have your model, you say, ‘Okay, these are the critical nodes in the network’. Then the objective of the agents would be to slow down or eliminate access to those critical nodes, which are essentially privileged access accounts. And we can do that modelling and do that simulation right now.”
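The two parts Azvine describes, a stochastic spread model built from who-talks-to-whom network data and a search for the containment action that best protects the critical nodes, can be illustrated with a small simulation. The following is an added example written for this article, not BT's Inflame code. It uses a constructed contact graph with hypothetical hostnames (`ws1`, `fs1`, `jump1`, `dc1` and so on), a simple susceptible-infected model with a per-edge infection probability, and Monte Carlo runs to estimate how quickly an outbreak from one workstation reaches the privileged node and which single-node isolation reduces that risk the most. The infection probability and run counts are assumptions chosen for illustration.

```python
"""Toy epidemiological spread model over a network contact graph.

Added example (not BT's Inflame). The graph, hostnames and parameters are
constructed for illustration. The model is SI (susceptible -> infected, no
recovery): each step every infected node tries to infect each susceptible
neighbour with probability p_infect.
"""
import random
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed contact graph (undirected): which hosts exchange traffic.
CONTACT_GRAPH: Dict[str, List[str]] = {
    "ws1": ["ws2", "ws3", "fs1"],            # workstations
    "ws2": ["ws1", "ws3", "fs1"],
    "ws3": ["ws1", "ws2", "fs1"],
    "fs1": ["ws1", "ws2", "ws3", "jump1"],   # file server
    "jump1": ["fs1", "dc1"],                 # jump host
    "dc1": ["jump1", "adm1"],                # privileged asset (critical node)
    "adm1": ["dc1"],                         # admin workstation
}


def simulate_spread(graph: Dict[str, List[str]], patient_zero: str, target: str,
                    p_infect: float, rng: random.Random, max_steps: int = 50,
                    isolated: FrozenSet[str] = frozenset()) -> Tuple[Optional[int], Set[str]]:
    """One stochastic run. Returns (step at which target was infected, or None,
    final infected set). Isolated nodes never send or receive infection."""
    if patient_zero in isolated:
        return None, set()
    infected: Set[str] = {patient_zero}
    reached: Optional[int] = 0 if patient_zero == target else None
    for step in range(1, max_steps + 1):
        newly: Set[str] = set()
        for node in infected:
            for nb in graph.get(node, []):
                if nb in infected or nb in isolated or nb in newly:
                    continue
                if rng.random() < p_infect:      # independent attempt per edge
                    newly.add(nb)
        if not newly:                            # outbreak has burned out
            break
        infected |= newly
        if reached is None and target in infected:
            reached = step
    return reached, infected


def assess(graph: Dict[str, List[str]], patient_zero: str, target: str, p_infect: float,
           runs: int = 2000, seed: int = 0,
           isolated: FrozenSet[str] = frozenset()) -> Dict[str, float]:
    """Monte Carlo summary: probability the target is reached within the horizon,
    mean time to reach it (over runs where it was reached) and mean outbreak size."""
    rng = random.Random(seed)
    times: List[int] = []
    sizes: List[int] = []
    for _ in range(runs):
        t, inf = simulate_spread(graph, patient_zero, target, p_infect, rng, isolated=isolated)
        sizes.append(len(inf))
        if t is not None:
            times.append(t)
    return {
        "reach_rate": len(times) / runs,
        "mean_time": sum(times) / len(times) if times else float("inf"),
        "mean_size": sum(sizes) / runs,
    }


def rank_containment(graph: Dict[str, List[str]], patient_zero: str, target: str,
                     p_infect: float, runs: int = 500, seed: int = 0) -> List[Tuple[float, str]]:
    """Rank single-node isolations by how much they reduce the chance that the
    outbreak reaches the critical node. Nodes with the largest reduction are the
    critical chokepoints a defender would want to protect or isolate first."""
    base = assess(graph, patient_zero, target, p_infect, runs, seed)["reach_rate"]
    scores: List[Tuple[float, str]] = []
    for node in graph:
        if node in (patient_zero, target):
            continue
        r = assess(graph, patient_zero, target, p_infect, runs, seed,
                   isolated=frozenset({node}))["reach_rate"]
        scores.append((base - r, node))
    scores.sort(key=lambda s: (-s[0], s[1]))
    return scores


if __name__ == "__main__":
    print("baseline:", assess(CONTACT_GRAPH, "ws1", "dc1", 0.6))
    for reduction, node in rank_containment(CONTACT_GRAPH, "ws1", "dc1", 0.6):
        print(f"isolate {node:6s} -> reach-rate reduction {reduction:.2f}")
```

In this constructed graph the file server and the jump host are the only paths from the workstations to the privileged asset, so isolating either of them drives the reach rate to zero, while isolating another workstation changes nothing. That is the "critical nodes" idea in the interview: the model never inspects the malware, only the contact structure, and the ranking tells the defender where slowing or blocking traffic buys the most time before a privileged account is reached.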
How will BT use this information?
Enterprise Times asked Azvine if Inflame would track specific types of devices with known issues, such as printers. He said that it hadn’t gone to the level of analysis yet. However, it has begun to look at the impact of changing the authentication of devices to slow an attack.
“One of the actions we’ve modelled is to change the authentication of devices. Once you detect that the level of threat has gone up, or there are early indications of an attack, you could, as a matter of precaution, either change your encryption or authentication of what you have on your network.
“Remember, we can only do things that we have control over. You can’t go into people’s devices and start changing things. What we can do is stop the spread of that virus. If that laptop or printer is connected back to the network, and we detect some anomalous behaviour, we could try to isolate that. We don’t have permission to go into the printer and change anything. We are not really touching the end devices that we don’t have control of.
“But what we do have control over is the propagation of that malware into the other elements of the network. At that point, we start modelling, and we start taking action.”
Azvine also mentioned that BT has plans to deploy continuous authentication in a release of its Eagle-I platform. He believes that it is the future of authentication and will help eliminate a whole load of infected devices from the network.
Enterprise Times: What does this mean?
The use of epidemiological tracking techniques in cybersecurity is not new. What is new here is using it proactively to model flows between devices and across the network in order to detect and prevent attacks. It is a good idea, but the question is how far BT can go with it. For example, there seems to be plenty of scope to extend this to a more detailed view of privileges. Users often accumulate these based on time served at a company. A system that could show the current state of risk from excess privilege would be well received.
What is also interesting here is the overlap between the Inflame approach and behavioural analytics. The latter has become a buzzword around the cybersecurity industry over the last few years. The problem is that many customers don’t know how to interpret it or even if it is working properly. Combine the threat intelligence from that with Inflame, and both will get more accurate. It will especially expose unexpected attempts to connect across the enterprise.
BT has no date when this will go live except “sometime in 2022”. Whether BT will make a separate announcement or just deploy as part of an Eagle-I update remains to be seen.