A single point of Failure? AI and Network Detection and Response

Having leapt into public consciousness with the likes of ChatGPT and Google Bard, Artificial Intelligence (AI) has already begun to play a decisive role in Network Detection and Response (NDR). Its benefits show up on both sides of that name: detection and response.

AI in detection

One of the biggest benefits of AI within NDR is its ability to recognise patterns in network traffic and to single out anomalies or suspicious activity. Deviations from 'normal' behaviour are often the first observable sign of an attack or attempted breach, so they are worth surfacing even when no known signature matches.

This differs from relying on known attack signatures or predefined rules: the model assesses the behaviour of the traffic itself, identifies threats as unusual patterns of behaviour and, over time, can do so without specific instruction, refining its own criteria as it goes.

The network's own behaviour and content, including new and previously unknown traffic, are therefore the system's source of learning.

Over time this becomes a process of continual evolution: the AI lets the NDR learn from the traffic it analyses and adapt as the landscape changes, which helps it recognise new threats that traditional, signature-based methods would overlook.

AI can also make recognition more precise. By analysing very large volumes of data and identifying complex interrelationships, it can form a more refined, nuanced picture of a threat, including threats that conventional, rule-based systems would miss.

AI systems can therefore adapt to changing patterns of attack and new threat vectors. This is not a fully automated security posture, but it does let systems keep up with the dynamic nature of cyber threats and give early warning of new ones.
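The following is an added example, not code from the original article or from Gatewatcher, of the behavioural detection described above in its simplest usable form: a per-host baseline of bytes sent per minute is learnt from flow summaries, and later windows are scored as a z-score against that baseline, so a burst to a destination nothing has a signature for is still surfaced. The flow records, host names, addresses, learning window and thresholds are all constructed for illustration. It also handles a host that first appears after the learning window, which a naive implementation would crash on or silently ignore.

```python
"""Behavioural baseline detection over constructed flow records (added example).

Each record is a minimal NetFlow-style summary: minute index, source host,
destination and bytes sent. All data here is constructed, not captured traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

LEARN_MINUTES = 10   # assumed learning window: minutes 0-9
Z_THRESHOLD = 3.0    # flag a window that sits more than 3 standard deviations above its host's mean
MIN_STDDEV = 1_000   # floor so a perfectly regular host does not yield infinite z-scores


def constructed_flows():
    """Two workstations with ordinary traffic, one large transfer to a never-seen
    external address at minute 12, and a host first seen at minute 13 with no history."""
    ws01 = [48_000, 52_000, 50_000, 47_000, 53_000, 49_000, 51_000, 50_000, 46_000, 54_000,
            49_000, 51_000, 50_000, 48_000, 52_000]
    ws02 = [20_000] * 15
    flows = []
    for minute, b in enumerate(ws01):
        flows.append({"minute": minute, "host": "ws-01", "dst": "10.0.0.5", "bytes": b})
    for minute, b in enumerate(ws02):
        flows.append({"minute": minute, "host": "ws-02", "dst": "10.0.0.5", "bytes": b})
    # 900 kB pushed to an external address (TEST-NET-3, constructed): no signature knows it
    flows.append({"minute": 12, "host": "ws-01", "dst": "203.0.113.7", "bytes": 900_000})
    # a host with no learning history at all
    flows.append({"minute": 13, "host": "ws-03", "dst": "10.0.0.5", "bytes": 5_000})
    return flows


def bytes_per_window(flows):
    """Sum bytes per (host, minute) window."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["host"], f["minute"])] += f["bytes"]
    return totals


def learn_baseline(flows, learn_minutes=LEARN_MINUTES):
    """Per-host mean and (floored) standard deviation of bytes/minute over the learning window."""
    per_host = defaultdict(list)
    for (host, minute), total in bytes_per_window(flows).items():
        if minute < learn_minutes:
            per_host[host].append(total)
    return {h: (mean(v), max(pstdev(v), MIN_STDDEV)) for h, v in per_host.items()}


def detect(flows, baseline, learn_minutes=LEARN_MINUTES, z_threshold=Z_THRESHOLD):
    """Score every post-learning window against its host's baseline; return findings in time order."""
    findings = []
    windows = sorted(bytes_per_window(flows).items(), key=lambda kv: (kv[0][1], kv[0][0]))
    for (host, minute), total in windows:
        if minute < learn_minutes:
            continue
        if host not in baseline:
            # the model has never seen this host: report it rather than guess a score
            findings.append({"minute": minute, "host": host, "bytes": total, "z": None,
                             "reason": "no baseline for host"})
            continue
        mu, sigma = baseline[host]
        z = (total - mu) / sigma
        if z > z_threshold:
            findings.append({"minute": minute, "host": host, "bytes": total, "z": round(z, 1),
                             "reason": "volume above baseline"})
    return findings


if __name__ == "__main__":
    flows = constructed_flows()
    for finding in detect(flows, learn_baseline(flows)):
        print(finding)
```

The transfer at minute 12 is caught purely because 950 kB in one minute is hundreds of standard deviations from what ws-01 normally sends; nothing in the code knows the destination is hostile. The flip side is visible in the second finding: a host with no baseline produces an alert of its own, which is exactly the 'every new behaviour is a threat' result the later section on false positives warns about.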

But AI is not just confined to detection: it can also profoundly impact response.

AI in response

Firstly, by separating normal from abnormal patterns of behaviour more reliably, AI can reduce the number of false alarms (false positives). That reduces the burden on security teams and increases the overall efficiency of security operations.

To ease the demands on these teams further, AI enables automated reactions to threats in real time and at scale, including measures such as:

  • Blocking IP addresses
  • Isolating affected devices
  • Applying security patches
  • Updating firewall rules

Speed of response is critical: when responses are automated, reaction times shrink and potential damage is minimised. The same speed makes a wrong automated action costly, so the confidence behind a detection should govern how far the automated response is allowed to go.

Nor is AI confined to reacting: it can proactively hunt for potential threats in the network before they cause damage, so the security team can recognise threats early and take countermeasures before they escalate.

However, whilst AI undoubtedly has a role to play in the evolution of cybersecurity, especially in NDR, relying exclusively on the technology is dangerous.

The challenges of AI in NDR

Firstly, AI can take a substantial time to get up to speed with a threat environment as complex as an enterprise network. The system needs to analyse large volumes of traffic before its engine can produce the nuanced, precise verdicts outlined above. Like any learning, this takes time, although supervised learning on labelled traffic can shorten the learning phase considerably.

The length of this learning phase matters because, left unchecked, it offers threat actors a window in which to evade detection and, in some cases, to establish behaviours on the network that the model absorbs as 'normal' and that can then serve as cover for future attacks. The learning system itself becomes as much of a target as the network, especially if it is managed outside the business.

Secondly, relying solely on AI recreates one of the very problems it was supposed to solve: too many false positives. As the model learns what deviant behaviour looks like, it risks treating every new behaviour as a threat.

Consider a hotel door and its doorman. Once the AI has learnt that the door should only be opened by the doorman, it risks flagging everyone else who opens it as a threat and triggering a response. That may not be warranted: the AI may simply lack the contextual awareness of who else may open the door and under what circumstances. Conversely, it may fail to notice that someone is impersonating the doorman by wearing his uniform, because what it observes matches the learnt pattern.

Lastly, AI depends on the data it learns from, which makes accurate, up-to-date and dynamic Cyber Threat Intelligence (CTI) a critical component of effective AI. That dependency is a systemic weakness of 'AI-alone' cybersecurity solutions.

Evolving AI in NDR

The solution lies in blending AI with other technologies to create a comprehensive, rounded approach, one that combines the strengths of AI with the benefits of established technologies.

Existing signature-based rules and live, intelligent input from systems such as a comprehensive CTI feed can compensate for the time (and cost) it takes to get an AI up to speed. Factoring in known signatures also shortens the time to value: 'plug and detect' becomes feasible once the AI is paired with Cyber Threat Intelligence that already knows what to look for in the immediate short term.

The resulting findings are then handed on for a human decision. Even though the AI can read the whole book, classify it as a whodunit and tell you that it was the butler, with the candlestick, in the kitchen, it must still pass that conclusion to a person to decide what happens next.
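The hybrid approach argued for here, together with the learning-window risk and the false-positive problem from the previous section, can be shown in one small detector. This is an added example and not Gatewatcher's code: a constructed CTI feed gives immediate, high-confidence verdicts from the first event ('plug and detect'), a first-contact novelty model learns silently during an assumed warm-up of four events per host, and after warm-up anything novel that the feed does not corroborate goes to a person for review rather than to an automated block. The indicators, destinations, host names and warm-up size are all constructed for illustration.

```python
"""Hybrid detection: CTI indicator matching beside a first-contact novelty model (added example)."""
from collections import defaultdict

# Constructed CTI feed: destination -> description. Illustrative values only, not real threat data.
CTI_FEED = {
    "198.51.100.23": "known C2 address",
    "evil.example": "phishing landing domain",
}
WARMUP_EVENTS = 4   # assumed size of the silent learning phase, per host


class HybridDetector:
    """Indicators from the feed decide immediately; everything else is judged against
    what the host has been seen contacting before."""

    def __init__(self, cti, warmup=WARMUP_EVENTS):
        self.cti = cti
        self.warmup = warmup
        self.known = defaultdict(set)     # host -> destinations accepted as normal
        self.learned = defaultdict(int)   # host -> events absorbed during warm-up

    def in_warmup(self, host):
        return self.learned[host] < self.warmup

    def process(self, host, dst):
        """Return a verdict dict for one (host, destination) contact."""
        base = {"host": host, "dst": dst}
        if dst in self.cti:
            # the feed already knows this destination: confident verdict, warm-up or not
            return {**base, "severity": "high", "source": "cti",
                    "action": "contain", "detail": self.cti[dst]}
        if self.in_warmup(host):
            # learning phase: anything not on the feed is absorbed as baseline. This is the
            # window in which an attacker can seed behaviour that later passes as normal.
            self.known[host].add(dst)
            self.learned[host] += 1
            return {**base, "severity": "none", "source": "baseline",
                    "action": "learn", "detail": "warm-up"}
        if dst not in self.known[host]:
            # novel but uncorroborated: a person decides, and the baseline is not updated
            # until they do, otherwise the model would accept whatever it is shown
            return {**base, "severity": "low", "source": "anomaly",
                    "action": "human-review", "detail": "first contact with destination"}
        return {**base, "severity": "none", "source": "baseline",
                "action": "allow", "detail": "known destination"}

    def confirm_benign(self, host, dst):
        """Analyst feedback: add a reviewed destination to the host's baseline."""
        self.known[host].add(dst)


def run_scenario():
    """Constructed sequence of contacts from one workstation, returned as verdicts in order."""
    det = HybridDetector(CTI_FEED)
    events = [
        ("ws-01", "10.0.0.5"),                 # warm-up: internal server, learnt
        ("ws-01", "10.0.0.8"),                 # warm-up: internal server, learnt
        ("ws-01", "198.51.100.23"),            # warm-up, but on the feed: contained at once
        ("ws-01", "cdn.example"),              # warm-up: learnt
        ("ws-01", "unlisted-dropper.example"), # warm-up, not on the feed: learnt as normal
        ("ws-01", "updates.vendor.example"),   # after warm-up: benign but novel, goes to review
        ("ws-01", "unlisted-dropper.example"), # after warm-up: already baselined, silent
        ("ws-01", "evil.example"),             # on the feed: contained
    ]
    verdicts = [det.process(h, d) for h, d in events]
    det.confirm_benign("ws-01", "updates.vendor.example")   # analyst closes the review as benign
    verdicts.append(det.process("ws-01", "updates.vendor.example"))
    return verdicts


if __name__ == "__main__":
    for v in run_scenario():
        print(f'{v["action"]:12} {v["severity"]:5} {v["source"]:9} {v["host"]} -> {v["dst"]} ({v["detail"]})')
```

The scenario shows both halves of the argument. The contact with the known C2 address during warm-up is contained immediately because the feed already knows it, while the unlisted staging domain contacted in the same warm-up is absorbed as baseline and never alerts again: that is the window the article warns about, and only better intelligence closes it. After warm-up the vendor update host is the stranger at the hotel door: it is surfaced, but at low severity and for a human decision rather than an automatic block, and only the analyst's confirm_benign call adds it to the baseline.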

This combination of technologies also extends benefits beyond the front line. Retaining network metadata alongside the alerts makes forensic data analysis, and the management of cybersecurity more generally, quicker.

Overall, AI can be seen as yet another instance of the technology industry coming to terms with the benefits – and limitations – of what it creates.

The new era of easy-to-use interfaces has undoubtedly opened AI to the masses, which means both offensive and defensive uses of the technology, at scale. Smart organisations will treat it as another tool in the armoury; they would be foolish to bet everything on one technology.

Gatewatcher is a cybersecurity software provider specialising in advanced intrusion detection and a market leader in high-performance solutions based on automation and machine-learning methods.
