SEPTEMBER 15, 2019

Beating the Bullet: From Detection to Prevention

A core evaluation of AI in cybersecurity indicates that AI is at the precipice of overhauling the threat landscape. The growing awareness and knowledg

A core evaluation of AI in cybersecurity indicates that AI is at the precipice of overhauling the threat landscape. The growing awareness and knowledge of AI, combined with the ongoing development of new attack vectors and evasion techniques, means that the days of AI in the attack domain are undoubtedly approaching.

Organizations need to be ready for this next wave of attack. The reality on the ground makes it very difficult for the cybersecurity eco-system to adequately prepare themselves. CISO’s and their staff are often overloaded and overwhelmed with the amount of work that’s thrown at them, leaving them with very little time to broaden their knowledge and understanding of what is happening in the threat landscape. On the one hand, security and IT experts are slow with implementing new products because it takes a long time and it’s hard to ascertain the efficacy pre-emptively. Yet on the other hand, they are all too aware of the gaps with their current solutions. The result is that many enterprises are taking a reactive - detection and remediation-based - approach, where they are overloaded with so many events occurring in their current system, that they don’t have the time or the mindset to switch to a proactive approach.

The Legacy Anti-Virus Era

In the period after the widespread adoption of AV solutions the cybersecurity market became rapidly disillusioned with the ongoing stream of breaches that appeared to seamlessly bypass solutions. Blacklists, signatures and heuristics were routinely being bypassed by attack vectors that continued in their merry paths of destruction.  This era was eventually replaced by the current approach based mostly on a combination of AI, detection and response. However, the constant pursuit of threat hunting and analysis, couples with FP and alert fatigue is causing many to once again lose confidence. Companies are finding that they are losing the technological upper-hand against an attack landscape that is increasingly sophisticated, and where advanced attacks are easily evading modern detection and response-based solutions.

Not surprisingly, CISO’s and company boards are growing incredibly weary of spending a lot of money on a raft of security products, only to later spend much more in the aftermath of a breach which inevitably occurs. This comes at an enormous cost, where time and resources are occupied in remediating the breach, rather than being able to focus their efforts on developing revenue streams. The frequency of this scenario has prompted some industry leaders to a pursue a new frontier of prevention, with an approach that it is now possible to pre-emptively stop an attack before any damage can be done.

Beating the Bullet: The Preventative Approach

Many question the possibility. “Is a preventative approach realistic?” The answer from Deep Instinct, is a resounding, Yes! There is a false sense of security in the wealth of data and analytics that a detection solution provides, but real, effective security is the difference between detection and prevention.

For both networks and endpoints, there is a widening gap between the capability of threat actors and the efficacy of detection solutions, making it harder to adequately protect a device. In the detection and response approach, an attack or the steps taken to carry it out are analyzed post-execution, as only once it’s been executed does the SOC team go into granular detailed analysis, as the malicious activity unfolds, creating additional artifacts. However, this effectively puts the security solution and the attack in a race condition, where the solution is pursuing the attack by running behind the threat actor. This reactive approach means that you have all the data you could possibly care to have on a breach, with little to nothing being done to actually stop it, relying mostly on the human factor identify, contain and remediate damage

This common approach of detection and response, which is intended to reduce risk, but actually exacerbates it, highlights the business case for a pre-emptive cybersecurity solution. CISO’s shouldn’t resign themselves to solutions that operate post-execution but should demand a solution that acts pre-emptively to keep them protected.

By definition, a zero-time preventative solution must incorporate five elements that distinguish it from a detection and response-based solution, or other supposedly preventative tools. These include:

  1. Pre-execution – The solution is designed to be triggered before any malicious business logic takes place. For example, as soon as a file is accessed, downloaded on to a device, or malicious code injection is fully executed.
  2. Autonomous – Once the solution is activated, it autonomously analyses and makes decisions on prevention and alerts, regardless of human involvement and internet connectivity. If a human is involved it’s not a real-time solution.
  3. Zero-time – Any new data artifact or file must be analyzed in a matter of milliseconds, prior to being executed, opened or causing compromise, effectively providing a zero-time response.
  4. All threats – The solution’s design should cover a broad range of cyber-attack vectors and surfaces, both known and yet unknown threats.
  5. All environments – the solution should protect a wide range of environments and OSs, be it networks, endpoints, mobile devices or servers and to all major operating systems from a single unified platform.

Currently, deep learning is the only technology available that is able to deliver these five elements to provide a real prevention-oriented solution. The adaptation and application of deep learning make it possible to harness its innate advantages of fast inference and high accuracy to provide prevention. The rigorous analysis of deep learning also provides a remarkably low false-positive rate, despite the higher rates of detected files.

Consolidate solutions

CIOs and CISOs do not need an endless suite of products sitting in their systems in order to ensure protection, they can and should work to consolidate their solutions. If they have a solution running in their environment for two or three years, they should consider a replacement. Not necessarily to replace current solutions, but they should consider the real value that they are getting. Likewise, vendors should also be keen to ensure their solutions on offer provide real value if they want to retain their customers.

Advanced AI

CIOs and CISOs need to also be aware that while there are many machine learning-based solutions available on the market that have proven to provide reasonable protection against human authored malware, AI-based malware is altogether another ball game. Recent events have shown that AI solutions are not immune to being bypassed and attacked. An attack that incorporates AI in its business logic, can be designed to evade machine learning solutions. It is the vendor’s responsibility to provide users with a sophisticated solution that realistically holds a chance of beating off AI-based attacks. To stand a chance at defeating the most advanced threat types, any security solution’s algorithm must be regularly challenged against sophisticated malicious algorithms to ensure that it is sufficiently robust and able to remediate any type of threat. Ready for whatever the future may bring.

The Takeaway

As a security professional there are three important things to realize. The first is that we should not be afraid of AI. AI technology is only going to become more prolific in our lives and the best way to ensure protection is by having an advanced AI solution that is adequately up to the challenge.

The second factor is to look for a solution that has a focus on prevention, rather than detection and response. A security solution with strong predictive capabilities is able to analyze a file with a high level of accuracy, doing so in pre-execution, where no damaged can be wrought. As opposed to a solution that is designed to operate post-execution, where the threat is given the chance to materialize.

Finally, any decision that you make as a CISO, should not be a bet. Selecting a solution should be based on an educated decision that involves testing the latest technologies after implementing them.  It is clear to vendors that the deployment process needs to be quick and easy, so it’s on them to work with you to address this need.


To learn more about the evolution of cybersecurity solutions towards a preventative approach, read the whitepaper Reinventing Cybersecurity Prevention with Deep Learning