
What's Next for Cyber-Security
Sponsored by Sophos: This is a close look at innovation in the ever-evolving cyber-security market.
#eweekchat
New Trends in New-Gen Security
How are thought leaders and software providers working here in mid-2018 to jump ahead of the bad actors in the race to protect personal and business data?
Chris Preimesberger
GA Q4: We've touched on this a little already: How will the use of AI and machine learning generally help secure the expanding number of attack surfaces in enterprise IT?
Sophos
A4: The majority of modern cyberattacks are unique, so technology that waits around for patient zero is now obsolete. Cybersecurity solutions need AI and deep learning to provide predictive protection.
Andrew Useckas
A4: ML and AI can't do much by themselves. The core tech has to be competent. Behavioral analysis vs. binary decisions is where it's at.
Andrew Useckas
A4: A successful security AI engine will also have the side effect of elevating the attack level. AI will be attacking AI.
Sophos
Of course, not all ML is equal and ML won't solve all problems. ML is great right now against PE files, URLs, document based attacks, but not great against exploit attacks on vulnerable legitimate applications, yet...
Chester Wisniewski
A4: You're training the machines to look for the behaviours rather than a specific malicious file as well. To steal a file you must touch it, move it and exfiltrate it. Watching for behaviours can reduce 0-day risk.
Carson Sweet
.@daronin +1 -- AI can influence other AI learning
Kris Lahiri
A4: IMHO reducing attack surfaces is one of the things ML/AI helps do best. When the system can identify and classify all of your sensitive content, it allows the human to properly manage it (i.e. move into secure areas that are not susceptible to attack)
Sophos
@daronin The challenge for using AI to attack AI is that AI needs to be trained and the attacker would need a large training set to create an AI based attack. Not impossible, but clearly very challenging
Kris Lahiri
A4: We've seen ML be tremendously helpful in ransomware detection. The minute abnormal behavior is detected it can be cut off at the knees.
Andrew Useckas
@Sophos Not impossible. A good pen tester can collect plenty of data.
Sophos
That is why in Sophos Intercept X we use Cryptoguard for that specific reason. We focus on identifying hacker techniques, not ML or file scanning. We can protect against stack pivots, heap sprays, bootloader alterations, etc.
Chris Preimesberger
GA Q6 Tell me something I probably don't know about cybersecurity that I REALLY SHOULD KNOW.
Sophos
There are only 100 of us in the industry and we just move from company to company :-)
Andrew Useckas
A6: You will never be 100% secure. :)
Kris Lahiri
A6: Cybersecurity is as evolutionary as the attackers who are breaking it. As mentioned here before, no one solution will handle it all and your strategy needs to constantly adapt
Sophos
The thing I love about the industry is that it is always changing, so you probably know this already, but the greatest thing about cybersecurity is you never know what's going to come next.
Andrew Useckas
@chetwisniewski In our product I am pushing to get blocklist renamed to blockchain. Does that count? :)
Sophos
@daronin I hope that is not surprising to anyone :)
Chester Wisniewski
A6: More seriously though, we need to do the basics and stop shaming people for not getting them right. It is *hard*. Knowing your inventory, patching, protecting and monitoring goes further than anyone wants to admit. It's just a lot harder than any of us think.
Chris Preimesberger
GA Q5: What new techniques and trends might we see in cybersecurity over the next 12 to 24 months?
Sophos
I think the new protection techniques will be focused around the changing landscape of IT and move to protecting compute instances, whether that is a traditional EP, Container, Cloud Workload, Application, SD-WAN, etc. They will be ML and behavior based & predictive
Chester Wisniewski
A5: opportunistic criminals will always look to the next profitable scam. Ransomware is slowly receding, cryptojacking is evolving from web to server. Much more money to be made compromising one powerful host for a long time than a few small ones for a minute.
Chester Wisniewski
A5: targeted criminals will stick with attacking our most vulnerable assets: humans. We need the ability to detect & respond as much as we want to prevent. We also need to have incident response as high a priority as prevention, as we all face the inevitable failure
Chris Preimesberger
GA Q7: Rhetorical Q: Are we ever going to be able to get ahead of the professional hackers?
Kris Lahiri
no, so hire them ;)
Chris Preimesberger
Best answer we can get, right there ;-)
Chester Wisniewski
A7: I think we are making headway. This is political as much as it is technical. Providing legitimate work to talented tech folks helps, but that isn't a reality in some parts of the world.
Sophos
A7: There is so much at stake for the professional or state sponsored hacker it is hard to believe we will always be ahead. But we should still invest in protection AND detection AND response. It is the only way to deal with the world we live in
Chester Wisniewski
A7: We also have to remember that we have a lot more at stake and we care more. That energy will take us a long way. We need to organize more as defenders, as the crooks are already organized.
Carson Sweet
Q3 ADD: lots of "monster of the week" still coming out, e.g. cryptojacking is buzzy, and lots of buzzy partial solutions e.g. "raw" analytics engines. Need more solutions to pull them together - security teams don't have time for "assembly required"
Chester Wisniewski
A3 add: This is where the channel plays such an important role. They know their vendors and how to deploy them effectively to provide seamless solutions
Sophos
A3: Agreed, that is why we must adopt the combination of cross ecosystem ML and automated response. Synchronizing the response based on the input from multiple sensors is critical. Don't put the onus on the analyst to mentally correlate that and expect response
Chris Preimesberger
GA Q3: What type of enterprise security (data-centric, network-centric, application-centric, workload centric, device-centric) do you believe shows the most promise at this point? @11:20am
Sophos
The reason I like the Darwin approach is that it doesn't discern. We look at compute instances which includes workloads, along with apps, data, network, etc. We can't pick one over the other because the adversary will just find the gap in protection
Kris Lahiri
A3: We believe in the content-centric security approach. We don't want to prohibit users from working the way they want to (apps, devices, locations, etc.), so we focus on securing the content itself from cradle (creation) to grave (retirement).
Kris Lahiri
A3: This includes the behaviors surrounding content. I.e. anomaly detection for access locations, upload/download behavior, etc.
Chester Wisniewski
A3: You have to look at 2 things needed to secure your org. Devices that have integrity to handle data processing and the security of the data itself while in motion or in transit.
Chester Wisniewski
A3: Whether endpoints are phones, PCs or the cloud you need to have an inventory and assurance they haven't been tampered with.
Chris Preimesberger
@daronin I love the idea of automating humans!
Sophos
I wish I could automate my kids sometimes, but there is no machine learning powerful enough for that! :)
Chester Wisniewski
If only we could patch humans...
Andrew Useckas
@chetwisniewski That I think we can do. At least on hardware level. :)
Chris Preimesberger
Q1: For starters, I'd like to ask Dan Schiappa of Sophos about his theory involving Charles Darwin and cybersecurity. What about it, Dan? ;-)
Sophos
A1: Darwin's theory is about adapting to survive, and we need to do that in a full security ecosystem. We need to do this automatically by having sensors, event models, analytics and enforcement all automated
Sophos
As we learn more about what is happening in the ecosystem it feeds machine learning that can automatically ask enforcement points to respond to the conditions
Kris Lahiri
Couldn't agree more here Dan. What I take away from the theory also involves evolution. While a company can be compliant or secure at one moment in time, seconds later everything can change. It is so important to be able to monitor an environment in real-time, at all times!
Sophos
Exactly, and the more we can automate, the more we can allow SOC analysts to do the more intense work. A product ecosystem of any compute instance as well as SD-WANs, FW, APs, etc., can really add value.
Sophos
Humans will always play a role in cyber, but we know we’re imperfect. Dealing with overwhelming amounts of data, we need machine learning and data science to help cut through the noise before humans step in
Carson Sweet
A7: Unlikely. They're advancing their game with the same technologies we are. And remember, they only have to get it right once... we have to get it right every single time.
Sophos
But we must keep pushing ahead. Keep raising the bar and making it more expensive and intensive for them to get that one right, which is why we also need detect and respond
Chester Wisniewski
Not really. That's why we have defense in depth. They have to be right many times and each one is a tripwire if they are wrong.
Carson Sweet
.@Sophos +1, no doubt. but it is an ongoing process.
Chris Preimesberger
@eweeknews and @Sophos want to thank each of you who brought a perspective, opinion or data point to our community round table today.