How AI closes identity and endpoint gaps that attackers exploit

Endpoints are among the weakest but most valuable attack vectors, and as more companies pursue AI development, the stakes are higher than ever. That is one of the most important conclusions from a roundtable discussion on this topic during Transform 2024.

Endpoints are under attack, especially for AI companies

The level of effort and intensity that adversaries are putting into trading techniques aimed at breaching the endpoints of AI companies is increasing. From running scans of every endpoint and looking for potential disconnects that lead to an easy breach, to refining malware-free trading techniques to launch undetectable breaches, adversaries are using LOTL (living-off-the-land) techniques that rely on legitimate tools to breach endpoints undetected. AI companies are an attractive target for their intellectual property, finances and future R&D plans.

Malware-free attacks are on the rise in the enterprise software industry and the AI ​​community, with a specific focus on companies with leading AI, generative AI, and machine learning (ML) technologies. By relying on legitimate tools, which rarely generate a unique signature and rely on fileless execution, malware-free attacks are often undetectable.

Taking into account all the malicious activities tracked by CrowdStrike in their recent Threat Hunting Report71% of detections indexed with CrowdStrike Threat Graph were free of malware. A total of 14% of all intrusions relied on remote monitoring and management (RMM) tools, based on activity tracked by Falcon Advisory Overwatch. Attackers have increased their use of RMM tools for malware-free attacks by as much as 312% year-over-year 2023.

Adversaries launching intrusion attempts combine multiple techniques at once, hoping to find gaps they can exploit. Weaknesses that lead to an AI company being hacked include endpoints that are several months late for patch updates, a lack of multi-factor authentication (MFA), and adversaries using privilege escalation. In one case, VentureBeat learned of a sophisticated man-in-the-middle (MitM) attack targeting a leading software company that was innovating itself toward an AI-first platform strategy.

More AI companies monitor all telemetry data

Another key takeaway from the roundtable discussion is that more and more companies are seeing real-time telemetry data as the core of their endpoint security strategy. AI startups and leading AI companies are data-centric by nature, and their security teams are focused on how they can use real-time telemetry data to identify anomalous patterns and perform breach predictions.

Experts at the roundtable noted that the data proves to be invaluable for identifying the hardware and software configuration of every endpoint at every level: files, processes, registries, network connections and device data.

BitDefender, CrowdStrike, Cisco, Ivanti, Microsoft Defender for Endpoint, Palo Alto Networks, Sophos, McAfee, Symantec Enterprise Cloud (Broadcom), VMware Carbon Black endpoint And SentinelOne are leading providers that capture real-time telemetry data and use it to derive endpoint analytics and predictions. Managing telemetry data is inherent to any enterprise-level comprehensive detection and response (XDR) system. An XDR is designed to provide more effective threat detection, investigation, and response capabilities by providing a holistic view of threats across the entire digital environment.

Cisco’s deep expertise and decades of experience interpreting telemetry data are at the core of its future cybersecurity strategy. The collaboration and networking giant is deploying native AI at the core of its progressive cybersecurity strategy. This starts with the recently introduced HyperShield, Cisco’s new hyper-distributed framework that acts as an enterprise-wide security fabric.

“It is extremely difficult to do anything when AI is seen as a complement; you have to think about it,” said Jeetu Patel, EVP and GM of security and collaboration for Cisco, told VentureBeatwith reference to findings from the 2024 Cisco Cybersecurity Readiness Index. “The key here is that AI is used natively in your core infrastructure.”

Nikesh Arora, chairman and CEO of Palo Alto Networks, also told VentureBeat that “we collect the most endpoint data in the industry through our XDR. We collect almost 200 megabytes per endpoint, which in many cases is 10 to 20 times more than most industry participants.”

The importance of calculating IOAs and IOCs

CrowdStrike, ThreatConnect, Deep instinct And Orca security use real-time telemetry data to calculate attack indicators (IOAs) and indicators of compromise (IOCs). IOAs focus on detecting an attacker’s intentions and identifying their targets, regardless of the malware or exploit used in an attack. IOCs provide forensics to prove a network breach, including malicious IP addresses, URLs, file hashes, and other known signs of compromise.

IOAs must be automated to provide accurate, real-time data to understand attackers’ intentions and stop intrusion attempts. CrowdStrike, a leader in this field, has developed AI-powered IOAs that rely on real-time telemetry to further improve endpoint protection. By integrating AI, IOAs can work in sync with sensor-based ML and other defense layers, significantly improving detection and response capabilities against complex cyber threats.

Michael Sentonas, president of CrowdStrike, told VentureBeat in a recent interview: “If you look at the view of CrowdStrike in 2011, one of the things George was talking about was that we couldn’t solve the security problem unless we used AI. In the run-up to going public as a company, he also talked about AI, and since we went public, we talk about AI every quarter when we talk to Wall Street. We use AI as part of our effectiveness models and prevention models, and we use AI in threat hunting. It is an important part of what we do.”

Ten areas where gen AI can help close the endpoint security gap

Almost every AI-related startup or large-scale enterprise is experiencing a growing number of intrusion attempts. They all see gen-AI as the answer to the challenge of protecting endpoints and their businesses. The key areas where companies participating in the VB Transform roundtable were most interested in seeing Gen AI’s contribution included the following.

Continuous monitoring and verification of network telemetry: Tracking network telemetry and interpreting it at scale is one of the key foundations of zero trust. Generation AI’s ability to interpret the security status of devices, continuously verify the legitimacy of credentials, and enforce least privileged access through modeling is necessary. Best of all, network telemetry-based insights can identify an intrusion attempt as it happens and, with the right agents, shut it down.

Real-time threat detection and response: Speed ​​is crucial in security. AI is being used today to increase the speed and accuracy of threat detection by analyzing massive amounts of telemetry data in real time, identifying complex patterns and responding to threats immediately.

Behavioral analysis and detection of anomalies: Identifying subtle deviations from normal behavior patterns in users, devices and applications is essential for quickly identifying insider threats and more advanced attacks. A few of the companies at the roundtable are adopting this today as part of their XDR strategies.

Reduction of false positives as models learn more: Security Operations Center (SOC) teams are inundated with false positives. Using gen AI to identify an actual positive alert is the first step. Learning from these alerts and helping SOC analysts better decipher when there is a real threat is a great use case for generation AI. It immediately buys more time for the teams reporting false positive alerts throughout the day.

Automated threat response: Another high-priority design goal for XDR systems: all major XDR platform providers are shipping or have announced this feature. AI-powered XDR platforms can automate initial responses to threats, such as isolating compromised endpoints or blocking suspicious network traffic, speeding incident response times.

Adaptive learning, including training LLMs on attack data: More and more leading cybersecurity companies are training large language models (LLMs) on attack data so their systems can respond quickly. CrowdStrike co-founder and CEO George Kurtz told the keynote audience at the company’s annual Fal.Con event last year that “one of the areas we’ve really pioneered is that we can detect weak signals from different endpoints.” catch. And we can link these together to find new detections. We’re now extending this to our third-party partners so we can look at other weak signals, not just across endpoints but across domains, and come up with a new detection.” Training LLMs with endpoint data is the future of cybersecurity.

Improved real-time visibility and correlation. Aggregating and correlating data from a broad base of telemetry data is now critical to any XDR platform as it improves real-time visibility and correlation of events. As a result, Gen AI is already being integrated into more XDR platforms.

More accurate threat hunting: AI/ML models are proving effective at identifying signs of compromise that older systems would have missed. One area where AI/ML will deliver the most is identifying breaches in real-time and significantly reducing false positives and negatives.

Automation of manual workloads on the SOC: Security analysts face the challenging tasks of documenting important alerts and maintaining reporting. By using AI to automate reporting for compliance, they can immediately work on more complex (and interesting) tasks.

More accurate predictive analytics: In an area where competition between XDR platform providers is fierce, predictive analytics is becoming increasingly intuitive and real-time. Every XDR platform relies on it to predict future attack trends and vulnerabilities. AI/ML provides greater predictive accuracy and insight in this area.

Conclusion

The age of weaponized AI has arrived, and XDR platforms must step up and rise to the challenge of extracting the full value from AI and ML technologies if the cybersecurity industry and the many organizations they serve are to remain secure. No one can afford to lose the AI ​​war against attackers who see gaps in identities and endpoints as an opportunity to take control of networks and infrastructure.