Have hackers seized your network unnoticed? Has it become part of a botnet and are thousands of spam emails being set from your email account? How quickly will you discover the attack and be able to initiate countermeasures? In my article, you can learn how criminal activities can be detected using Artificial Intelligence (AI), particularly machine learning – long before they cause any damage. Join me on the hunt for evidence!
As a result of increasing digitalization, it is not just more business processes that are shifting to the digital world, but criminality too. Instead of breaking into shops, corporate networks are being hacked. If things have already reached this point, how can we protect ourselves now and in the future? The answer: First of all, it must be clarified whether companies are thinking of all necessary security requirements and taking precautions at an early stage. If security measures are not correctly planned or implemented during the course of digitalization, security gaps arise that can make life easier for hackers. For instance, if interfaces remain unsecured between legacy and new applications. The goal of attacks: money, money, and even more money. The growing market for cybercrime not only enables the purchasing of stolen credit card information and passwords for a few U.S. dollars; distributed denial-of-service attacks on company servers can also be ordered with a click.
How quickly can you detect a cyber attack? When do things get critical? The fact is that if a company only realizes after three days that an attack has taken place on the corporate network, it is definitely too late to avert huge damage. But how can such attacks be detected directly and sooner? Companies need an alert and monitoring system – and subsequently machine learning. After all, algorithms based on machine learning can be used in cyber security to discover any security incidents, fraud cases, and abuse scenarios affecting the infrastructure – or even better, to avoid them from the outset. The technologies for AI or for machine learning as a sub-discipline of AI have been around since the 1950s. So why haven’t they been used before? The reason for this is the highly scalable computing capacities that are only now becoming available and that can process, evaluate, and store vast quantities of data quickly.
To detect security incidents in the first place, an alert and monitoring system or a security information and event management solution (SIEM) is needed. The SIEM solution collates data about user and system behavior that can subsequently be analyzed. Who is logging in? From what location? How often do unsuccessful attempts occur? Which ports are being used? There is a good reason why we have around 200 Security Professionals who reduce the volume of data to a sensible level with a great deal of energy and expertise and then evaluate it in real time using intelligent tools, taking immediate protection measures in the event of striking events. In this way, we have already tracked down, stopped, and familiarized ourselves in detail with a large number of attack scenarios. With the help of Artificial Intelligence, we evaluate a large volume of network data, detect cyber attacks immediately, and initiate appropriate countermeasures.
During monitoring by SIEM, AI comes into play in the next step: SIEM ascertains that something unusual is happening in the network. For instance, if users log in during the middle of the night or enter an incorrect password several times. Intelligent algorithms learn to assess such incidents to distinguish between normal and abnormal processes. How does the algorithm know whether I have simply forgotten my password or whether a cyber attack is taking place? After all, who hasn’t it happened to? You enter the wrong password and then try again.
Simply entering a password incorrectly isn’t enough to raise the alarm, as SIEM always correlates several factors. However, if SIEM associates the entering of the wrong password with a “log-in attempt at an unusual time,” “repeated entry of the wrong password,” and “privileged user account,” all of the events together trigger an alert.
To prevent affected IP addresses, accounts, or digital identities from being automatically blocked as a result, the IT teams in the Security Operations Center (SOC) assess the situation and initiate the incident response, or in other words appropriate reactions to the IT security incident. So there is very little cause for concern that your behavior might incorrectly be taken for a cyber attack. At the same time, the IT teams in the SOC train the algorithms so that they can detect a similar attack earlier next time and so react more quickly. This means that the more attacks there are, the quicker and better AI learns. In the long term, this leads to systems becoming more secure.
Time is a crucial factor in defense against cyber attacks. AI helps to identify new attack patterns and to react quickly to changes in known attack patterns. In the past, security specialists had to analyze attack scenarios in an elaborate process and write complex rules through which such attacks were able to be identified. AI algorithms are now able to take on this job for large quantities of data. They identify anomalies without having to be specially programmed to recognize particular threats. This is a huge advantage in cyber defense, as it is possible to react much more quickly and flexibly to new threats and altered attack scenarios in this way.
Will AI remain a key element in cyber security in the future? The answer is a definite yes. AI will be a crucial factor for identifying anomalies. There will continue to be application cases where AI provides genuine added value that we would not achieve without it – but this will not be true in all cases! After all, the use of AI is also limited. AI cannot identify all patterns. Experts need to establish clear and individual rules for many application cases. In addition, the use of AI must always comply with ethical, legal, and data-protection-related principles. Through our guidelines for AI and the Sovereign Cloud, we establish a framework to ensure that 1. AI systems and their use comply with our corporate values, ethical basic values, and social conventions, and 2. data processing for AI applications takes place in our ultra-secure, GDPR-compliant data centers on European soil.
