In the past, cyber security systems relied on manually defined rules and human inspection to identify and classify security incidents. This was effective but limited, because it required a high level of expertise to manage security tools, and overloaded security staff.
Many modern security tools use machine learning techniques to automate security decision making, without requiring rules to be defined in advance. This can save a lot of time for security teams and result in a faster and more accurate response to threats.
A few examples of the use of machine learning in cyber security are:
Application Programming Interfaces (APIs) allow computing systems to communicate with each other and share data. An entire API economy has emerged that allows organizations to share data and software capabilities with each other.
While APIs provide a lot of value to organizations, they also represent a security risk. There is limited awareness of the importance of API security, and many API endpoints lack basic security measures. Unprotected endpoints can be manipulated by attackers to abuse the service behind the API, and can also serve as an entry point to an organization’s critical systems.
In the past few years, dedicated API security solutions have emerged that help organizations lock down API endpoints, protect them from malicious traffic, and defend against DDoS attacks. The OpenAPI initiative helps organizations define their APIs in a standardized way, making it possible to enforce a security policy built around the capabilities an API actually declares.
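The following is an added example, not code from the article or from the OpenAPI project, of how a gateway can turn an API description into an enforceable policy: requests for undeclared paths or methods are denied by default, path parameters are checked against their declared schema, and the operation's security requirements (here a bearer token with scopes) must be satisfied. The SPEC dictionary uses a subset of the OpenAPI 3 layout; the endpoints, scopes and the `enforce` function are assumptions made for the illustration.

```python
import re

# Constructed description of a small API, using a subset of the OpenAPI 3 layout
# (paths -> operations -> parameters/security). Endpoint and scope names are made up.
SPEC = {
    "paths": {
        "/orders/{id}": {
            "get": {
                "parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}],
                "security": [{"bearer": []}],                 # any valid token
            },
            "delete": {
                "parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}],
                "security": [{"bearer": ["orders:write"]}],   # token must carry this scope
            },
        },
        "/health": {"get": {"security": []}},                 # explicitly public
    }
}


def _template_to_regex(template):
    """Turn an OpenAPI path template such as /orders/{id} into an anchored regex."""
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")


def _matches_schema(value, schema):
    """Minimal type check for path parameters (values arrive as strings from the URL)."""
    if schema.get("type") == "integer":
        return re.fullmatch(r"-?\d+", value) is not None
    return True


def enforce(spec, method, path, authenticated=False, scopes=frozenset()):
    """Return (allowed, reason). Anything the description does not declare is denied."""
    for template, operations in spec["paths"].items():
        match = _template_to_regex(template).match(path)
        if not match:
            continue
        op = operations.get(method.lower())
        if op is None:
            return False, f"{method} is not defined for {template}"
        for param in op.get("parameters", []):
            if param["in"] == "path" and not _matches_schema(match.group(param["name"]), param.get("schema", {})):
                return False, f"path parameter {param['name']} violates its schema"
        # An operation-level 'security' list overrides the global one; an empty list means public.
        requirements = op.get("security", spec.get("security", []))
        if requirements:
            if not authenticated:
                return False, "authentication required"
            if not any(set(needed).issubset(scopes) for alt in requirements for needed in alt.values()):
                return False, "token lacks a required scope"
        return True, "allowed"
    return False, "path is not in the API description (deny by default)"
```

The deny-by-default return at the end is the point: a gateway that only blocks what it recognises as bad leaves every forgotten or undocumented endpoint exposed, whereas one driven by the description only lets through what the API was designed to offer.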
Bots are systems that access websites and perform automated actions. Some bots are legitimate, for example, the Googlebot crawls websites in order to add them to Google’s search index. But other bots are malicious, used by threat actors to launch attacks against millions of vulnerable websites.
Bots account for 58% of web traffic today, and a full 22% of web traffic is attributed to bad bots. Bad bots can be installed on end-user devices compromised by attackers, forming massive botnets. These devices might be home computers, servers, and IoT devices such as game consoles or smart TVs. Attackers leverage networks of compromised devices to launch DDoS and many other types of attacks.
Bot management systems help organizations identify unwanted bot traffic and filter it out, while allowing legitimate bot traffic and user traffic to continue uninterrupted. To do this, they need to identify bad bots, using a variety of methods like:
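As an added example (not code from the article or any bot-management product), the script below applies three of the usual identification methods to constructed web-server log lines in the common combined format: request rate per client, hits on a path that robots.txt disallows and that no visible link points to (a well-behaved crawler and a human browser never reach it), and whether the user agent claims to be a known crawler. The log lines, the trap path, the rate threshold and the crawler list are all assumptions for the illustration; a production system would additionally verify a crawler claim via reverse DNS rather than trusting the user-agent string.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed policy inputs (assumptions, not from the article):
TRAP_PREFIXES = ("/private-trap/",)          # Disallowed in robots.txt, never linked from a page
KNOWN_CRAWLERS = ("Googlebot", "Bingbot")    # substrings that legitimate crawlers put in their UA
MAX_REQ_PER_SEC = 5.0                        # sustained rate no human browsing session reaches


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify_clients(lines):
    """Group requests by client IP and label each client human, good_bot or bad_bot."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in per_ip.items():
        times = sorted(r["time"] for r in recs)
        span = max((times[-1] - times[0]).total_seconds(), 1.0)
        rate = len(recs) / span
        trap_hits = sum(r["path"].startswith(TRAP_PREFIXES) for r in recs)
        claims_crawler = any(c in r["ua"] for r in recs for c in KNOWN_CRAWLERS)
        reasons = []
        if trap_hits:
            reasons.append(f"{trap_hits} request(s) to a robots.txt-disallowed trap path")
        if rate > MAX_REQ_PER_SEC:
            reasons.append(f"{rate:.1f} req/s exceeds {MAX_REQ_PER_SEC}")
        if reasons:
            label = "bad_bot"
        elif claims_crawler:
            label = "good_bot"   # production: also confirm the claim via reverse DNS
        else:
            label = "human"
        verdicts[ip] = {"label": label, "requests": len(recs), "rate": round(rate, 2), "reasons": reasons}
    return verdicts


# --- constructed sample traffic: a browser, a crawler, and a scraper hammering the catalogue ---
def _line(ip, second, path, ua, status="200"):
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SCRAPER_UA = "python-requests/2.31"

SAMPLE_LOG = [
    _line("203.0.113.10", 36, "/", BROWSER_UA),
    _line("203.0.113.10", 41, "/pricing", BROWSER_UA),
    _line("203.0.113.10", 52, "/contact", BROWSER_UA),
    _line("198.51.100.7", 36, "/robots.txt", GOOGLEBOT_UA),
    _line("198.51.100.7", 39, "/blog", GOOGLEBOT_UA),
    _line("198.51.100.7", 45, "/blog/post-1", GOOGLEBOT_UA),
    _line("192.0.2.55", 36, "/private-trap/", SCRAPER_UA, "404"),
] + [_line("192.0.2.55", 36 + i % 3, f"/product?id={i}", SCRAPER_UA) for i in range(30)]

if __name__ == "__main__":
    for ip, v in classify_clients(SAMPLE_LOG).items():
        print(ip, v)
```

Note that each signal on its own is weak (a fast corporate proxy can exceed the rate, and a crawler can spoof its user agent); bot-management products combine many such signals, which is why the verdict carries its reasons rather than just a label.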
File security is critical to ensure sensitive data has not been accessed or tampered with by unauthorized parties, whether internal or external. Many compliance standards require that organizations put in place strict control over sensitive data files, demonstrate that those controls are in place, and show an audit trail of file activity in case of a breach.
File security technology can automatically identify suspicious file activity, which may represent an attempt at data exfiltration, a ransomware attack, or even a careless user deleting files by mistake or copying them to an insecure location.
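The three behaviours named above can be caught from a file-activity audit trail with simple windowed rules. The following is an added example, not the article's own or any vendor's code: it runs over a constructed stream of audit events (the event fields, the sensitive share path, the untrusted destinations and the thresholds are all assumptions) and raises one alert per user and rule for a burst of deletes, a burst of renames to an unknown extension (the classic encryption pattern), and a copy from the sensitive share to removable or synced storage.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(seconds=60)       # sliding window for burst detection (assumed policy)
BURST_THRESHOLD = 20                 # events within WINDOW that count as a burst
SENSITIVE_ROOT = "/srv/finance/"     # constructed path of the monitored share
UNTRUSTED_DESTINATIONS = ("/media/", "/mnt/usb/", "/home/shared-sync/")
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".csv", ".txt"}


def detect_suspicious_activity(events):
    """Return one alert per (user, rule): mass_delete, ransomware_rename_burst, copy_to_untrusted_location."""
    recent = defaultdict(deque)      # (user, signal) -> timestamps seen within WINDOW
    alerts, fired = [], set()

    def bump(user, signal, ts):
        q = recent[(user, signal)]
        q.append(ts)
        while ts - q[0] > WINDOW:    # drop events older than the window
            q.popleft()
        return len(q)

    def raise_alert(user, rule, detail):
        if (user, rule) not in fired:  # one alert per user and rule, not one per event
            fired.add((user, rule))
            alerts.append({"user": user, "rule": rule, "detail": detail})

    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, action, ts = e["user"], e["action"], e["ts"]
        if action == "delete":
            if bump(user, "delete", ts) >= BURST_THRESHOLD:
                raise_alert(user, "mass_delete", f"{BURST_THRESHOLD}+ deletes within {WINDOW.seconds}s")
        elif action == "rename":
            new_ext = PurePosixPath(e["dest"]).suffix
            if new_ext not in KNOWN_EXTENSIONS and bump(user, "odd_rename", ts) >= BURST_THRESHOLD:
                raise_alert(user, "ransomware_rename_burst", f"many files renamed to {new_ext}")
        elif action == "copy":
            if e["path"].startswith(SENSITIVE_ROOT) and e["dest"].startswith(UNTRUSTED_DESTINATIONS):
                raise_alert(user, "copy_to_untrusted_location", f"{e['path']} -> {e['dest']}")
    return alerts


# --- constructed audit events (not real data); the field set is an assumption ---
def _t(sec):
    return datetime(2023, 10, 10, 9, 0, 0) + timedelta(seconds=sec)

def _event(sec, user, action, path, dest=None):
    return {"ts": _t(sec), "user": user, "action": action, "path": path, "dest": dest}

SAMPLE_EVENTS = (
    [_event(s, "alice", "read", f"/srv/finance/q3/report_{s}.xlsx") for s in (5, 40, 300)]   # normal work
    + [_event(310, "alice", "delete", "/srv/finance/q3/draft.docx")]                            # a single delete
    + [_event(100 + i, "bob", "rename", f"/srv/finance/q3/report_{i}.xlsx",
              f"/srv/finance/q3/report_{i}.xlsx.locked") for i in range(25)]                   # encryption pattern
    + [_event(500, "carol", "copy", "/srv/finance/payroll.csv", "/media/usb0/payroll.csv")]    # exfiltration
    + [_event(700 + 2 * i, "dave", "delete", f"/srv/finance/archive/old_{i}.pdf") for i in range(22)]
)

if __name__ == "__main__":
    for alert in detect_suspicious_activity(SAMPLE_EVENTS):
        print(alert)
```

Alice's one deletion and her reads produce nothing, which is the property the thresholds are tuned for: the rules look for rate and destination, not for any single action being forbidden.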
Historically, many organizations adopted Application Security Testing (AST) tools that automatically scanned application code for code quality issues and software vulnerabilities. Today, many organizations are shifting to Runtime Application Self-Protection (RASP), which scans and monitors application code in real time, when it is running in production.
RASP is deployed together with a web application. It monitors traffic and user behavior, and if it detects an issue, it can block specific user requests and alert security staff. RASP does not rely on specific attack signatures, and is able to block entire categories of attacks.
The unique element of RASP is that it leverages inside knowledge of an application’s source code. It knows how an application behaves and can detect attacks that leverage weaknesses in the code, like code injection and exploits of known vulnerabilities.
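To make the mechanism concrete, here is an added example (not code from the article or from any RASP product) of the kind of check a RASP layer can perform when it sits between the application and its database: for every statement, it checks whether any value from the current request appears in the SQL text and, if so, whether that value contributes more than a single literal to the statement's token structure. Because the guard is wired into the application, it needs no attack signature; any input that alters the statement shape is blocked and recorded, whether it came from a known payload or not. The `RaspGuard` class, the tokenizer and the two handlers are assumptions built for the illustration, using Python's standard sqlite3 module as the database.

```python
import re
import sqlite3

# Crude SQL lexer: string literals, numbers, identifiers/keywords, single punctuation chars.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]")


def sql_tokens(sql):
    return TOKEN_RE.findall(sql)


def input_alters_structure(sql, value):
    """True if a request input is present in the statement and changes its token structure.

    The input is swapped for a neutral word; if it had stayed inside one literal, the token
    count is unchanged. If it broke out of the literal (or out of a numeric operand), the
    counts differ.
    """
    if value not in sql:
        return False
    neutral = sql.replace(value, "xx")
    return len(sql_tokens(neutral)) != len(sql_tokens(sql))


class RaspGuard:
    """Wraps a DB connection; every statement is inspected against the request's inputs."""

    def __init__(self, conn):
        self.conn = conn
        self.alerts = []   # what would be forwarded to security staff

    def execute(self, sql, params=(), request_inputs=None):
        for name, value in (request_inputs or {}).items():
            if isinstance(value, str) and len(value) > 1 and input_alters_structure(sql, value):
                self.alerts.append({"param": name, "value": value, "sql": sql})
                raise PermissionError(f"RASP blocked request: parameter {name!r} alters SQL structure")
        return self.conn.execute(sql, params)


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(guard, request):
    """Legacy handler that concatenates input into SQL; the guard is all that protects it."""
    sql = f"SELECT name, role FROM users WHERE name = '{request['name']}'"
    return guard.execute(sql, request_inputs=request).fetchall()


def find_user_fixed(guard, request):
    """Parameterised handler; the input never enters the statement text, so there is nothing to block."""
    return guard.execute("SELECT name, role FROM users WHERE name = ?", (request["name"],),
                         request_inputs=request).fetchall()


def demo():
    """Run a benign request, a structure-altering one, and the fixed handler with the same input."""
    guard = RaspGuard(setup_db())
    results = {"benign": find_user_vulnerable(guard, {"name": "bob"})}
    try:
        find_user_vulnerable(guard, {"name": "x' OR '1'='1"})
        results["injection"] = "allowed"
    except PermissionError:
        results["injection"] = "blocked"
    results["fixed"] = find_user_fixed(guard, {"name": "x' OR '1'='1"})
    results["alerts"] = len(guard.alerts)
    return results


if __name__ == "__main__":
    print(demo())
```

The `find_user_fixed` handler shows the complementary point: RASP buys time for code that cannot be fixed immediately, but the durable remedy is still to keep untrusted input out of the statement text.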
As organizations undergo digital transformation and move mission-critical workloads to the cloud, cloud security becomes an essential part of a cyber security strategy. Securing the cloud is a challenge, because cloud-based systems do not have a traditional security perimeter, and can provide attackers access to almost every aspect of the IT environment.
Organizations must understand the division of responsibility between themselves and their cloud provider, and correctly configure security features offered by the cloud provider, in particular network isolation features like Virtual Private Cloud (VPC). They must also have a robust Identity and Access Management (IAM) solution – a way to define user accounts, roles and access control policies.
When deploying hybrid cloud or multi-cloud infrastructure, which connects private and public clouds, or multiple public clouds, organizations must ensure security is consistent across all their cloud environments, and pay special attention to the integration points between them.
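Because misconfiguration of IAM and network isolation is the customer's side of the shared-responsibility line, it is worth checking those settings automatically. The script below is an added example, not the article's or any cloud provider's code: it audits a constructed IAM policy document (in the AWS JSON policy layout, with placeholder resource names) for wildcard actions and unconditioned all-resource grants, and a constructed set of VPC security-group style ingress rules for administrative ports reachable from the whole internet, showing the weak configuration next to its scoped replacement. The rule shape and the port list are assumptions.

```python
import ipaddress

# Constructed IAM policy documents (AWS JSON policy layout; bucket names are placeholders).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}      # full admin, everywhere
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports-bucket",
                      "arn:aws:s3:::example-reports-bucket/*"]}
    ],
}

# Constructed security-group style ingress rules for a VPC subnet.
WEAK_INGRESS = [
    {"port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"},       # SSH from anywhere
    {"port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},     # public HTTPS, acceptable
]
SCOPED_INGRESS = [
    {"port_from": 22, "port_to": 22, "cidr": "10.20.0.0/24"},    # SSH only from the jump-host subnet
    {"port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},
]

ADMIN_PORTS = {22, 3389, 3306, 5432}   # SSH, RDP, MySQL, PostgreSQL (assumed list)


def _as_list(value):
    """IAM fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy):
    """Flag Allow statements that grant wildcard actions or apply to every resource unconditionally."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources and "Condition" not in st:
            findings.append(f"statement {i}: applies to all resources with no Condition")
    return findings


def audit_ingress(rules):
    """Flag rules that expose administrative ports to the entire internet (prefix length 0)."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r["cidr"], strict=False)
        exposed = {p for p in ADMIN_PORTS if r["port_from"] <= p <= r["port_to"]}
        if exposed and net.prefixlen == 0:
            findings.append(f"ports {sorted(exposed)} open to {r['cidr']}")
    return findings


if __name__ == "__main__":
    print("weak policy:", audit_policy(WEAK_POLICY))
    print("scoped policy:", audit_policy(SCOPED_POLICY))
    print("weak ingress:", audit_ingress(WEAK_INGRESS))
    print("scoped ingress:", audit_ingress(SCOPED_INGRESS))
```

Running such checks in the deployment pipeline, across every cloud account an organization uses, is one practical way to get the consistency across environments that the paragraph above calls for.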
Organizations collect a huge volume of logs and events from IT systems and security tools. It is now common, even in small to medium organizations, to use Security Information and Event Management (SIEM) to aggregate security data and create alerts for security teams.
The sheer number of alerts, together with the chronic shortage of security staff at many organizations, results in alert fatigue. Security teams receive thousands of alerts at all hours of the day, making it difficult to sift through the alerts and identify real security incidents.
The problem is not new and there are several approaches to mitigating alert fatigue. For example, organizations implement threat intelligence to identify when an alert correlates with a signature or attack pattern of a known attacker. Machine learning approaches like User and Event Behavioral Analytics (UEBA) help identify unusual behavior, and automatically score it to identify events that are more likely to be malicious.
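The behavioural scoring idea can be shown end to end on constructed login events. The following is an added example, not the article's own code or any UEBA product's algorithm: it builds a per-user profile of normal login hours, source countries and hosts from a week of constructed successful logins, scores each new event by how far it deviates from that user's own profile, and aggregates the scores per user so that the riskiest users rise to the top of the queue instead of each event becoming an equal-weight alert. The event fields, weights and thresholds are assumptions made for the illustration; real systems learn the weights rather than fixing them by hand.

```python
from collections import defaultdict
from datetime import datetime

# Reason -> weight; values are assumed for the illustration, not learned.
WEIGHTS = {"off_hours": 2, "new_country": 4, "new_host": 3, "failed_login": 1, "no_baseline": 5}


def build_baseline(events):
    """Profile each user's usual hours, source countries and hosts from successful logins."""
    profile = defaultdict(lambda: {"hours": set(), "countries": set(), "hosts": set()})
    for e in events:
        if e["outcome"] == "success":
            p = profile[e["user"]]
            p["hours"].add(e["ts"].hour)
            p["countries"].add(e["country"])
            p["hosts"].add(e["host"])
    return profile


def score_event(e, baseline):
    """Return (score, reasons): how far this event deviates from the user's own profile."""
    p = baseline.get(e["user"])
    if p is None:
        return WEIGHTS["no_baseline"], ["no_baseline"]   # never seen this user succeed before
    reasons = []
    if e["ts"].hour not in p["hours"]:
        reasons.append("off_hours")
    if e["country"] not in p["countries"]:
        reasons.append("new_country")
    if e["host"] not in p["hosts"]:
        reasons.append("new_host")
    if e["outcome"] != "success":
        reasons.append("failed_login")
    return sum(WEIGHTS[r] for r in reasons), reasons


def rank_alerts(new_events, baseline):
    """Score every event, then aggregate per user so analysts see the riskiest users first."""
    scored, per_user = [], defaultdict(int)
    for e in new_events:
        score, reasons = score_event(e, baseline)
        scored.append({"user": e["user"], "ts": e["ts"], "score": score, "reasons": reasons})
        per_user[e["user"]] += score
    scored.sort(key=lambda a: a["score"], reverse=True)
    ranking = sorted(per_user.items(), key=lambda kv: kv[1], reverse=True)
    return scored, ranking


# --- constructed login events (not real data); the field set is an assumption ---
def _ev(day, hour, user, country, host, outcome="success"):
    return {"ts": datetime(2023, 10, day, hour, 0), "user": user,
            "country": country, "host": host, "outcome": outcome}

BASELINE_EVENTS = (
    [_ev(d, h, "alice", "DE", "ws-alice") for d in range(1, 8) for h in (8, 12, 17)]
    + [_ev(d, h, "bob", "DE", "ws-bob") for d in range(1, 8) for h in (9, 13, 18)]
)

NEW_EVENTS = [
    _ev(9, 12, "alice", "DE", "ws-alice"),               # routine
    _ev(9, 20, "alice", "DE", "ws-alice"),               # unusual hour only
    _ev(9, 3, "bob", "RU", "db-prod-01", "failure"),     # off-hours, new country, new host, failed
    _ev(9, 3, "bob", "RU", "db-prod-01", "failure"),
    _ev(9, 3, "bob", "RU", "db-prod-01", "failure"),
    _ev(9, 3, "bob", "RU", "db-prod-01"),                # then a success
]

if __name__ == "__main__":
    scored, ranking = rank_alerts(NEW_EVENTS, build_baseline(BASELINE_EVENTS))
    print("per-user ranking:", ranking)
    for a in scored:
        print(a)
```

Alice's late-evening login scores low enough to sit far below Bob's sequence, which is the alert-fatigue effect the paragraph describes in reverse: the same raw events, ordered by deviation from each user's own normal, let a small team look at the few that matter first.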