By Eyal Elyashiv, Founder and CEO, Cynamics
It’s estimated that ransomware damages will cost $20 billion this year, more than 50 times the estimate from just six years ago. No sector has been spared: in the past couple of years there have been attacks on schools, pipelines, agriculture and other critical infrastructure that society depends on to function.
To prevent and mitigate ransomware attacks, network and security operators need broad coverage of their networks. But with the increasingly “messy mix” of architectures, combining legacy on-premises, virtual and cloud components on the same network, gaining complete visibility has been almost impossible. It’s clear that the status quo isn’t working. A new approach is needed.
Today’s network demands outpace existing solutions.
Networks have grown in scale and complexity, and this is true across sectors. They carry ever-larger volumes of data and involve more endpoints, more connectivity (internal and external) and more network sites (physical and/or logical). While networks keep growing in scale and complexity, most security solutions still rely on traditional approaches such as appliances and agents, which were never designed for this level of complexity or these volumes of data.
While networks have become more complex, existing network detection and response (NDR) solutions are still based on the same age-old approach. They are laborious, expensive to implement and decreasingly effective. They entail placing appliances, sensors and/or probes that capture and analyze network data, and each covered segment must feed its full traffic to such a device. Covering the entire network this way is not practical, so organizations compromise on a daily basis: they limit coverage and detection to small portions of the network, which leaves most of it as a vulnerable blind spot.
What’s more, existing NDR vendors use appliances attached to SPAN or TAP ports to analyze network traffic. This appliance-based approach doesn’t scale easily, and every appliance sits in a privileged position with a view into the core of the client network, so it expands the organization’s attack surface and becomes a direct backdoor if the appliance or its vendor is compromised, as the wave of supply-chain attacks last year showed repeatedly. In today’s interconnected digital environment, this approach fails to provide sufficient transparency across increasingly complex networks and leaves organizations with blind spots.
Ransomware actors are seeking those blind spots.
Most ransomware attacks begin with an initial intrusion, often enabled by a vulnerability or exposed service at the network perimeter. From there the attackers move laterally through your network, hopping from host to host to maximize damage, until they have infected enough hosts to be used for the attack. The lack of complete visibility is a major issue because attackers will find the blind spots that aren’t being monitored. Every area you leave uncovered gives cybercriminals room to sneak in and move around unnoticed.
The other major problem is that most existing detection solutions look for very specific signatures and rules associated with known ransomware activity. But new variants and types of ransomware are being developed all the time, and even a slight deviation from the signatures these tools are built to flag can let an attack go unnoticed.
A new blueprint for NDR requires ML and AI.
Today’s networks are simply too complex for human analysts alone to monitor, and you can’t cover the full network with appliances and agents. As noted above, it’s neither practical nor possible. Yet leaving portions of your network uncovered is not an option: attackers and cybercriminals are always on the lookout for ways to infiltrate and creep inside unnoticed.
So how do you get around this problem and avoid the massive cybersecurity risk that blind spots create?
This is where AI and machine learning (ML) can play a key role in network detection and response. ML can be used to infer the behavior of the network’s full traffic from a sample of just a small fraction of it, much as packet sampling (one packet in N) on routers and switches lets an operator estimate whole-link volumes without capturing every packet. It can then learn automatically whether a network pattern is legitimate or suspicious and autonomously “understand” changing trends in the network.
AI and ML can be used to find the hidden patterns that precede attacks and anomalies, revealing what’s really taking place on the network in real time. This removes the impractical and costly need to capture and inspect every packet across the entire network. It also addresses the issue noted above about the ongoing evolution of ransomware: a behavioral baseline flags activity that departs from normal, whether or not it matches a known signature.
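To make the two ideas above concrete (inferring whole-network behavior from a sampled fraction of traffic, and flagging ransomware-style lateral movement by deviation from a baseline rather than by signature), here is a small added example. It is illustrative code written for this article, not Cynamics’ product code or any real NDR algorithm. The sampling rate, the internal address prefix, the set of lateral-movement ports and every flow record are assumptions constructed for the demo; the “model” is a deliberately simple per-host baseline and z-score, standing in for whatever learned model a real system would use.

```python
"""Sample-based lateral-movement detection over sampled flow records.

Added example, not Cynamics' code. Scales sampled packet counts up to a
whole-network estimate and flags hosts whose internal fan-out on lateral-movement
ports is far above their own learned baseline. All inputs are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

SAMPLING_RATE = 256                      # assumption: 1-in-256 packet sampling (sFlow-style)
INTERNAL_PREFIX = "10.0."                # assumption: the internal address range
LATERAL_PORTS = {445, 135, 3389, 5985}   # SMB, RPC, RDP, WinRM: typical lateral-movement ports


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int  # packets actually seen by the sampler, not the true total


def scale_up(sampled_packets: int, rate: int = SAMPLING_RATE) -> int:
    """Horvitz-Thompson estimate: each sampled packet stands for `rate` real packets."""
    return sampled_packets * rate


def fanout(flows: Iterable[Flow]) -> Dict[str, Tuple[int, int]]:
    """Per internal source: (distinct internal peers on lateral ports, estimated packets)."""
    peers = defaultdict(set)
    pkts = defaultdict(int)
    for f in flows:
        if not (f.src.startswith(INTERNAL_PREFIX) and f.dst.startswith(INTERNAL_PREFIX)):
            continue  # internal-to-internal only; external flows are out of scope here
        if f.dport not in LATERAL_PORTS:
            continue
        peers[f.src].add(f.dst)
        pkts[f.src] += scale_up(f.packets)
    return {s: (len(peers[s]), pkts[s]) for s in peers}


def anomalies(history: List[Dict[str, Tuple[int, int]]],
              current: Dict[str, Tuple[int, int]],
              z_threshold: float = 3.0, min_peers: int = 5) -> Dict[str, dict]:
    """Flag hosts whose current peer fan-out sits far above their per-host baseline.

    No ransomware signature is involved: a host that never talked to many peers
    on SMB/RDP/WinRM and suddenly does is suspicious regardless of the payload.
    """
    flagged = {}
    for host, (n_peers, est_pkts) in current.items():
        past = [w.get(host, (0, 0))[0] for w in history]   # 0 peers if unseen in a window
        mu, sigma = mean(past), pstdev(past)
        z = (n_peers - mu) / (sigma if sigma > 0 else 1.0)  # avoid divide-by-zero on flat history
        if n_peers >= min_peers and z >= z_threshold:        # min_peers suppresses noise on tiny counts
            flagged[host] = {"peers": n_peers, "baseline": mu,
                             "z": round(z, 2), "est_packets": est_pkts}
    return flagged


def synth_window(spec: Dict[str, int]) -> List[Flow]:
    """Constructed sampled flows: spec[src] distinct internal SMB peers, one sampled packet each."""
    return [Flow(src, f"10.0.9.{i}", 445, 1)
            for src, n in spec.items() for i in range(1, n + 1)]


# Constructed baseline: five earlier windows. 10.0.1.5 is a file server that normally
# reaches 3-4 hosts; 10.0.2.17 is a workstation that normally reaches 1-2.
HISTORY_SPECS = [
    {"10.0.1.5": 4, "10.0.2.17": 1},
    {"10.0.1.5": 3, "10.0.2.17": 1},
    {"10.0.1.5": 4, "10.0.2.17": 1},
    {"10.0.1.5": 4, "10.0.2.17": 2},
    {"10.0.1.5": 3, "10.0.2.17": 1},
]

# Constructed current window: the workstation suddenly reaches 12 internal hosts on 445.
# An external HTTPS flow and a quiet new host (10.0.3.9) are included and should not trigger.
CURRENT_FLOWS = synth_window({"10.0.1.5": 4, "10.0.2.17": 12, "10.0.3.9": 2}) + [
    Flow("10.0.2.17", "203.0.113.7", 443, 3),
]


def run_detection() -> Dict[str, dict]:
    history = [fanout(synth_window(s)) for s in HISTORY_SPECS]
    return anomalies(history, fanout(CURRENT_FLOWS))


if __name__ == "__main__":
    for host, info in run_detection().items():
        print(host, info)
```

Two practical caveats follow directly from the code. First, scaling by the sampling rate multiplies noise as well as signal: a host that sends fewer packets than the sampling interval in a window may not be sampled at all, so windows must be long enough, or the rate low enough, for the behavior you care about to appear in the sample. Second, the baseline is only as good as its history; a host whose “normal” already included scanning its neighbors will not stand out, so the baseline should be built from a period believed clean and revisited as the network changes.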
Changes for the better
Ransomware has flourished in the past year, and it’s clear that the status quo security solutions aren’t working or keeping pace with the evolving threat landscape. It’s a scourge that costs organizations billions of dollars; it seems unstoppable, yet it must be stopped. That’s easier said than done when most networks are becoming increasingly complex and include a mix of legacy and new components.
Bad actors are using AI in their own operations. To get the upper hand, operators need to fight fire with fire and adopt a new approach that includes AI-driven, sample-based NDR. Such solutions learn from a small sample of network traffic what the network’s full traffic looks like and how it “normally” behaves, creating the kind of visibility and coverage that’s simply not possible otherwise. Bad actors continue to innovate, and organizations need to keep adopting innovative solutions to defeat them. AI- and ML-based network detection and response offer today’s network operators new opportunities to get ahead of the problem.