When you work in a security operations center, time matters. This has always been the case, obviously, but in recent years, the time intervals between successive cyber indicators have been reduced dramatically. A great irony, however, is that organizations generally miss early indicators of attacks, sometimes remaining cyber-ignorant for long periods of time, unaware that their data or intellectual property have been compromised. For this reason, platforms that are used by professional threat hunters must support this need to minimize incident and indicator response times.
It goes without saying that automation must be at the base of this design, but in addition, the use of artificial intelligence (AI)-based methods to detect, triage, and correlate cyber security attacks in enterprise networks can be a powerful means for rapid risk reduction as well. We recently connected with Hitesh Sheth, President and CEO of Vectra Networks, to better understand how all this can be accomplished on a modern platform. He was kind enough to share his views on automation, AI, machine learning, and other aspects of modern cyber security.
EA: Hitesh, what are some of the challenges of the modern security analyst in detecting threats to the enterprise?
HS: Whenever a new breach is reported, it’s instructive to review the time lag between the attacker’s successful intrusion and when their presence had been first detected. Typically, this interval is measured in months. The information security officers employed by government agencies and enterprises are not at fault here. These security professionals are typically well trained and have the best equipment and software at their disposal. So, it is reasonable to ask what is wrong. My belief is that they are overwhelmed by the deluge of security events occurring at a pace and scale that is almost impossible to manage. And this stream of attacks will not decrease; if anything, it will increase. Security operations teams will thus continue to be overworked and understaffed to support this burden. They are dealing with too much noise and low-fidelity signals, resulting in them getting burned out doing tedious work. This is not scalable.
EA: How important is it for security teams to rely on automation to detect advanced cyber attacks?
HS: Clearly, humans cannot deal with the flood of security events occurring in a typical enterprise, to sort real threats from pesky nuisances. Instead, humans must introduce machine learning and behavioral analysis – essentially artificial intelligence – to automate the hunt for threats, and perform triage, correlation and prioritization of threats inside enterprises. AI and automation augment the human analyst by putting the highest risk threats with rich context at their fingertips so they can act before the attacker causes damage. Once data is breached, there’s very little a company or agency can do to recover, regardless of how much money they spend on the effort. Once data is lost, it’s lost forever. What we can do, however, is make sure that we detect attacks as they are happening, leaving sufficient time to act.
EA: Tell us about how your platform utilizes artificial intelligence to improve attack detection and response.
HS: Vectra AI can spot malicious intruders instantly and inform the security operations team, with considerable precision, about what the attacker is doing. Vectra AI can detect the tools an attacker is using and can monitor those tools, as they might morph to improve concealment. Vectra AI can determine what data the hackers are focused on obtaining, and can learn how they plan to move it out of systems. The platform also includes the ability to stop this malicious activity – and it can support such mitigation in real-time.
EA: Do you see the biggest risks emerging from IoT, cloud, enterprise data centers, or perhaps all the above?
HS: All the above. Attackers do not see the world in silos. Instead, they focus on data and opportunities. The data lifecycle extends across IoT, cloud, and enterprise, so to locate an attacker, analysts need security visibility everywhere. It is not enough to have visibility in one area, but not in the other. For instance, Vectra has seen attackers hide on IoT devices to launch attack campaigns. We have also seen attackers hide in the virtual infrastructure of enterprise data centers. Cloud is just an extension of those datacenters with the same set of internal problems. You must watch them all.
EA: Hitesh, you have such a wonderful personal background in the network security industry. What advice do you have for young people who might be interested in a career in cyber security?
HS: Young people aspiring for a rewarding career in cybersecurity should view that as an avenue to be a force for good. The impact of cyber threat is pervasive across our day-to-day lives and is increasingly affecting geo-political situations. This creates an incredible opportunity for innovation for people who are willing to think outside the box.