By Dr. Aviv Yehezkel, co-founder and CTO, Cynamics
From hospitals to schools to meat packing plants, no industry is insignificant to ransomware attackers. Ransomware will cost U.S. companies $3.68 billion this year alone. Network and security operators need high-level network coverage to prevent and mitigate ransomware attacks. The increasing complexity of architectures, which now include legacy on-premises, virtual and cloud components running on the same network, has made complete visibility almost impossible. The status quo isn’t working. A new approach is needed.
Current solutions can’t meet network demands
In addition to becoming more complex, networks have also increased in size, scale and volume. Across sectors, these networks handle massive amounts of data that continue to grow in volume and involve more endpoints, more connectivity (internal and external) and more network sites (physical and/or logical). While networks are increasing exponentially in scale and complexity, most security solutions still rely on traditional approaches such as appliances and agents, which were not designed for these levels of complexity or these volumes of data.
Current network detection and response (NDR) solutions are still based on an approach meant for the networks of a simpler time. The solutions are laborious, expensive to implement and decreasingly effective. They entail placing appliances, sensors and/or probes that collect and analyze the network data. However, it isn’t possible to cover the entire network with these appliances: they require analysis of 100% of the network data, which isn’t practical. That forces companies to compromise every day by limiting coverage and detection to small portions of their network, leaving most of the network a vulnerable blind spot.
In addition, most NDR providers use an appliance-based approach that relies on taps or SPAN ports to analyze network traffic. This doesn’t scale easily, and it expands an organization’s attack surface: an appliance with access to the core of the client network is itself a potential backdoor, as was demonstrated so many times last year during the supply-chain-attack “pandemic.” In today’s interconnected digital environment, this approach fails to provide sufficient transparency across increasingly complex smart networks and leaves organizations vulnerable to blind spots.
Issues with visibility and novelty
The majority of ransomware attacks start with a network breach, typically made possible by a vulnerability in the network perimeter. The bad actors then move through your network, hopping from one place to another and trying to maximize damage, until they have infected enough hosts to be used for the attack. They will find the blind spots that aren’t being monitored: when you leave areas uncovered, you create a lot of room for cybercriminals to sneak in.
There’s another significant issue, as well: with most detection solutions, novelty goes unnoticed. They are trained to look for very specific signatures and rules associated with known ransomware activities. But new variations and types of ransomware attacks are being developed all the time – and even a slight change from the signatures these tools are trained to detect and flag can cause the attack to go unnoticed.
The role of AI and ML
Human analysts, however smart and capable they may be, simply cannot monitor today’s networks on their own – and you can’t cover the full network with appliances and agents. But leaving portions of your network uncovered is not an option. Attackers and cybercriminals are always on the lookout for ways to infiltrate and sneak inside.
How can you overcome these challenges? AI and machine learning (ML) techniques can play a key role in network detection and response. ML can be used to infer the behavior of the full network traffic from a sample of just a small fraction of it. It can then automatically learn whether a network pattern is legitimate or suspicious and autonomously “understand” changing trends in the network.
What makes ML and AI so helpful is their ability to find the hidden patterns that signal attacks, revealing what’s really taking place on networks in real time. This eliminates the impractical and costly need to cover the entire network with appliances. It also helps address the issue noted above: the ongoing evolution of new forms of ransomware attacks that signature-based tools miss.
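As an added illustration of the sample-based idea described above (not Cynamics’ code or method), the following Python sketch scales 1-in-N sampled flow records up to estimate per-host traffic volume, learns a per-host baseline over several time windows, and flags a host whose estimated volume and peer fan-out jump in a later window, the kind of lateral spread the previous section describes. The sampling ratio, addresses and flow records are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed exporter sampling ratio (1-in-N packets, sFlow-style); constructed value.
SAMPLING_RATE = 1000

def build_sampled_records():
    """Constructed sampled flow records: (window, src, dst, sampled_packets)."""
    records = []
    for w in range(1, 6):                          # windows 1-5: baseline behaviour
        for i in range(3):                         # 10.0.1.10 talks to three servers
            records.append((w, "10.0.1.10", f"10.0.2.{i + 1}", 20 + i + w))
        records.append((w, "10.0.1.20", "10.0.2.1", 15))
    for i in range(40):                            # window 6: 10.0.1.10 fans out widely
        records.append((6, "10.0.1.10", f"10.0.3.{i + 1}", 5))
    records.append((6, "10.0.1.20", "10.0.2.1", 16))
    return records

def estimate_per_window(records, rate=SAMPLING_RATE):
    """Scale sampled packets by the sampling ratio; fan-out is distinct peers seen."""
    pkts, peers = defaultdict(int), defaultdict(set)
    for w, src, dst, n in records:
        pkts[(src, w)] += n * rate
        peers[(src, w)].add(dst)
    return {k: {"est_packets": pkts[k], "fanout": len(peers[k])} for k in pkts}

def learn_baseline(stats, train_windows):
    """Per-source (mean, std dev) of each metric over the training windows."""
    series = defaultdict(lambda: defaultdict(list))
    for (src, w), metrics in stats.items():
        if w in train_windows:
            for name, value in metrics.items():
                series[src][name].append(value)
    return {src: {n: (mean(v), pstdev(v)) for n, v in m.items()} for src, m in series.items()}

def score_window(stats, baseline, window, z_threshold=3.0, rel_floor=0.2):
    """Flag (src, metric) pairs deviating from baseline by more than z_threshold std devs.
    The floor (a fraction of the mean) stops very stable hosts alerting on tiny changes."""
    alerts = []
    for (src, w), metrics in stats.items():
        if w != window or src not in baseline:
            continue
        for name, value in metrics.items():
            mu, sd = baseline[src][name]
            z = (value - mu) / max(sd, rel_floor * mu, 1e-9)
            if z > z_threshold:
                alerts.append((src, name, value, round(z, 1)))
    return sorted(alerts)
```

Distinct-peer counts recovered from samples undercount the true fan-out, so the sketch treats them as a relative signal against each host’s own baseline rather than as an absolute estimate.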
Ransomware is unrelenting. It’s obvious at this point that legacy security solutions aren’t working or keeping pace with the evolving threat landscape. It’s a scourge that costs organizations billions of dollars; it seems unstoppable, yet it must be stopped. But that’s easier said than done when most networks are becoming increasingly complex and include a mix of legacy and new components.
Cybercriminals are making the most of AI, so network operators need to, as well. A new security strategy should include AI-driven, sample-based NDR. Solutions of this kind use a small portion of network traffic to learn what’s normal for the whole network, enabling visibility that’s not otherwise possible. It’s an example of the kind of innovative solutions needed to stay ahead of ransomware and the many other network threats in operation today.