Going beyond hype - How AI is rewriting the cybersecurity playbook

Tom discusses the current state of cyber security and the emerging threats in different environments. Attackers are taking advantage of the hybrid nature of environments, using native capabilities to move laterally and gain privileged access. Vectra's solution focuses on post-compromise behaviors rather than traditional detection techniques. They aim to identify patterns and behaviors that indicate an attack is taking place, assuming that preventative measures may fail. The goal is to detect and respond to intrusions in the environment. Okay, Tom, welcome to the Leading Edge as I'm Monica for the IT Wire. I'm delighted to be able to speak to you today about the paper that you've published on the piece of work that you've done. I just want to kick off with a general exploration of the current state, if you will, of cyber security. It's a very hot topic here in Australia because of the episode at Medibank and a similar episode at Optus, which probably played some part in the CEO at Optus losing her position. So it's a very pertinent topic for us to discuss. How do you see the domain at the moment, the threats that are emerging, how technology is evolving, and so on and so forth? Yeah, yeah. Well, first off, very much appreciate you having us on, Gareth. It's a pleasure is mine. We at Vectra really appreciate being able to share what we're seeing, our vision, how we're trying to tackle some of these problems with the audience, with IT Wire's audience. So thank you for that. Sure. Yeah. And as far as what we're seeing in terms of the domain, as well as, you know, we follow this very closely within our customer environments. We have a lot of data to work with from that. We've got a managed detection service as well that's managed detection and response service that we're actively monitoring our customers' environments through. And so we see a lot of activity from that. But we're also following reports from some of our partner, you know, cybersecurity vendors. And we're closely in tune with all of this and a consistent theme that we continue to see is just the hybrid nature of environments and how attackers are starting to take advantage of that. And, you know, the thing that expressly stands out is very interesting to me is, you know, in on-prem environments, like let's say in Windows Active Directory domains, for example, attackers have been in tune with the native capabilities available to them there for quite a while. And so they would leverage, you know, those native capabilities to do things like reconnaissance and lateral movement and generally persist in an environment, you know, kind of under the radar for extended periods of time. And with, you know, the attack surfaces expanding to the cloud, we've got, you know, the Identity Cloud and, you know, cloud infrastructure and other such things. They're finding that, you know, starting to realize that a lot of those, you know, native capabilities are available to them in different ways, you know, different native abilities that are available to them, but they can use them in the same sort of ways. And so, you know, we saw some recent attack scenarios where it started on-prem, but they leveraged the Okta agent in order to help them move to the Identity Cloud and really just get a lot of information about the users within the environment to move laterally to more privileged access within the environment. So that notion that, you know, this sort of hybrid attack surface of on-prem plus Identity Cloud plus infrastructure cloud, you know, all of these different elements, they all have their own, you know, sort of control plane, so to speak. And they're really becoming adept at using that to not only pivot, but also once they've pivoted, let's say from on-prem into the cloud, then they're also using it to further extend their reach there. Right. Okay. Okay. Moving forward as a vendor with that context is kind of the, that's the primary, you know, most difficult problem we think our customers are having to manage right now. Right. So it's dealing with these various different environments. And, you know, malevolent actors, if you will, they're able to break into one and then move throughout the whole ecosystem, if you will, by, you know, leveraging on that weakness there. So how do you think that your particular solution best addresses those, that your vision about the way in which the landscape is changing? How do you think you can best address that? Yeah. So, well, you know, one of the things that's a challenge for, for, you know, all the organizations that are trying to defend against this kind of thing is there's a degree of maturity that comes to play here. One of the topics there is, you know, lots of organizations are collecting the data that's available to them from these, you know, service providers. The problem is they're having a really difficult time deriving attack signal from it. And so that's one of the things that we can, you know, kind of create some leverage for them around. So, you know, in terms of how Vectra tackles that problem and how it's maybe different from what people are used to, there's, you know, traditional tooling that tends to focus on attacker tools and infrastructure. So they'll be looking for, you know, maybe specific exploits taking place or, you know, some known bad file being executed in the environment, something like that. Maybe some interaction with known bad infrastructure out on the internet. That's a lot of the, you know, common techniques that detection tooling uses. And if you think about, you know, the notion of what we were just talking about, sort of these native capabilities, you know, a lot of that tools and infrastructure-oriented detection technique is not effective when somebody is, you know, operating in a live-off-the-land sort of environment. Yeah, for sure. So what you're trying to do is identify, you know, I was looking at the paper, I haven't had to look at a hex dump for quite a few years, but it's a very highly technical thing. And so you're trying to really understand, I guess, what are, in some sense, an undifferentiated stream of bytes, whether that represents an attack or whether it's, you know, a benign, you know, byte. How do you detect the patterns that exist within those agents, as it were? Yeah, so that's a great kind of segue to come back to the report that is sort of the core of this conversation, right, is, you know, we're not necessarily looking for the exploit in and of itself within the Vectra platform. So that report actually served as, you know, sort of a good demonstration of how, you know, kind of traditional attack detection techniques are very challenging to get right. Yeah, yeah. The team at Proofpoint that puts out that emerging threats rule set, they put a lot, this is not intended to disparage them in any way whatsoever, like they put a lot of effort into making sure that they get those rules right. And it just so happens that it's a very, very difficult thing to be, it's, you know, as a security practitioner, I expect those rules that I'm implementing to be effective. But I also, you know, temper that expectation with, you know, a reasonable understanding that it's impossible to be 100% correct all of the time. For sure. Right. And so, you know, rather than try to solve the same problem that they're already trying to solve, we operate through a slightly different lens, which is to focus on the post compromise behaviors. And so what we're advocating for really is, you know, kind of a defense in depth concept, which is keep those, you know, keep that signature based tooling in place. And where we can, we'll, you know, either support it as we did with this report or augment it in some sort of way. But, you know, assuming for some reason that detection strategy falls short for a particular attack, maybe it's a zero day, right? Maybe it's a scenario like this where, you know, a known vulnerability is being exploited, but the exploit is being crafted in a way that is evasive to whatever existing detection mechanisms are in place, whatever existing signature. So we're sort of operating from the expectation that that's going to happen at some point, you know, one of those failures. And once the attacker gets their mitts into the environment, then we need to be able to identify the behaviors that they're engaging in that would expose their presence, right? And so that's, you know, kind of coming back to the question of how does Vectra do this differently from others? We're really looking at the behaviors in a post-compromise scenario. So signature based tooling tends to be more preventative in nature. Yeah. You know, detecting, detecting, if not preventing, then at least detecting the initial access point. Yeah. And we're assuming that's going to fail eventually. And, you know, you can never get it 100%, can you? So there's always going to be a case where there's going to be an intrusion, that you're going to have to deal with. Yeah, 100%. And this vulnerability was a great example of that. I mean, before Barracuda released the patch for this vulnerability, it was being actively exploited in the wild. Prior to a patch being available, that sort of hits the criteria for being a zero day kind of scenario, right? And so what we're doing is basically looking at, okay, assuming an attacker gets in and starts operating inside of an environment, they use some sort of zero day exploit, for example, at the point where they start then looking to extend their reach into that environment, they're going to have to engage in, you know, behaviors within the environment that are going to stand out, if you're looking for that sort of thing, which is challenging to look for, because most times they're using normal protocol, you know, activities or protocols, at least that are normal environment. Yeah. But they'll do it from machines that don't normally perform those actions. Right. I'll do it using accounts that don't normally perform those types of actions. So there are other, if you will, indicators that you can use, you put that together, and that gives you a sort of a pattern that you can then say, this is highly likely to be some sort of attack in that way. And then you can deal with that in that. That's right. All right. You got it. So it's a sort of assume breach kind of mentality that I think a lot of the industry has kind of come around to, you know, that notion that we're not going to be 100% effective from a preventative standpoint. So if that's the case, you know, then how do we, how do we, if we're going to assume breach, identify, you know, activities that an attacker is going to engage in once they are present in the environment. And there are a number of things that we can, we can do there using AI models, basically have the ability to identify, for example, in one of our sort of hallmark capabilities is to detect command and control traffic through HTTPS sessions. So, you know, assuming that it's an external adversary, they have to be controlling the machine inside of the environment in some manner. Oftentimes they'll do that using a reverse tunnel that's hidden inside of an HTTPS session. And they tend to be very effective at obscuring their, you know, command and control traffic. And that way it just blends in with all the rest of the encrypted traffic in the environment. So if you're not doing wholesale decryption of that traffic, then it's very difficult to identify their behavior. And in some cases, in a lot of cases, actually, even if you are decrypting the traffic, it's still difficult to identify their behavior because they, they really, they control both sides of that session, right? So they can make clients communicate with their command and control server in any manner they choose. And that may be able to be very evasive. But there's at some level, you know, a basic sort of communication pattern that has to happen through command and control. So, you know, you have to issue a command, you have to get the responses to that command back. For sure. Okay. So, sorry, Sam. No, I was just going to, that's kind of the key to, you know, this approach is, you know, at some level that the attacker is always having to move towards an objective and they're having to engage in activities that are going to help them achieve that objective. Yeah, yeah, yeah. And so those are the big issues we can, we can define models to spot. Okay. So obviously you've got the AI is obviously very front of mind for everybody at the moment. How in particular have you, are you using it as a kind of an evolution from your existing approaches that you've had in the past? Or is it introducing something that's really brand new for you as a, if you will, a cost effective tool that you can use in your work? Yeah, well, I'd say it's an evolution from what has traditionally been present in the cybersecurity industry, you know, most vendors, at least at the point where Vectra started. So we've been at this for well over a decade now. Actually, when we started, it was with the express purpose of leveraging AI to do cybersecurity detection. In fact, at this stage of the game, we have more patents using more AI based patents for doing cybersecurity based detection of threats than any other vendor on the planet. Right. So we've been at this for quite a while. But in the process of that, you know, we've done quite a bit of innovation around how you would leverage AI for this sort of thing. Right. Yeah. And that is, that is where I think the approach that Vectra takes is pretty novel compared to what a lot of other vendors are doing. You know, everybody talks about AI, but... Well, there's certainly plenty of talk, isn't there? Yeah. But how you apply it matters. And that's one of the things that we've learned and enabled us to be incredibly effective over that 10 year span. And, you know, the proof is in the pudding. We have large enterprise customers that come back and, you know, renew their contracts with us year over year because we're consistently helping them identify the most difficult attackers to make their way into the environment, you know. And so if we were to kind of just talk about AI for a second, I think it's an interesting conversation to have simply because it's been so front and center lately in the media storm, right? The hype cycle is, you know, sort of maximum generative AI. Oh, yeah. Yeah, for sure. Yeah, the volume's turned up to 11 at the moment. For sure. Yeah. Yeah. And it's interesting because, you know, I think everybody's looking at generative AI as a new capability that they can potentially apply to some difficult problems, right? But if you take a step back and look at, you know, some of the traditional approaches of AI, this isn't exhausted by any means, but there are three categories that you can break AI up into. One is that the generative AI that seems to be, like, grabbing all the headlines right now. And then you've also got this, like, classification type of AI, which, you know, basically is able to identify things or put them into categories, right? And then you've got more traditional anomaly detection types of AI. And from a cybersecurity standpoint, the primary type of AI that was applied across most vendors is kind of that anomaly detection based AI. So it's also different, you know, let's elevate that and get some attention or eyes on it, right? The problem with that is work tends to not be static, right? There's a lot of variability in people's work. Yeah. Like, you and I didn't do this interview yesterday. And while it's a pleasure, we're probably, to speak with you, we're probably not going to do this interview again tomorrow, right? Like, we're not living groundhog day. Yeah, for sure. So naturally, that the data that's present, that's being collected in these environments is going to reflect that variability. And the impact of that on anomaly detection models is that they tend to be very voluminous in terms of the number of alerts that they generate, right? And so, you know, some of the early attempts to do, you know, cybersecurity, you know, threat detection through anomaly based models kind of gave AI a bad rap, right? And so people, you know, had this, you know, impression that like, oh, yeah, there's a lot of talk in AI and machine learning and whatever else with respect to cybersecurity, but it just doesn't hold up to, you know, all the problems. Right, so it didn't deliver on the hype as it was basically. Yeah, exactly. But if you kind of, you know, take this from a much more academic approach and think like, okay, well, you know, you can't necessarily just take one class or one type of AI and apply it to all problems. Let's get a little bit more thoughtful about this and see if there are maybe, you know, different types of AI that we can apply in different ways to be a problem. And that was one of the, you know, primary breakthroughs that Vetra had as a research team. We've sort of realized that, hey, you know what, we can combine things like classification models and anomaly detection models and start to, you know, really increase the fidelity, you know, turn up the effectiveness of these things. And so, you know, the way we went about that is to say, like, yeah, there are definitely some instances where anomalies that are taking place in the environment are of particular interest. But we found that where they are of particular interest is when those anomalies tend to be classified as something that we know, like some kind of activity we know. Yeah, yeah, yeah, yeah. So, yeah, two sets of information coming together and you get something, two plus two is five kind of thing from that. Yeah, right. The sum is, yeah, greater than the whole of the parts, right? And so you have, you know, basically this notion that, you know, we've got these massive data sets where we can train a model and say, okay, this is what bad looks like, you know, behavioral standpoint. This is what good looks like from a behavioral standpoint. And a lot of times just out of that, when we see behaviors in the environment, it doesn't matter what tool the attacker is using to initiate that behavior. What's important is the behavior that follows, right? And so we can see that and just straight away from, you know, the behavioral-based classification know that, like, okay, this is suspicious, right? Then if you're in some instances, you can take that a step further and say, okay, well, is this thing that's potentially bad also unusual in the environment where some unsupervised learning that does that anomaly detection sort of stuff can, you know, be merged with your, you know, classification of known bad stuff to be able to really turn up the dial in terms of are reducing the number of occurrences that are going to be false positive, right? Yeah, for sure. That's one of the significant, you know, advantages that this approach can bring. So yeah, that's a key point, I think, isn't it? Is that you cannot afford to be spending your time concerned with things that are not ultimately going to be difficult as it were. It's exactly it. And when you look at the problem, you know, from a cybersecurity standpoint, there's already too much data, you know. Yeah, for sure, for sure. The solution over the years has always been more, right? Like the solutions, you know, it's a cat-and-mouse game, right? Where an attacker devises a new approach to target a particular environment or an attack surface. And then, you know, the solution of that is we're going to devise some new technology to be able to detect that activity or some new rules, you know, rule set. The point is that there's always some additive response to the threat landscape evolving, right? And when you already are dealing with something that has a massive amount of information and a massive amount of required knowledge and expertise, and then you just keep piling more onto that. It becomes completely unmanageable, isn't it? The burden of more, as we like to talk about here, just goes out of control, right? And so if you can, you know, attack that from a different perspective and say, you know, we're going to bring down that level of noise and focus on, you know, high-fidelity attack signal, you know, we can really constrain what, you know, a security team has to spend their time doing, right? Okay. Okay. Great stuff. So just thinking about, you know, business, I guess, and a marketplace here, are there any particular types of firms that you particularly target with your solution? Any characteristics of their businesses or issues that they have within their business? You know, are they in media? Are they dealing with a lot of signals from the outside world? Are they in finance when they have to be particularly concerned with, yeah, personal management of personal information or security of financial transactions? Where's your strong suit, as it were, do you think? Yeah. So we tend to operate across the board in the enterprise, across a plethora of industries. We have finance customers, we have healthcare customers, we have manufacturing customers. It's in particular, there's organizations that really have multiple attack surfaces that they have to manage. So if you take, for example, a healthcare or a hospital in particular, they're never not going to have an on-prem network. They just have to, right? There's no way that they're ever going to be able to get away from that. But that doesn't mean that they can't also embrace the cloud in some manner. For sure. Yeah, for sure. I mean, I'll give you an example of some work that I did for the, actually for the COVID app here. And there was some migration of applications across the health service in New South Wales, where some of those applications were going to private cloud, sorry, public cloud. And so your point about these different hybrid ecosystems, that was a significant issue for them because some of those applications, they had no choice but to go to public cloud because the application provider was no longer supporting on-prem provision. So they were forced into this situation where they had to deal with these different infrastructures. And it wasn't really a positive decision that they were able to take, to your point, healthcare, that they were sort of constrained into it, presented particular challenges. Right. And there are other, on the other end of that spectrum, it just doesn't make a lot of sense to manage identity and productivity suites on-prem anymore. To have your own on-prem mail suite, for example, it just doesn't make any sense at all. Especially with the degree of exposure that comes with that. And the vulnerability management that has to be done on something that's really mission critical. People have to have email, they have to have messaging, right? And so it just sort of naturally makes sense for people to migrate that kind of workload to the cloud, right? And so that's been pervasive over the last, let's say, five years. Every organization I've interfaced with is using some kind of cloud productivity suite provider, like Microsoft 365, the common one, right? But as you do that, now your attack surface gets more complicated. And from a cybersecurity standpoint, if you think of it this way, the move from on-prem to the cloud, it puts a new burden on the cybersecurity team because they've had something that they've learned to manage for quite a long time in terms of what types of alerts does the on-prem stuff generate? What types of things do we need to investigate? How do we respond to those things? And the moment you move to the cloud, that all changes because it's not a lift and shift transition that the log data that's being generated by 365 is fundamentally different from the log data that comes from your on-prem exchange server, for example. Absolutely. Yeah, yeah, yeah. And so whatever rules you had in place to deal with your on-prem exchange logs, all that goes out the window, right? And whatever processes that went along with those rules, they all have to be redefined, rewritten, et cetera. And so that's where we're seeing that transition consistently is creating challenges for teams. As I said in the beginning, the ability to derive high-value attack signals from that stuff is really, really challenging. So any organization that's in route of that kind of migration is really going to get substantial benefit from the AI capabilities that we bring to bear. We basically roll out an M365 solution for our customers that has pre-built models that already understand what the difference between good and bad is and a bunch of unsupervised learning mechanisms in there that then apply those classification models in a very learned and a way that's unique to your organization. Yeah, yeah. Okay, Tom. So I guess we've got to wrap up, but that's a really interesting point to conclude with there because what we can identify is that point of transition, as you say, from a situation for a business where they're looking, if you will, a cyber security team has got almost a very in-depth and particular knowledge of the systems that they've been dealing with on-prem and all of a sudden they're faced with new environments with which they have less control and less familiarity, if you want. They suddenly got to produce a coherent package out of those solutions covered by their cyber security regime, as it were. So that's a huge challenge with which you can assist, I guess. It is, and I think you just sort of subtly hit the nail on the head there, is that just because you have less control and maybe less knowledge or less expertise doesn't absolve you from the responsibility of keeping the environment secure, right? Absolutely, yeah. And every one of these cloud providers, if you're already in the cloud or moving to it, you should be looking at the shared responsibility model that's defined for the various cloud providers that you're working with, because there's this sort of notion that when you move to the cloud, they handle the security of it. And that's true to a degree, but you'll notice if you look at sort of the breakdown of the shared responsibility model from a cyber security standpoint with these cloud vendors, you'll find that that responsibility is sort of sliced in half, but it's more like 40% to the vendor, 60% to the customer. Yeah, everybody's looking for somebody to talk to you about a problem. They don't really care whether it's the cloud man or the this, that man. The cyber security team is going to be the front door to deal with those particular problems, aren't they? Absolutely. And the notion of shared, like they use that term pretty loosely. Sure, yeah, that's right. Okay, yeah. More of the burden falls on their customer than does on the, well, you know, I mean, I say that in terms of like, you know, you're still responsible for, you know, your credentials getting exposed and then those accounts being abused as a result, like the vendor has a tough time doing anything about that, you know. Oh, for sure, for sure. And so that's going to be on you, you know, and that applies across the board, whether we're talking about M365 or AWS or Google Cloud, you know, the conversation is the same with every single one of these Azure, you know, and so you take that and combine it with kind of the problem with respect to the network. You know, the network is still traditionally a very good point of entry for an attacker. Yeah. And then use that and pivot to the cloud and vice versa. They can start, you know, through identity and find a way to, you know, work into the network from there. Maybe that identity allows them VPN access into the on-prem network, right? And then, you know, so there's just so many different angles that this hybrid attack scenario really creates a problem. And then the other thing I'd say, I mean, just to tie a bow on this, generally large enterprises are going to have a problem of, you know, just a massive volume of data to try to deal with. Absolutely, yeah, yeah, yeah. And that's definitely something that we excel at. You know, you can really take that classification and anomaly detection type of AI and all of the, you know, sort of mature, unsupervised learning that we do, all the mature classification that we can do. We can do that at massive scale. So one of the things that's great about AI is we can build profiles of hundreds of thousands of entities in an environment, whether they're, you know, hosts or accounts, user accounts. We identify, you know, what this entity is in terms of based on how it behaves, you know, is it a privileged unit? Is it, you know, an administrator's host or machine workstation, right, that they're operating from? Is it a file server? Is it a domain controller? We can build all these profiles automatically with AI that you would have a really, really tough time building out manually. Yeah, I think actually I have to say that across maybe the last six months, when one is behind the hype of the AI, this organization of very large bodies of knowledge, huge volumes of data is something where that you can see that there may be some actual practical application, because there's no other way of doing it. The volumes are so huge. And so, well, it's just a matter of quantity. And AI is the only way, possibly the tooling that we have available to us, that enables to try and make sense of this and integrate it into some sort of manageable, as I say, body of knowledge. And what's interested me about this, this trying to handle these patterns of data that are flowing through, you know, organizations in enormous volumes, is how to actually try to understand that so you can control it and manage it. Right. And one of the reasons it's such a challenge is because of the unstructured nature of the data. So, you know, you're going to be dealing with data from lots of different sources. And data from your on-prem network is going to look different from your identity cloud, which is going to look different from your cloud infrastructure provider, right, your cloud service provider. And so, each one of these, and within each of those providers, they tend to have, you know, multiple sources where, you know, each data delivered is, again, going to be different. Right. And so, there's just, there's a massive amount of it. And it's really interesting. Generally, when you're talking about big data, you know, you're talking about high volume unstructured data is normally what classified as big data. It's got to be, you know, it's really the unstructured nature of it. But in cybersecurity, we're dealing with a big data times 365 kind of problem, right? Because every day is a new set of data, isn't it? A new massive volume of data. Yeah. And in some large enterprises, you know, it's a new big data problem every hour, because they're generating such large volumes. And when it's unstructured in nature like that, it becomes very, very challenging to find some value out of that data. And AI can really, you know, simplify that process for you, right? So, that's a another significant component of it. And, you know, that just really enables us to kind of relieve the burden for a lot of the security operations center or incident response team, any kind of incident investigator, right? You know, those are trying to figure out what are the things that I really ought to pay attention to. And so, like I said, we can build these profiles of, you know, hundreds of thousands of hosts. And, you know, over the course of a day or the course of a week, we can say, you know, hey, out of these hundreds of thousands of machines here, 10 this week, that are really doing some unusual stuff that you need to focus your attention into. And then we change that, that really fundamentally changes the nature of the work for the analyst or the investigator, because now they're not looking at discrete events. They're looking at sort of a portfolio of behaviors. Behaviors. Okay. All right. And they really the big picture, you know, and that's, I think, you know, aside from Vectra, I think, as a cybersecurity, you know, sort of community, that's much more how we need to be thinking and more of a holistic picture of, you know, entities, as opposed to, you know, operating on an alert by alert basis, which is okay, which is a completely different way of thinking now. Okay, so look, I think we probably have to wrap up now. I'd like to thank you for a really interesting conversation, I think, and it was a great paper that took from a very specific example of the way in which work is performed now. And that led to, I think, to a very, you know, general and all encompassing conversation about both your firm and the work that you're doing and, and the benefits that you can deliver to your customers. So I really appreciate the time that you've taken. I may be in the middle of the night where you are, of course. Yeah, anytime. It's my pleasure. We appreciate you having us. Thank you very much.