The challenge security teams face is that the traditional approach to defending against malware can’t keep up with the daily barrage of new malware in circulation, no matter how diligently security companies update their software.
“The traditional AV world has known for probably 15 years or more that they can’t keep up with creating signatures for every single type of malware or attack that there is,” said Brian Robison, Chief Evangelist at BlackBerry.
Attackers continually create new malware, variations on malware and new techniques for gaining access to networks. Between 300,000 and 500,000 samples of new malware are created every single day. “You’d have to employ thousands of researchers writing signatures to keep on top of even Monday’s threats, let alone Tuesday’s and Wednesday’s and Thursday’s,” he said.
Cybersecurity providers have addressed the evolving malware threats by adding layers of security, such as host-intrusion protection and behavioral analysis, to generally good, though limited, effect.
“Signature-based, traditional AV does very, very well against known malware,” Robison said. But it is unknown malware, including zero-day exploits, that lies behind many of today’s most pernicious threats.
For example, zero-day attacks — which exploit previously unknown vulnerabilities — have become increasingly common. WatchGuard reported that 67% of all cyberthreats in the second quarter of 2020 were zero-day exploits.
“For all the improvements the cybersecurity industry has made,” Robison said, “we are still stuck in a detect-and-respond paradigm based on getting hit first, then initiating an endless loop of getting a sample, analyzing it, assigning a signature and releasing a software update.”
For state and local agencies with limited staff and resources, it’s impossible to keep up.
Solution: Artificial Intelligence
Agencies need a new approach based on prevention.
“The only way to stay ahead of malware-based attacks is to create a predictive capability where you can learn from history to predict the future,” Robison said. “And that is precisely what machine learning and artificial intelligence are absolutely fantastic at doing.”
Many high-profile attacks — such as the recent ones involving SolarWinds and Microsoft, or even going back to the infamous Office of Personnel Management (OPM) attack of 2015 — have involved systems that traditional security products and services protected, albeit with some holes in how they were implemented. But they also didn’t see the attacks coming.
“Those products failed to predict the malware that was used to exploit the system because the world had never seen it before — until there’s a sacrificial lamb,” Robison said. An AI-driven system would have made a difference.
AI systems can review and analyze millions of features instantly and recognize patterns and draw on historical behaviors to discern good from bad — even if it’s something that has never been seen before. This makes it possible for AI to recognize previously unknown threats and prevent them from executing.
“As demonstrated in the report, AI could have prevented the OPM attack had it been in place before the attack rather than after,” Robison said. The same is true for other major ransomware attacks, such as WannaCry, REvil, and more recently, DarkSide, that have plagued state and local governments.
AI’s automation and learning capabilities also help relieve some of the workload and stress of managing IT security. Besides requiring substantially fewer updates, an AI-based system can detect threats, sort alerts and even initiate a response automatically, removing many manual duties that security personnel would otherwise handle.
“We see these attacks happening essentially on a daily basis, whether in federal government, state government, local governments, school districts, whatever,” Robison said. “We see ransomware attacks constantly. And if there’s a better way to prevent those things, there’s really no excuse for not doing that.”
This article is an excerpt from GovLoop’s recent report, “Smart Move: Why Government Agencies Need AI-Powered Cybersecurity.”