The beauty of AI-driven self-learning cybersecurity solutions is that they can be taught to discern contexts to reduce false positives.
When triaging cybersecurity incidents, context is incredibly important because it helps defenders identify the severity of the incident, says Stanley Hsu, Regional Vice President, SEA, Mimecast.
For example, you need to know if the thick smoke you smell is coming from burnt toast or if the electrical circuit board in the store room is on fire. “Context helps to provide broader insight into the event and improve the decisions made. And for cyber professionals it stops SOC analysts from wasting time on false positives and allows them to focus on the highest-priority incidents,” said Hsu.
CybersecAsia queried him to find out more.
CybersecAsia: Why is analyzing context (analyzing events, neutralizing vulnerabilities, and enabling an effective IT asset security) in cybersecurity incidents important?
Stanley Hsu (SH): When it comes to cybersecurity you can look at context through three different perspectives: Platform, People and Ecosystems—all of which should be analyzed together to gain valuable insight:
- People: How can their behavior and communication patterns be fed into the system to improve prevention of mistakes?
- Platforms: How can security platforms benefit from the additional context gained from people and other toolsets in an organization’s security environment?
- Ecosystems: How can context and data acquired from both People and Platforms be merged to provide a holistic ecosystem view when coupled with Machine Learning (ML)?
It is ML that connects all three entities to provide contextual insights, to achieve greater understanding of the security risks.
CybersecAsia: Despite rising awareness of the cyber threat landscape in APAC, why are cyberattacks still surging? What is being done insufficiently or wrongly in the regional context?
SH: Cyberattacks are still surging for many reasons, but one key trend is that hybrid working has continued trending due to the COVID-19 pandemic.
Both the public and private sectors have become more reliant than ever on email, collaboration tools and other forms of electronic communications. Criminals have quickly responded to this dependency by refining their tactics and stepping up their attacks.
In our studies, email usage has risen in more than nine-in-10 Singapore firms, and in about 84% of them the number of email-based threats has increased. Our data also shows that just 15% of IT budgets are being spent on putting a cyber resilience strategy in place, and respondents indicated that there is only a small difference between the budget they need and the budget they have. Yet, they overwhelmingly blame budgetary limitations for undermining their preparedness.
The rise in cyberattacks could also potentially be attributed to user risk; a new era of cyber threats; increasing attack sophistication; more highly-organized criminal gangs, and the increasing rewards of cybercrime. Examples of this include increased media coverage on successful attacks, leading to greater recognition for the criminal parties involved, and democratized access to sizeable Ransomware-as-a-Service (RaaS) tools, to generate even more threats and rewards.
Furthermore, as the sophistication of cyberattacks increases, and the massive push to undergo digital transformation presses on, the cybersecurity skills gap and attack surfaces will continue to grow: organizations do not always have enough time to investigate or remediate cyber breaches.
Finally, many firms have not implemented enough controls, because they lack a comprehensive cyber defence and cyber resilience plan, because of conflicting priorities for the IT team and business as a whole, lean IT, and because of the perceived lack of budgetary resources.
CybersecAsia: As emails are a dominant source of cyber threats, what latest email contextual filtering techniques are being used to thwart social engineering and other ploys to steal login credentials?
SH: As email remains the number one business communication tool and users have inherent trust in it as a platform, threat actors are constantly evolving their techniques, tactics and procedures (TTPs) to combat technology advancements.
With many organizations not deploying and utilizing tools to detect and prevent the latest TTPs, there is also a significant rise in online brand impersonations and business email compromise attempts.
Today, the use of constantly improving AI and ML technologies to filter emails based on contextual intelligence is increasing, which can in turn help organizations to layer on better threat detection tools and other automation measures to preempt human error when confronted with advanced email attacks.
However, it should also be acknowledged that ransomware syndicates are being run as highly-organized enterprises, and as long as organizations continue to fall prey to attacks and pay the ransoms, threat actors will continue to launch these attacks because there is a significant return on investment.