When you go online, things are not always as safe as they appear to be, so whether you are simply browsing the Internet or using a smart device in your home, you need to know how to protect yourself. To talk about these topics, along with the use of AI in security and VPNs, we spoke with Chris Morales, Head Security Analyst at Vectra AI, a company that uses AI to detect and hunt for cyber attackers.
Before he joined Vectra AI, Chris Morales worked in similar positions for several other companies, including HyTrust, NSS Labs, and Accuvant. Needless to say, he has a lot of experience in the industry, and we couldn't wait to hear what he has to say.
Without further ado, here is TechNadu's interview with Chris Morales, Head Security Analyst at Vectra AI.
TechNadu: Artificial Intelligence (AI) has become an integrated part of numerous security solutions nowadays. How exactly does Vectra's Cognito help keep attackers at bay?
Chris Morales: When AI or machine learning is the foundation behind a product, the promises that the product makes should be specific and measurable. Customers should ask for a number they can measure. The whole point of these technologies is that they can be specific and predictive in a way that human intuition on its own cannot be.
If someone who talks up their AI tech won’t promise you specific numeric results, they may have a useful product in other ways, but you’d best proceed cautiously when it comes to their AI implementation. The power of these technologies is in the numbers.
To this point, when looking at Vectra’s AI platform, Cognito, we can demonstrate consistent patterns across our entire install base. Our latest 2019 RSA Edition Attacker Behavior Industry Report reveals cyber-attack detections and trends from over 350 Vectra enterprise customers across 11 different industries. By examining attacker behaviors, we can see the real-world results of applying AI to incident response. From the report, we learned that, over a 6-month period, the organizations that participated could expect on average 383 hosts with detections for every 10,000 hosts monitored. This is a reduction from 11,390 security events detected that would normally require an analyst to manually investigate and interpret, which represents a 37x reduction in the number of events requiring investigation and triage. More important, of those hosts with detections, Cognito could distill that to 3 hosts considered high or critical on a daily basis requiring immediate investigation.
The way Cognito leverages machine learning to reduce workload boils down to visibility of the entire attack lifecycle, which becomes a big data problem properly suited to data science. Attacks fundamentally all perform a lot of the same behaviors, as there is a certain sequence of events they must follow to succeed. These behaviors include things like remote access tools, hidden tunnels, backdoors, recon tools, credential abuse, and exfiltration.
By looking for all the behaviors that an attacker could perform across the entire attack lifecycle, we dramatically increase the probability of detecting attacks. Effectively this detection model flips the classic equation from “the attacker only has to get it right once, and the defender has only one chance for detection” to “the defender has multiple chances for detection and the attacker only has to get it wrong once to be detected.” The more behaviors that are detected, the better the awareness of the attack. By combining behaviors, we move away from the purely human-based decision-making process of what is an incident.
TechNadu: What do you think is the best feature Cognito has at its disposal?
Chris Morales: Prioritizing the handling of the incident is perhaps the most critical decision point in the incident handling process. Incidents should not be handled on a first-come, first-served basis because of resource limitations. Instead, handling should be prioritized based on the relevant factors.
The outcome of the combination of multiple methods of data science is the ability to instantly extract the attacks that truly matter from the rest of the noise in the organization, real or not. Even if attacks occur daily, it is important to know which ones can cause the most harm and require immediate attention. Machine intelligence detects events, triages those events to a single host, and then prioritizes the ones that matter most for fast analysis.
The Threat Certainty Index™ in Cognito Detect consolidates thousands of events and historical context to pinpoint hosts that pose the biggest threat. Instead of generating more events to analyze, Cognito Detect boils down mountains of data to show what matters most. Threat and certainty scores trigger notifications to a security analyst or a response from other enforcement points, SIEMs, and forensic tools.
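The triage flow described in the last two answers (collapse many events onto hosts, score each host by how far along the lifecycle it has been observed and by how many independent behaviors corroborate it, then rank) can be sketched in code. The block below is an added illustration, not Vectra's code, and the phase weights, the certainty formula, the tier thresholds and the sample detections are all constructed assumptions, not the Threat Certainty Index. It also includes the point made above about the defender getting multiple chances at detection, as a simple probability helper.

```python
"""Added example: host-level triage of attack-lifecycle detections (hypothetical model)."""
from collections import defaultdict

# Assumed lifecycle phases and per-phase harm weights (hypothetical, not Vectra's model).
# Later phases score higher because the attacker is closer to the objective.
PHASE_WEIGHT = {
    "command_and_control": 40,
    "reconnaissance": 50,
    "lateral_movement": 75,
    "exfiltration": 100,
}

# Constructed sample detections as (host, phase, detector); not real telemetry.
SAMPLE_EVENTS = [
    ("10.0.1.5", "command_and_control", "hidden_http_tunnel"),
    ("10.0.1.5", "reconnaissance", "internal_port_scan"),
    ("10.0.1.5", "lateral_movement", "smb_admin_share_access"),
    ("10.0.1.5", "exfiltration", "large_upload_to_rare_domain"),
    ("10.0.2.9", "reconnaissance", "internal_port_scan"),
    ("10.0.3.7", "command_and_control", "hidden_dns_tunnel"),
    ("10.0.3.7", "command_and_control", "hidden_dns_tunnel"),
    ("10.0.3.7", "command_and_control", "hidden_dns_tunnel"),
    ("10.0.4.2", "lateral_movement", "kerberos_account_scan"),
    ("10.0.4.2", "lateral_movement", "kerberos_account_scan"),
]


def group_by_host(events):
    """Collapse raw detection events onto the host that produced them."""
    hosts = defaultdict(list)
    for host, phase, detector in events:
        if phase not in PHASE_WEIGHT:
            raise ValueError(f"unknown lifecycle phase {phase!r}")
        hosts[host].append((phase, detector))
    return dict(hosts)


def score_host(detections):
    """Return (threat, certainty), both 0..100, for one host's detections.

    threat: the worst lifecycle phase observed on the host.
    certainty: how many independent behaviours corroborate the finding; each
    distinct detector halves the remaining chance that the host is benign,
    and repeated firings of the same detector add a small capped bonus.
    """
    phases = {phase for phase, _ in detections}
    detectors = {detector for _, detector in detections}
    threat = max(PHASE_WEIGHT[p] for p in phases)
    certainty = 100 * (1 - 0.5 ** len(detectors))
    repeats = len(detections) - len(detectors)
    certainty = min(100.0, certainty + min(20, 5 * repeats))
    return threat, certainty


def tier(threat, certainty):
    """Map the two scores to an analyst-facing priority (thresholds are assumed)."""
    if threat >= 75 and certainty >= 75:
        return "critical"
    if threat >= 75 or certainty >= 75:
        return "high"
    if threat >= 50 or certainty >= 50:
        return "medium"
    return "low"


def prioritize(events):
    """Triage events to hosts and rank hosts so the analyst starts at the top."""
    ranked = []
    for host, dets in group_by_host(events).items():
        threat, certainty = score_host(dets)
        ranked.append({"host": host, "threat": threat, "certainty": certainty,
                       "tier": tier(threat, certainty), "events": len(dets)})
    # Highest combined score first; host address breaks ties deterministically.
    ranked.sort(key=lambda r: (-(r["threat"] + r["certainty"]), r["host"]))
    return ranked


def detection_probability(p_single, n_behaviours):
    """P(at least one of n independent behaviours is caught), each caught with p_single.

    This is the 'attacker only has to get it wrong once' argument in numbers.
    """
    return 1 - (1 - p_single) ** n_behaviours


if __name__ == "__main__":
    ranked = prioritize(SAMPLE_EVENTS)
    for row in ranked:
        print(f"{row['host']:<10} {row['tier']:<9} threat={row['threat']:>6.1f} "
              f"certainty={row['certainty']:>6.1f} events={row['events']}")
    urgent = sum(1 for r in ranked if r["tier"] in ("critical", "high"))
    print(f"{len(SAMPLE_EVENTS)} events -> {len(ranked)} hosts -> {urgent} needing immediate attention")
    print(f"P(detect) with 5 behaviours caught at 30% each: {detection_probability(0.3, 5):.2f}")
```

Run stand-alone, the script reduces ten events to four hosts and flags two of them (the host seen across all four phases and the host with repeated lateral-movement activity) for immediate attention; the single reconnaissance hit and the repeated C2 tunnel sit lower in the queue. The probability helper shows why covering more of the lifecycle matters: five behaviours each caught only 30% of the time still give roughly an 83% chance that the intrusion is seen at least once.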
TechNadu: How far do you believe the integration between cybersec and AI will go? Is there any part of cybersec that's better to be handled by actual humans or should we rely on AI more from here on out?
Chris Morales: AI will not replace humans. Humans and machines working together is the goal here. There are tasks well suited to machines – those that are big data problems requiring long term memory of systems and behaviors. There are also tasks well suited to humans – those that require critical or creative thinking for problem resolution. Machines reduce the workload of the tedious work so that humans can focus on artisan work.
What we have also discovered about AI is that it not only reduces the workload for existing security staff, but it also reduces the barrier of entry to security: I can take any intelligent student or IT staff member and provide them with a repeatable process with which they can learn the necessary security skills to become a security expert. We are working closely with universities and organizations to implement training programs designed to train new security analysts by using AI to augment staff for the tedious work, and then leveraging the existing security staff to focus on high-level work while acting as mentors to new junior analysts. Everyone wins.
TechNadu: How do you see the threat map nowadays? Are things going better or worse in terms of attacks than they were, let's say, a year ago? Are your systems catching more attacks?
Chris Morales: I don’t think the threat landscape is any better or worse than it used to be. What does happen is the type of attacks we detect evolve with time and the total size of the threat landscape has increased exponentially. What doesn’t change is the motives or behaviors behind the attacks. They are primarily driven by financial motivation or espionage and involve the use of some form of command and control, lateral movement, and data exfiltration or destruction.
What is interesting is that when I look at the numbers reported back from the Cognito platform, while the total volume of incidents has increased over time, the number of incidents scored as critical or high hasn’t really increased on a daily basis. With more devices, there is more noise for an attacker to hide their signal.
The exponential growth in connected devices and IoT means the amount of work required to monitor and analyze all these connected devices to figure out what is important from what is noise has grown in parallel. This tells me the biggest threat facing cybersecurity is not advanced attackers or evolving technology. It is the lack of people able to defend networks.
To address the problem, the security industry has made it too hard for some very smart people to enter our industry while asking some very talented people who are already in cybersecurity to take on a large amount of busy work sifting through large volumes of data generated by connected devices to find attackers already on the network. Threat hunting manually is highly inefficient, even for skilled analysts. It is just a lot of data.
The ramifications of the difficulty in hiring new people and the exponential growth in connected systems mean increasing workloads for existing security staff with most of an analyst’s time spent on emergencies and reactive work.
In the end, many security analysts typically feel as though they haven’t contributed to the overall cybersecurity posture of an organization and thus begins burnout, making the problem even worse.
TechNadu: There's been a lot of talk about people using VPNs day in and day out to help encrypt their communications and keep their privacy online. What do you think of this? Is it overkill?
Chris Morales: I find it to be interesting. In general, I think a VPN is a great idea. VPN has been the go-to tool for road warriors in the enterprise space for a long time. It does work to extend the enterprise perimeter over internet communication, allowing road warriors to run internal apps wherever they might be.
That is the thing, though. A VPN has to terminate somewhere, and while the network communication is encrypted, what happens on either side of the VPN is not. It comes down to the quality of the VPN provider. Someone has access to user browsing habits and applications. An enterprise VPN terminates at the enterprise-controlled perimeter, which means the enterprise has full visibility into remote user access. A commercial VPN terminates at the VPN provider, meaning the VPN provider has access to all of the user's browsing habits.
On top of all that, VPN is not completely anonymous either. There are logs on both sides of the communication that tell me where you have been. Just be careful of the promises. I think a good multi-factor authentication and strong use of encryption of the websites you visit is better.
TechNadu: Do you use VPNs? What do you think people should look for when picking such a tool?
Chris Morales: I used to manage my own VPN instance in the cloud. It worked, but I decided against it. I cannot recommend a tool as I don’t use any outside of my corporate work today.
TechNadu: What about IoT devices? Given the notorious bad security surrounding most products like this, what features should customers always look for when buying a connected device? Do you have any IoT devices in your own home?
Chris Morales: Over the last few years, there has been an alarming increase in IoT-based denial-of-service attacks based on variations of IoT-powered botnets. These botnets are used for various types of cybercrime, like a cheap clone army. All those new smart TVs, cameras, door locks, and maybe even a fridge or two, are going to be the gifts that keep on giving to attackers.
In addition to default usernames and passwords, most IoT devices are shipped to consumers and enterprises with out-of-date, insecure software that is never updated by manufacturers. IoT devices are also trivial to access, with no regulations or guiding principles mandating how secure they should be. Vectra Threat Labs published research on how a consumer-grade webcam can be turned into a backdoor to enter the network it's connected to.
IoT security is going to be a hard problem to solve. It must start with some basic regulations defining minimum security standards for every device, especially consumer devices. We also need for manufacturers to implement a process to update devices for security patches that are maintained by the vendors in some automated fashion with little intervention required by consumers or end users.
At a minimum, I recommend home users consider the vendor and look to see if there are default usernames and passwords on a device. If so, change them to something much stronger.
What did you think? How do you feel about AI-usage on security and how do you stay safe online? Let us know by dropping a note in the comments section below and share the article online if you have the time. Follow TechNadu on Facebook and Twitter for more tech news, guides, reviews, and interviews.