Using AI to fight Cybercrime!
Senior members of Fusion IT visited the Imperial War Museum in Manchester last month, where they met with many fellow Sophos partners and shared the latest news and insights on Sophos MSP solutions at the Sophos MSP Get Together.
As you probably know, Sophos MSP products are designed to protect our clients from today’s complex and evolving threats, through next-generation endpoint, network, server, mobile, and email security solutions. In addition, these products work together to provide synchronised security across multiple layers for truly holistic protection.
During the Partners’ session, we gained insight on how to leverage AI in cybersecurity and explored further the features and benefits of managed detection and response (MDR) services.
And of course, we enjoyed some fun activities after the event, such as exploring the museum exhibits!
So how can AI protect our clients?
Going back to the use of AI to fight Cybercrime, the Sophos MSP Get Together revealed a number of key areas where artificial intelligence and, in particular, Sophos AI can make a difference. These were discussed and can be summarised as follows.
Next Generation Web
As the frequency of web-based attacks continues to rise, conventional security software faces limitations in keeping pace with these evolving threats. Web vulnerabilities, including malware delivery, phishing, and cross-site scripting, exploit the highly adaptable nature of web pages and URLs. This complexity poses a challenge for traditional security solutions, often only detecting malicious activities in the later stages, such as after a phishing page has compromised credentials.
Sophos AI is at the forefront of enhancing web security, employing advanced deep neural networks to proactively identify and address threats. Their technology is designed to recognise malicious URLs, alert users to potential phishing sites, and prevent malware delivery at its source. These innovative deep learning models seamlessly integrate into Sophos’s synchronised security architecture, providing an additional layer of defence to stop threats before they can infiltrate your network. Safeguarding the web environment, Sophos AI is dedicated to making the internet a safer space for users and businesses alike.
Behavioural Detection
As cyber threats become increasingly sophisticated, traditional antivirus defences relying on file scanning are facing challenges in detecting complex attacks like polymorphic malware and scripting, including living-off-the-land techniques. To effectively counter these evolving threats, Sophos AI marks a shift towards more comprehensive cyber defences, with behaviour analysis taking centre stage.
Behaviour analysis and detection offer a potent defence strategy, as all malware ultimately reveals malicious behaviour to achieve its objectives. However, implementing behaviour detection, especially machine learning-based approaches, is a complex task due to factors such as the sheer volume of data, the diverse range of behaviours across various software running on different machines, challenges in collecting and accurately labelling a representative dataset, and the need to understand the complete context surrounding each behaviour trace.
The Sophos AI team has adopted a step-by-step approach to address this challenge, aiming to develop practical solutions deployable to their customers. Initially, Sophos AI’s efforts focused on simplifying and comprehending vast behavioural data by identifying key automatically discovered features to avoid overfitting. Building on this foundation, Sophos AI are currently exploring the potential of deep learning techniques, such as learning on graphs, to construct more robust models. Simultaneously, Sophos AI are working on developing simpler yet resilient context models, enhancing existing static models by incorporating additional information like filepaths or process trees. This multi-faceted approach aims to strengthen cyber defences against the dynamic landscape of modern cyber threats.
Infrastructure
One of the well-known secrets within the realm of machine learning (ML) is that the most effective method for enhancing model accuracy involves acquiring more extensive training data and improving the accuracy of labels. Unfortunately, in the domain of security, generating larger and more pertinent datasets presents a substantial challenge, surpassing that of many other domains. This challenge stems from two significant complications.
Firstly, labelling information is typically unavailable at the time of observation and gradually evolves over time (spanning days to months) as more information becomes available. The second complication arises from the constant concept drift in the distributions encountered in the field, along with fluctuations in the accuracy of the labelling algorithm itself. In such a dynamic environment, relying solely on a specific “gold” dataset for model development is insufficient. Deployed models need constant retraining on updated data, incorporating continually evolving labelling strategies that must be promptly propagated to all observables.
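The delayed-label and relabelling workflow described above, as an added example (not Sophos code; the store, the replayed rule and the retraining threshold are assumptions):

```python
# Added example, not Sophos code: a minimal label store in which verdicts arrive and
# change after observation, plus a staleness check for a deployed model. Names assumed.
from dataclasses import dataclass, field
from typing import Callable, Dict

@dataclass
class Observable:
    sample_id: str
    labels: Dict[int, str] = field(default_factory=dict)  # day -> label on that day
    def label_as_of(self, day: int) -> str:
        """Label believed on `day`; 'unknown' if none had been assigned yet."""
        known = [d for d in self.labels if d <= day]
        return self.labels[max(known)] if known else "unknown"

class LabelStore:
    def __init__(self) -> None:
        self.items: Dict[str, Observable] = {}
    def relabel(self, sample_id: str, day: int, label: str) -> None:
        """Record a verdict that may arrive days or months after observation."""
        self.items.setdefault(sample_id, Observable(sample_id)).labels[day] = label
    def apply_strategy(self, day: int, rule: Callable[[Observable], str]) -> int:
        """Replay a revised labelling rule over every observable; returns how many changed."""
        changed = 0
        for obs in self.items.values():
            new = rule(obs)
            if new != obs.label_as_of(day):
                obs.labels[day] = new
                changed += 1
        return changed
    def snapshot(self, day: int) -> Dict[str, str]:
        return {sid: o.label_as_of(day) for sid, o in self.items.items()}

def label_churn(trained: Dict[str, str], current: Dict[str, str]) -> float:
    """Fraction of the training snapshot whose label differs from today's belief."""
    changed = sum(1 for sid, lab in trained.items() if current.get(sid, "unknown") != lab)
    return changed / len(trained) if trained else 0.0

def needs_retrain(store: LabelStore, trained_day: int, today: int, threshold: float = 0.1) -> bool:
    return label_churn(store.snapshot(trained_day), store.snapshot(today)) >= threshold

def demo() -> dict:
    store = LabelStore()  # constructed telemetry: four samples first seen on day 0
    for sid, lab in (("a", "benign"), ("b", "benign"), ("c", "malicious"), ("d", "unknown")): store.relabel(sid, 0, lab)
    store.relabel("d", 5, "malicious")  # late verdict from deeper analysis
    # Day 20: a revised rule now classes "b" as malicious and is replayed over all data.
    flipped = store.apply_strategy(20, lambda o: "benign" if o.sample_id == "a" else "malicious")
    return {"churn": label_churn(store.snapshot(0), store.snapshot(20)),
            "flipped": flipped, "retrain": needs_retrain(store, 0, 20)}
```

A model trained on the day-0 snapshot would disagree with half of its own training labels by day 20, which is the condition the text says must trigger retraining rather than continued reliance on a fixed "gold" dataset.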
Addressing these complex requirements often exceeds the capabilities of off-the-shelf solutions, even those tailored for ML-focused groups. Sophos AI has established a dedicated team of engineers working closely with its researchers to build the necessary infrastructure and tools for researching, developing, deploying, monitoring, and maintaining multiple ML models and associated products. Some of the common challenges they tackle on a daily basis include:
- Efficiently collecting telemetry from across the company and ingesting it into Sophos’s cloud infrastructure at a reasonable cost.
- Designing internal systems for indexing and storing this data.
- Monitoring the performance of ML models in the field.
- Consistently deploying numerous ML model updates every month.
- Simplifying the development and retraining of new models for Sophos’s researchers and engineers.
Sophos AI’s engineering team concentrates on several key infrastructure areas, collaborating with other teams within the organisation to architect a company-wide big data strategy. This involves developing internal infrastructure to support scalable data ingestion from various internal and external sources. Sophos AI create a flexible set of tools and databases, enabling easy access to collected data. These tools empower data scientists to seamlessly combine and analyse terabytes of data based on ever-evolving requirements. Additionally, Sophos AI focus on developing tools for effortless retraining and deployment of a large number of models while monitoring their performance in the field.
Interpretable ML
Machine learning models are infamous for their non-transparent decision-making processes, often referred to as “black boxes.” In the context of hunting and incident response, this lack of transparency is frequently deemed unacceptable. It is imperative to not only understand the specific behaviours, files, and network traces identified as suspicious by machine learning models but also to comprehend the underlying reasons for flagging them as such. This insight allows Sophos AI to investigate further and confirm whether the models have detected evidence of an attacker. Addressing this challenge, Sophos AI’s focus on Interpretable ML research involves developing, prototyping, and operationalising methods to elucidate the “thought processes” of Sophos’s security machine learning systems. This dedicated effort has led to the successful deployment of multiple commercial models and the issuance of patents to Sophos AI.
Spam Detection
The prevalence of social engineering attacks utilising meticulously crafted emails is on the rise, causing a staggering $12.5 billion in damages annually. These attacks, often individually tailored and incorporating in-depth research on their targets, present a formidable challenge for conventional signature and machine learning detection technologies. Unlike previously encountered attacks, an individually targeted email may lack shared word sequences or choices, appearing subtly distinct from benign messages.
For more on the use of Generative AI for Phishing Attacks see our ‘The Ultimate Guide to Phishing Prevention 2024’ document available for download.
Richard Payne – Support Business Development Manager
In response to this challenge, Sophos AI have developed a neural network model trained on vast amounts of benign text, allowing it to acquire a sophisticated understanding of the syntax and semantics of natural language. This enables the network to discern the subtleties of email topics, tones, and styles. Following this, Sophos AI fine-tune the network to generically detect phishing attacks based on these abstract semantics. As a result, Sophos AI’s detector accurately identifies new and targeted phishing attacks with precision.
Here at Fusion IT we are delighted to be a Sophos Gold Partner and have access to the leading solutions and security defences being developed by the Sophos AI team. If you or your business has any IT security issues, we would encourage you to reach out ASAP.
Thanks
Richard
Interested? Call us on 0333 241 4123 or email [email protected] for professional, impartial advice.