How Self-Learning AI is changing the paradigm of endpoint security
Article by Darktrace director of threat hunting, Max Heinemeyer.
In this era of remote working and distributed digital ecosystems, the endpoint represents an easy point of entry into an organisation. These devices hold large volumes of sensitive data that cyber-criminals look to monetise, and most endpoint solutions today are ill-equipped to handle the machine-speed threats that target organisations.
Most endpoint security tools used by organisations today rely on static rules and historical attack data. This ‘rear view mirror’ approach only recognises threats that have been encountered before – ‘known bad’ indicators such as remote hosts, patterns in code and email domains – but what about the unknowns, and the new attack infrastructure that cyber-criminals set up every day?
The conventional approach is blind to novel threats, and consistently fails to catch more sophisticated attacks: those that use legitimate, already-installed tools to blend in (so-called living off the land), those that leverage known, trusted domains, and those that exploit zero-day vulnerabilities.
Moreover, many of these tools lack the holistic coverage required to expose attackers traversing the digital ecosystem – probing email systems, cloud environments and the corporate network, looking for areas of weakness. Point solutions often lack the context necessary to reveal the full scope of an incident – and in other cases, miss the attack entirely.
A new approach to endpoint security uses Self-Learning AI to understand the entire digital ecosystem from the ground up. With an evolving understanding of its surroundings, the AI has a sense of ‘self’, and can detect subtle deviations indicative of a cyber-threat. In this way, the technology acts as a digital immune system, stopping the attacks that get through an organisation’s first layer of defence.
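The contrast between the two approaches described above can be made concrete with a small script. The following is an added illustration, not Darktrace code and not a description of their model: a ‘known bad’ blocklist matcher is run beside a deliberately simple per-device baseline that learns which process on a host talks to which destination and scores each new event by how surprising it is under those counts. The host names, domains, sample telemetry, smoothing constant and alert threshold are all constructed for the example.

```python
from collections import Counter, defaultdict
from math import log

# Constructed training telemetry for one host, as (host, process, destination).
# Two weeks of "normal": mail, intranet browsing, Teams and a patch-management job.
TRAINING = (
    [("laptop-07", "outlook.exe", "outlook.office365.com")] * 40
    + [("laptop-07", "chrome.exe", "intranet.example.local")] * 30
    + [("laptop-07", "teams.exe", "teams.microsoft.com")] * 25
    + [("laptop-07", "powershell.exe", "wsus.example.local")] * 5
)

# Hypothetical indicator list; the only thing the rule-based detector can match on.
KNOWN_BAD_DOMAINS = {"evil-c2.example"}

# Constructed events to score. None of these domains are real indicators.
EVENTS = {
    "routine":      ("laptop-07", "outlook.exe", "outlook.office365.com"),
    "lolbin_novel": ("laptop-07", "powershell.exe", "files.drop-share.example"),
    "known_bad":    ("laptop-07", "chrome.exe", "evil-c2.example"),
    "new_pairing":  ("laptop-07", "powershell.exe", "outlook.office365.com"),
    "unknown_host": ("laptop-99", "outlook.exe", "outlook.office365.com"),
}


def rule_based_alert(event, blocklist=KNOWN_BAD_DOMAINS):
    """'Rear view mirror' detection: fires only on a previously catalogued indicator."""
    _host, _process, dest = event
    return dest in blocklist


class HostBaseline:
    """Per-host frequency model of which process talks to which destination.

    The anomaly score is the surprisal, -log p, of the observed process, the
    destination and the (process, destination) pair under the learned counts.
    Additive smoothing (alpha) gives never-seen values a finite but large score.
    """

    def __init__(self, alpha=0.5):
        self.alpha = alpha
        self.proc = defaultdict(Counter)   # host -> Counter(process)
        self.dest = defaultdict(Counter)   # host -> Counter(destination)
        self.pair = defaultdict(Counter)   # host -> Counter((process, destination))
        self.total = Counter()             # host -> number of events learned

    def learn(self, events):
        for host, process, dest in events:
            self.proc[host][process] += 1
            self.dest[host][dest] += 1
            self.pair[host][(process, dest)] += 1
            self.total[host] += 1

    def _surprisal(self, counter, key, host):
        n = self.total[host]
        vocab = len(counter) + 1           # one extra slot reserves mass for unseen values
        p = (counter[key] + self.alpha) / (n + self.alpha * vocab)
        return -log(p)

    def score(self, event):
        """Return the anomaly score, or None if the host has no baseline yet."""
        host, process, dest = event
        if self.total[host] == 0:
            return None                    # still learning: nothing to deviate from
        return (self._surprisal(self.proc[host], process, host)
                + self._surprisal(self.dest[host], dest, host)
                + self._surprisal(self.pair[host], (process, dest), host))


def baseline_alert(model, event, threshold=8.0):
    """Alert when the event is sufficiently surprising for this particular host.

    A host without a baseline is never alerted on; in practice it stays in a
    learning period before any automated action is permitted against it.
    """
    s = model.score(event)
    return s is not None and s >= threshold


def compare(events=EVENTS, training=TRAINING):
    """Run both detectors over the sample events; returns {name: (rule, baseline, score)}."""
    model = HostBaseline()
    model.learn(training)
    return {name: (rule_based_alert(ev), baseline_alert(model, ev), model.score(ev))
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, (rule, base, score) in compare().items():
        shown = "n/a" if score is None else f"{score:.2f}"
        print(f"{name:13s} rule={rule!s:5s} baseline={base!s:5s} score={shown}")
```

Run as-is, the blocklist catches only the event whose domain is already on the list. The baseline also flags PowerShell reaching a never-seen domain (a legitimate tool used to blend in) and PowerShell contacting a trusted mail domain it has never contacted before (a known domain, new pairing), while routine mail traffic scores low. The trade-off a practitioner should keep in mind is visible in the threshold: set it low enough to catch the new pairing and every genuinely new piece of legitimate activity on the host will score in the same range, which is why real deployments use many more features than a single process/destination pair and why automated response needs to be proportionate rather than binary.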
Correlating endpoint data with data from across the rest of the organisation enables the technology to reveal the origin and full scope of an incident, reducing time-to-meaning for defenders. IT and security teams are becoming more stretched in the wake of digital transformation, and the cyber-skills gap has never been more apparent. Handing over the heavy lifting to AI to perform the manual work is crucial in enabling human teams to spend their time on higher-level tasks rather than keeping them in the weeds.
Another significant development is autonomous response: the ability of AI to fight back in real time, taking targeted and proportionate action to contain emerging cyber-threats in their earliest stages. This capability on the endpoint will be crucial in interrupting fast-moving cyber-attacks, allowing human teams to catch up and remediate the incident.
Self-Learning AI is designed with an open and accessible architecture, integrating with leading endpoint solutions such as CrowdStrike, Carbon Black and Microsoft Defender. This innovation is set to change the game for endpoint security, detecting the novel and sophisticated attacks that cause so much disruption today.