Cybersecurity 505: Five Key Predictions Over Five Years
By Vinod Vasudevan
Here are some of my views on what cybersecurity will look like five years from now.
1. Business-domain-specific AI algorithms will detect attacks.
The AI used today to detect deeper and more complex attacks typically runs on generic algorithms that look for outliers, anomalies, patterns and associations in the data, rather than on models of how attacks play out in a particular industry. This is because attackers have not yet intensified domain-specific attacks, though there are early examples, Stuxnet among them.
The availability of cloud computing and the use of AI by attackers could lower the barriers for cybercrime syndicates to formulate domain-specific attacks. If that happens, higher-fidelity detection could be achieved by modeling on industry-specific attacks. Credit card fraud is already detected by AI algorithms trained on past fraud data, in products such as FICO's Falcon Platform and SAS's Detection and Investigation for Banking; in the same way, we may soon detect attacks in financial, energy, retail, manufacturing, technology, health and other industries by modeling the attacks specific to each business domain. Business domain-specific AI algorithms would make it easier to detect and respond to attacks.
As an example, a business email compromise (BEC) attack in the energy sector could be used to cross over into IIoT systems to disrupt or contaminate the water supply. There could be several variations of the attack leading to the same outcome, and it would be impossible to write rules to detect all of them. A high proliferation of attacks over the next few years could make enough attack data available for AI algorithms to learn from. Industry-based specialization, and AI algorithms built to detect each industry's attacks, will be key requirements.
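To make the point concrete, here is an added example (not from the article, and not any vendor's product) of a toy domain-specific model for the BEC-to-IIoT crossover described above. It learns, from a handful of constructed labelled sessions, which transitions between corporate and OT actions characterise the crossover, and then scores a variant whose exact step order it has never seen. All action names, sessions and the naive Bayes scoring are assumptions made for the illustration; the contrast it draws is between a generic novelty count, which cannot tell the attack variant from a benign session with an unusual order of steps, and a model trained on the domain's attack data, which can.

```python
"""Toy domain-specific attack model for a BEC-to-IIoT crossover.

Added illustration, not code from the article. Every session, action name
and asset name below is constructed; no real product, dataset or CVE is used.
"""
from collections import Counter
import math

# Constructed training data: each session is the ordered list of actions one
# identity performed across the corporate (email/VPN) and OT (HMI) domains.
TRAINING = [
    # benign: ordinary office work and routine HMI reads
    (["email_login", "read_mail", "send_mail"], "benign"),
    (["email_login", "read_mail", "calendar_update"], "benign"),
    (["vpn_login", "hmi_login", "hmi_read_tags"], "benign"),
    (["vpn_login", "hmi_login", "hmi_read_tags", "hmi_logout"], "benign"),
    (["email_login", "send_mail", "file_share_download"], "benign"),
    # attack: mailbox taken over from a new location, then crossover into OT
    (["email_login_new_geo", "mailbox_rule_forward", "vpn_login",
      "hmi_login", "hmi_write_setpoint"], "attack"),
    (["email_login_new_geo", "password_reset", "vpn_login",
      "hmi_login", "hmi_write_setpoint"], "attack"),
    (["email_login_new_geo", "mailbox_rule_forward", "send_mail",
      "vpn_login", "hmi_login", "hmi_write_setpoint"], "attack"),
]


def transitions(session):
    """Domain feature: consecutive action pairs within one identity's window."""
    return list(zip(session, session[1:]))


class DomainAttackModel:
    """Multinomial naive Bayes over action transitions, Laplace-smoothed."""

    def __init__(self, labelled_sessions):
        self.counts = {"benign": Counter(), "attack": Counter()}
        self.sessions = Counter()
        for session, label in labelled_sessions:
            self.sessions[label] += 1
            self.counts[label].update(transitions(session))
        self.vocab = set().union(*self.counts.values())

    def log_score(self, session, label):
        total = sum(self.counts[label].values())
        score = math.log(self.sessions[label] / sum(self.sessions.values()))
        for t in transitions(session):
            score += math.log((self.counts[label][t] + 1)
                              / (total + len(self.vocab)))
        return score

    def classify(self, session):
        return max(("benign", "attack"),
                   key=lambda label: self.log_score(session, label))

    def unseen_transitions(self, session):
        """What a generic outlier detector sees: how many transitions are novel."""
        return sum(1 for t in transitions(session) if t not in self.vocab)


MODEL = DomainAttackModel(TRAINING)

# Constructed sessions to score. The attack variant reorders and interleaves
# steps so that its exact sequence never appears in the training data.
VARIANT_ATTACK = ["email_login_new_geo", "send_mail", "password_reset",
                  "vpn_login", "hmi_login", "hmi_write_setpoint"]
NOVEL_BENIGN = ["vpn_login", "hmi_login", "hmi_logout", "hmi_login",
                "hmi_read_tags"]          # unusual order, harmless actions
ROUTINE_BENIGN = ["email_login", "read_mail", "send_mail",
                  "file_share_download"]

if __name__ == "__main__":
    for name, s in [("variant attack", VARIANT_ATTACK),
                    ("novel benign", NOVEL_BENIGN),
                    ("routine benign", ROUTINE_BENIGN)]:
        print(f"{name:15s} novel transitions={MODEL.unseen_transitions(s)} "
              f"verdict={MODEL.classify(s)}")
```

Both the attack variant and the novel benign session contain two transitions the model has never seen, so a pure novelty score ranks them the same; the domain model separates them because the transitions it did see (password reset followed by VPN login, HMI login followed by a setpoint write) carry the weight of past incidents. A real deployment would need far more labelled data and per-identity windowing, which is exactly the attack data the article expects to accumulate.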
2. Autonomous response: Learning algorithms will automatically contain attacks without human intervention.
Ransomware attacks have already shown us the gaps in current mechanisms for rapid response. This will become even more complex in the future with the proliferation of devices across the cloud, edge data centers and other locations. Cybercrime syndicates will keep improvising ways to spread and cause large-scale damage in a matter of minutes, if not seconds. This would require large-scale autonomous response mechanisms for containment and recovery once an attack is detected. AI-based autonomous systems could be used in the future to contain attacks quickly, based on deeper learning of the organization's network structure and software-defined perimeters. Such autonomous systems could have inbuilt intelligence to understand the business criticality of each system and adjust how coarse or fine the response should be.
As an example, a critical IIoT system required to continue a business service would not be shut down, but the malicious process within it could be microsegmented. Similarly, fast initiation of the recovery process, including reimaging or initiation of fresh workloads in the cloud or fast patching, would be orchestrated in the context of business priorities. I believe this can be achieved at a rapid pace only with the use of AI; manual response could become too slow to be effective. Machines will take the required action, learn the environment, sequence containment and take recovery actions. Cybersecurity incident-response personnel can then focus on more strategic learnings from incidents to make these autonomous systems perform even better in the context of their environments.
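The following added example (my own illustration, not code from the article) shows the criticality-aware sequencing described in this section as a small response planner. The article expects the policy itself to be learned; here it is hand-written so the containment-then-recovery ordering is visible. Asset kinds, criticality levels, action names, the confidence floor and the constructed alerts are all assumptions for the example.

```python
"""Criticality-aware autonomous containment planner (added illustration).

Not code from the article. The policy is hand-written here so the sequencing
is visible; every asset, alert and action name is constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    MONITOR = "raise ticket, collect more telemetry"
    MICROSEGMENT_PROCESS = "block network flows of the malicious process only"
    ISOLATE_HOST = "cut the host off the network"
    QUARANTINE_WORKLOAD = "move workload into a deny-all security group"
    LAUNCH_FRESH_WORKLOAD = "start a replacement from a known-good image"
    TERMINATE_WORKLOAD = "destroy the compromised instance"
    REIMAGE = "wipe and rebuild the endpoint"
    PATCH = "apply the fix that closes the exploited weakness"
    REQUEST_APPROVAL = "ask an operator before disruptive recovery"


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str         # assumed kinds: "workstation", "iiot_controller", "cloud_workload"
    criticality: int  # assumed scale: 1 (disposable) .. 5 (a service stops without it)


@dataclass(frozen=True)
class Alert:
    asset: Asset
    process: str
    confidence: float  # detector confidence in [0, 1]


CONFIDENCE_FLOOR = 0.7  # assumed: below this, gather telemetry instead of acting


def plan_response(alert: Alert) -> list[Action]:
    """Return the ordered containment-then-recovery sequence for one alert."""
    asset = alert.asset
    if alert.confidence < CONFIDENCE_FLOOR:
        return [Action.MONITOR]

    if asset.kind == "iiot_controller" and asset.criticality >= 4:
        # The business service must keep running: contain the process, not
        # the device, and leave disruptive recovery to a human-approved window.
        return [Action.MICROSEGMENT_PROCESS, Action.REQUEST_APPROVAL, Action.PATCH]

    if asset.kind == "cloud_workload":
        # Recovery is cheap in the cloud: stand up a replacement before destroying.
        return [Action.QUARANTINE_WORKLOAD, Action.LAUNCH_FRESH_WORKLOAD,
                Action.TERMINATE_WORKLOAD]

    # Default for endpoints and low-criticality devices: full isolation.
    return [Action.ISOLATE_HOST, Action.REIMAGE, Action.PATCH]


def triage(alerts: list[Alert]) -> list[tuple[str, list[Action]]]:
    """Order plans so the most business-critical assets are contained first."""
    ordered = sorted(alerts, key=lambda a: (-a.asset.criticality, -a.confidence))
    return [(a.asset.name, plan_response(a)) for a in ordered]


# Constructed alerts for the walkthrough.
PLC = Asset("pump-plc-07", "iiot_controller", 5)
WORKSTATION = Asset("finance-ws-12", "workstation", 2)
VM = Asset("billing-api-3", "cloud_workload", 3)
ALERTS = [
    Alert(WORKSTATION, "outlook.exe -> powershell.exe", 0.95),
    Alert(PLC, "modbus-bridge", 0.90),
    Alert(VM, "suspected miner", 0.40),
]

if __name__ == "__main__":
    for name, plan in triage(ALERTS):
        print(name, "->", [a.name for a in plan])
```

The ordering keeps the critical controller running while still containing the malicious process, and the low-confidence alert is deliberately not acted on at the network level, which is the kind of judgement a learned policy would have to reproduce before it could be trusted to act without a human in the loop.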
3. Natural language interfaces will interact with cybersecurity platforms and services.
Humans and machines interface today largely through visual user interfaces. This could become outdated five years from now, given that we are already getting used to natural language interaction with Alexa, Google Assistant, Siri and Cortana. Natural language interaction could also become “natural” given the rapid pace of decision-making required in the future due to the increased volume of precision attacks. It will be easier to simply talk to the cyber defense platform to find out which assets are at the highest risk against a specific ransomware and instruct the platform to immediately patch them instead of clicking through several screens to find out the same information.
This could be extremely useful in scenarios where a high-speed response is required to contain incidents. The cyber defense platform could compute the response required, talk to the CISO about the appropriate actions and ask for approval. Once the CISO verbally approves, the autonomous response could be put into action. Going through ticketing systems and approval chains would be a thing of the past.
4. Supply chain attacks could focus on employees’ home networks and social presence.
Cybercrime syndicates are always looking for easier pathways to the crown jewels. When perimeters became stronger, the focus shifted to the easier option of socially engineering employees. As we strengthen our defenses against social engineering, attackers will likely shift toward compromising the employee's home network and using it as a stepping stone into the corporate perimeter. The same concept could also extend to social media: attackers could target an employee's personal profile instead of targeting the same employee through work channels. In both cases the shift is toward the easier pathway to compromise.
The implication is that monitoring and response will have to incorporate a 360-degree view for critical employees that marries their corporate footprints, home networks and social media.
5. Cyber defense could become a universal utility service — any device, anywhere, in a plug-and-play service.
I expect large-scale proliferation of devices and systems across all industries. Every industry will have systems in the cloud, in edge data centers, and in operational technology (OT) and IoT devices. Cybercrime syndicates will have an easier time compromising a few systems out of a much larger footprint than they have today. This could create companies that offer cyber defense as a utility-based service, where users can rapidly and seamlessly integrate devices anywhere, on demand. These companies would need to provide seamless integration, apply detection use cases and develop response mechanisms that kick in on demand. The delivery model could be modeled on utility services, meaning it would be as easy as getting water and electricity: switch on and get metered.