AI-Enhanced Attacks Accelerate the Need for Hybrid, Multi-Cloud Network Security and Observability
by Martin Roesch
Gartner forecasts generative AI will be used in 17% of cyberattacks within the next two years. This is not surprising, given that we already see examples of threat actors using AI for their operations. The initial use case involves leveraging AI to simplify access to an environment. For example, threat actors are using AI to:
- Generate more convincing phishing emails.
- Gather information and write scripts for credential stuffing more quickly.
- Research vulnerabilities and create exploits faster, driving down the average time-to-exploit (TTE) from weeks to days.
First-line defenses intended to discover, harden, and configure the environment can’t always stop these AI-enhanced attacks.
- The better the disguise, the more difficult it is for people and anti-phishing tools to see through.
- The easier and faster it becomes to obtain and leverage credentials, the greater the odds that identity-based access control systems will be abused.
- The shorter the TTE, the greater the struggle for even the most well-resourced organizations to patch or mitigate promptly.
Once inside the network, threat actors can move laterally, gain deeper access, inventory data, establish command and control channels, jump to other cloud platforms, and harvest and exfiltrate data. Without network-level security and observability, organizations leave themselves open to a range of attacks, including ransomware, supply chain compromise, and cyber espionage.
The challenges with network security and observability
Most enterprises have evolved to hybrid, multi-cloud networks and diverse IT, OT, and IoT operational environments. They deploy various security technologies in each environment to try to understand what assets they have, what those assets are doing, and what is happening to them, so that they can detect and respond to attacks. Unfortunately, they encounter several problems.
Ransomware is commonly considered an endpoint problem, and EDR/EPP as the solution. However, not every device on the network has an agent on it, so many endpoints remain unprotected. Smartphones, printers, wireless access points, and other devices typically can’t support an agent. And there are also devices you aren’t aware of or don’t control, so you can’t put an agent on them.
Appliance-based tools like NGFW, IPS, and NDR that rely on packet inspection are costly and complex to deploy at scale across the entire network and are limited in detecting activity post-compromise. For example, bringing legacy NDR tools to the cloud requires virtual appliances and packet mirroring for every VPC in your cloud network. Flow logs are often considered security gold and can be a powerful supplement to these tools' existing network detection capabilities. However, their ability to operate on cloud-native network flow logs is an afterthought and incomplete, so they offer only a fraction of the detections they provide on-prem.
Cloud platform-native monitoring tools ingest their own cloud flow logs to provide some level of network observability. However, detections to identify anomalous or malicious network activity are limited to a couple of dozen at most, and these detection tools can be very expensive to use because they are black boxes with inflexible pricing. Additionally, they don’t provide capabilities that span other clouds, your data center, traffic between clouds, and back to on-prem.
Cloud-native tools like CSPM, CNAPP, CWPP, and CDR provide important cloud security capabilities. However, they don’t provide network-level security and observability and, therefore, don’t see anomalous activity like the lateral movement of a cloud asset.
Gain network security and observability across modern networks
Now more than ever, as threat actors turn to AI to facilitate access, teams need a way to ask meaningful questions about activities across their environment, including:
- Are trust boundaries being violated?
- Are there communication patterns that shouldn’t happen, like dev talking to prod?
- Are there changes to device communication patterns?
- Are there signs of data movement that may indicate ransomware staging?
- Are applications exhibiting novel behaviors?
- Are users talking to things they shouldn’t be talking to?
The Netography Fusion® platform is a 100% SaaS-based platform that delivers network security and observability across hybrid, multi-cloud networks at scale so you can get answers in seconds versus hours.
Fusion ingests flow logs from your multi-cloud VPCs and VNets (as well as your on-prem network) and DNS logs without the expense, time, and headaches of deploying appliances, agents, taps, or sensors. The data is then brought into a cloud-based AI-powered analytics backend, where normalization, enrichment, analytics, and detection occur.
We have created over 300 open detection models, including a growing number of detections with auto-thresholding capabilities. We alert you to real-time security threats happening in your environment, for example:
- Unauthorized access attempts and lateral movement
- Unusual communication patterns
- Data harvesting before exfiltration
- Internal misuse and policy violations
- Network scanning and enumeration
- Unusual data transfer rates and protocols
- Configuration errors and network mismanagement
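As an added illustration of the questions listed above and of two of these detection types (trust-boundary violations and network scanning) applied to raw flow records, the Python below is not Netography's code and not part of the original post. It parses constructed AWS VPC flow log lines, flags any dev-to-prod flow as a trust-boundary violation, and surfaces a source that probes many distinct ports on one host; the subnet-to-zone mapping, addresses, account id and interface ids are all assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed records in the AWS VPC flow log v2 default field order; the
# addresses, account id and interface ids are made up for this example.
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-dev01 10.10.1.25 10.20.5.10 51234 5432 6 12 2400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-prod1 10.20.5.10 10.20.5.11 41000 5432 6 100 90000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-dev02 10.10.2.7 10.20.5.11 40001 22 6 1 60 1700000100 1700000160 REJECT OK
2 111122223333 eni-dev02 10.10.2.7 10.20.5.11 40002 23 6 1 60 1700000100 1700000160 REJECT OK
2 111122223333 eni-dev02 10.10.2.7 10.20.5.11 40003 80 6 1 60 1700000100 1700000160 REJECT OK
2 111122223333 eni-dev02 10.10.2.7 10.20.5.11 40004 443 6 1 60 1700000100 1700000160 REJECT OK
2 111122223333 eni-dev02 10.10.2.7 10.20.5.11 40005 3389 6 1 60 1700000100 1700000160 REJECT OK
2 111122223333 eni-dev02 - - - - - - - 1700000100 1700000160 - NODATA
"""
# Trust zones are an assumption: dev workloads must never initiate to prod.
ZONES = {"dev": ipaddress.ip_network("10.10.0.0/16"),
         "prod": ipaddress.ip_network("10.20.0.0/16")}
FIELDS = ("version", "account", "eni", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status")

def parse_flow_logs(text):
    """Turn space-separated records into dicts; drop NODATA/SKIPDATA rows."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "packets", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows

def zone_of(addr):
    # Map an address to its trust zone, or "unknown" if it is outside all zones.
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "unknown")

def trust_boundary_violations(flows):
    """Every dev -> prod flow is a finding, whether the SG accepted it or not."""
    return [(f["src"], f["dst"], f["dstport"], f["action"]) for f in flows
            if zone_of(f["src"]) == "dev" and zone_of(f["dst"]) == "prod"]

def scan_suspects(flows, min_ports=5):
    """One source probing many distinct ports on one host, all rejected."""
    ports = defaultdict(set)
    for f in flows:
        if f["action"] == "REJECT":
            ports[(f["src"], f["dst"])].add(f["dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}
```

The NODATA row shows why the parser checks log-status before converting fields: rows without capture data carry dashes instead of addresses and ports.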
If a response is warranted, Fusion can signal out to your infrastructure or your existing tech stack through our dozens of response integrations.
As threat actors increasingly use AI to facilitate access to your environment, you need a frictionless and proven way to detect malicious and anomalous activity once they’re inside. Netography Fusion delivers holistic network security and observability to improve detection and response across your hybrid, multi-cloud network.
Want to detect and respond to abuse, misuse, misconfiguration, or compromise in your environment? Sign up for a free trial or contact us for a demo.