How AI is closing identity and endpoint gaps that attackers exploit

Endpoints are among the weakest yet most valuable attack vectors, and with more companies pursuing AI development, the stakes are higher than ever. That’s one of several key takeaways from a roundtable discussion on the topic during Transform 2024.

Endpoints are under siege, especially for AI companies  

The level of effort and intensity adversaries are putting into tradecraft aimed at breaking AI companies’ endpoints is growing. From performing scans of every endpoint and looking for potential disconnects that lead to an easy breach, to fine-tuning malware-free tradecraft to launch undetectable breaches, adversaries are using living-off-the-land (LOTL) techniques that rely on legitimate tools to breach endpoints undetected. AI companies are a compelling target for their intellectual property, financials and future R&D plans.  

Malware-free attacks are growing across the enterprise software industry and AI community, with a specific focus on companies with leading AI, generative AI and machine learning (ML) technologies. Trading on the trust of legitimate tools, rarely generating a unique signature and relying on fileless execution, malware-free attacks are often undetectable.

Taking into account all malicious activity tracked by CrowdStrike in their recent Threat Hunting Report, 71% of detections indexed using CrowdStrike Threat Graph were malware-free. A total of 14% of all intrusions relied on remote monitoring and management (RMM) tools based on activity tracked by Falcon Advisory OverWatch. Attackers increased their use of RMM tools for malware-free attacks by an astounding 312% year-over-year in 2023.

Adversaries launching intrusion attempts combine multiple techniques at once, hoping to find gaps they can exploit. Weaknesses that lead to an AI company being breached include endpoints several months overdue for patch updates, lack of multi-factor authentication (MFA) and adversaries using privilege escalation. In one case, VentureBeat learned of a sophisticated man-in-the-middle (MitM) attack aimed at a leading enterprise software company revamping itself to an AI-first platform strategy.

More AI companies monitoring all telemetry data

Another key takeaway from the roundtable discussion is how more companies see real-time telemetry data as core to their endpoint security strategy. AI startups and leading AI companies are data-centric by nature, and their security teams are focused on how they can use real-time telemetry data to identify anomalous patterns and perform breach predictions.

Experts in the roundtable remarked that the data is proving invaluable for identifying the hardware and software configuration of every endpoint to every level — file, process, registry, network connection and device data.

BitDefender, CrowdStrike, Cisco, Ivanti, Microsoft Defender for Endpoint, Palo Alto Networks, Sophos, McAfee, Symantec Enterprise Cloud (Broadcom), VMware Carbon Black Endpoint and SentinelOne are leading vendors that capture real-time telemetry data and use it to derive endpoint analytics and predictions. Managing telemetry data is inherent in any enterprise-grade extended detection and response (XDR) system. An XDR is designed to provide more effective threat detection, investigation and response capabilities by offering a holistic view of threats across the entire digital environment.

Cisco’s deep expertise and decades of experience interpreting telemetry data are core to its go-forward cybersecurity strategy. The collaboration and networking giant is doubling down on native AI as the core of its go-forward cybersecurity strategy. This begins with the recently introduced HyperShield, Cisco’s new hyper-distributed framework that acts as an enterprise-wide security fabric. 

“It’s extremely hard to go out and do something if AI is thought about as a bolt-on; you have to think about it,” Jeetu Patel, EVP and GM of security and collaboration for Cisco, told VentureBeat, citing findings from the 2024 Cisco Cybersecurity Readiness Index. “The operative word over here is AI being used natively in your core infrastructure.”

Nikesh Arora, Palo Alto Networks chairman and CEO also told VentureBeat that “we collect the most amount of endpoint data in the industry from our XDR. We collect almost 200 megabytes per endpoint, which is, in many cases, 10 to 20 times more than most of the industry participants.” 

The importance of calculating IOAs and IOcs

CrowdStrike, ThreatConnect, Deep Instinct and Orca Security use real-time telemetry data to calculate indicators of attack (IOAs) and indicators of compromise (IOCs). IOAs focus on detecting an attacker’s intent and identifying their goals, regardless of the malware or exploit used in an attack. IOCs provide forensics to prove a network breach, including malicious IP addresses, URLs, file hashes and other known signs of compromise.

IOAs must be automated to provide accurate, real-time data to understand attackers’ intent and stop intrusion attempts. CrowdStrike, a leader in this space, has developed AI-powered IOAs that rely on real-time telemetry to further improve endpoint protection. Having AI integrated enables IOAs to operate synchronously with sensor-based ML and other defensive layers, significantly improving the detection and response capabilities against complex cyber threats.

Michael Sentonas, CrowdStrike president, told VentureBeat in a recent interview: “If you look at CrowdStrike’s conception in 2011, one of the things that George talked about was that we couldn’t solve the security problem unless we used AI. In the lead-up to going public as a company, he also talked about AI, and since we’ve gone public, every quarter when we talk to Wall Street, we talk about AI. We’ve been using AI as part of our efficacy models our prevention models, and we leverage AI when we do threat hunting. It’s a big core part of what we do”.

Ten areas where gen AI can help close the endpoint security gap

Nearly every AI-related startup or large-scale enterprise is dealing with a growing number of intrusion attempts. Every one of them sees gen AI as the answer to the challenge of protecting endpoints and their companies. Key areas that attendee companies participating in the VB Transform roundtable were the most interested in seeing gen AI make contributions to include the following.

Continuous network telemetry monitoring and verification: Tracking network telemetry and interpreting It at scale is one of the core foundations of zero trust. Gen AI’s ability to interpret device security status, continually verify the legitimacy of credentials and enforce least privileged access through modeling are necessary. Best of all, network telemetry-based insights can identify an intrusion attempt as it’s happening and, with the right agents, shut it down.

Real-time threat detection and response: In security, speed is critical. AI is being used today to increase the speed and accuracy of threat detection by analyzing massive amounts of telemetry data in real time, identifying complex patterns and responding to threats instantly.

Behavioral analysis and anomaly detection: Identifying subtle deviations from normal behavior patterns across users, devices and applications is table stakes for quickly identifying insider threats and more sophisticated attacks. A few of the companies at the roundtable are adopting this as part of their XDR strategies today.

Reduction of false positives as models learn more: Security operations center (SOC) teams are getting inundated with false positives. Using gen AI to identify an actual positive alert is the first step. Learning from those alerts and helping SOC analysts better decipher when there is a real threat is a great use case for gen AI. It immediately delivers more time to the teams that field false positive alerts throughout their day.

Automated threat response: Another high-priority design goal for XDR systems, all major XDR platform providers either are shipping this feature or have announced it. AI-powered XDR platforms can automate initial responses to threats, such as isolating compromised endpoints or blocking suspicious network traffic, speeding up incident response times.

Adaptive learning, including training LLMs on attack data: More of the leading cybersecurity companies are training large language models (LLMs) on attack data so their systems can react quickly. CrowdStrike co-founder and CEO George Kurtz told the keynote audience at the company’s annual Fal.Con event last year that “one of the areas that we’ve really pioneered is that we can take weak signals from across different endpoints. And we can link these together to find novel detections. We’re now extending that to our third-party partners so that we can look at other weak signals across not only endpoints but across domains and come up with a novel detection.” Training LLMs with endpoint data is the future of cybersecurity.

Enhanced real-time visibility and correlation. Aggregating and correlating data from a broad base of telemetry data are now table stakes for any XDR platform, as it improves real-time visibility and event correlation. Gen AI is already being integrated into more XDR platforms as a result.

More accurate threat hunting: AI/ML models are proving effective in identifying signs of compromise legacy systems would have missed. One area where AI/ML is paying off the most in real-time breach identification and a significant reduction in false positives and negatives.

Automating manual workloads on the SOC: Security analysts face the challenging tasks of documenting significant alerts and keeping up with reporting. Using AI to automate reporting for compliance immediately frees them up to work on more complex — and interesting — tasks.   

More precise predictive analytics: An area of competitive intensity between XDR platform providers, predictive analytics continues to become more intuitive and real-time. Every XDR platform relies on them to forecast future attack trends and vulnerabilities. AI/ML is bringing greater predictive accuracy and insight to this area. 

Conclusion

The era of weaponized AI is here, and XDR platforms need to step up and take on the challenge of getting all the value they can out of AI and ML technologies if the cybersecurity industry and the many organizations they serve are going to stay safe. No one can afford to lose the AI war against attackers who see the gaps in identities and endpoints as an opportunity to take control of networks and infrastructure.