Automation in Cybersecurity: Salvation or Loophole for Cybercriminals

Sergey Soldatov, Head of the Kaspersky Security Operations Center, emphasizes the importance of evolving endpoint protection (EPP) and threat intelligence to counter increasingly complex cyber threats, leveraging automation and machine learning.

Cybersecurity providers are primarily research centers that confront threats and develop technologies for detecting and preventing them. They constantly strive to offer the most effective and reliable threat management mechanisms. Developing any cybersecurity solution is an investment of resources, and the nature of threats constantly changes: attacks become more complex in response to technological advances in threat management, which in turn drives a new wave of advances in protective solutions.

Attack techniques and procedures are constantly evolving, and the more effectively they are countered, the faster attack methods progress. Defending against modern threats therefore requires modern endpoint protection mechanisms that can withstand new attack tactics and techniques.

What is Endpoint Protection?
Endpoint protection refers to modern platforms that combine a variety of technologies to manage threats. The detection logic of these solutions can be implemented on the endpoint or in the cloud, and threat detection can be based on malicious objects (files, IP addresses, URLs, memory objects, operating system objects) or on behavioral characteristics.

By endpoint protection we mean a system that can manage threats fully automatically. An Endpoint Protection Platform (EPP) can do this when an attack can be processed effectively and successfully without human involvement. If the attack is more complex and sophisticated, a specific set of technologies has to be developed for it. There is no fundamental difference between a modern EPP and a “fully automatic EDR (Endpoint Detection and Response)”, because any task that can be solved completely automatically should be solved within the endpoint protection system.

Threat Intelligence also plays a crucial role in high-quality threat detection, because the more threat data we have, the broader our threat management capabilities. Furthermore, it is impossible to develop protection technologies or conduct any threat research without the latest Threat Intelligence.

Automation of malicious software. How do cybersecurity companies combat this threat?
Cybersecurity vendors use various approaches to threat management, often combining detection based on malicious tools with behavioral analysis.

For any identified threat scenario, “circular” detection is always used: for the same attack technique, multiple management approaches built on different technologies, including threat analytics, are developed. This significantly reduces the likelihood of missing a threat. If an attack does occur on a host, telemetry from that host is transmitted to the cloud and processed with more advanced algorithms, and automatically created rules then protect other hosts from similar threats.

Should neural networks be used in developing cybersecurity solutions?
A neural network is one implementation of machine learning. To train a model, a training set is needed on which the model adjusts its parameters so that it can apply the acquired “experience” to real data. However, it is important to remember that the future never exactly repeats the past, especially when attacks are led by a person with their limitless capacity for improvisation and adaptation.

One solution may be to separate attacks into techniques and procedures, and detect TTPs (Tactics, Techniques, and Procedures) and their popular combinations. Machine learning, deep learning, and neural networks are tools for addressing threat management tasks. Machine learning is useful, but it is not a magic solution to all problems — it is one of the technological approaches in the arsenal of threat researchers developing threat management mechanisms.
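The two ideas above, “circular” detection (several independent detectors for one technique, with telemetry promoted into object-level rules that protect other hosts) and detection of TTPs and their popular combinations, can be sketched in a few dozen lines. The following is an added illustration, not Kaspersky's code: the event schema, the detector logic, the mapping of detectors to MITRE ATT&CK technique ids, and every hash and IP value are assumptions made here, and the telemetry is constructed.

```python
"""Layered ("circular") detection and TTP correlation over constructed telemetry.

Added illustration, not Kaspersky's code. Event schema, detector logic, IoC
values and the ATT&CK technique mapping are all assumptions made here.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]

# Layer 1: object-based detection. The IoC store is a plain dict so that rules
# created "in the cloud" can be pushed back into it for every host.
def make_ioc_store() -> Dict[str, Set[str]]:
    return {"sha256": {"0000constructedbadhash0000"},   # constructed placeholder
            "dst_ip": {"203.0.113.77"}}                 # RFC 5737 documentation address

def ioc_match(ev: Event, ioc: Dict[str, Set[str]]) -> List[str]:
    return [f"ioc:{field}" for field, values in ioc.items() if ev.get(field) in values]

# Layer 2: behavioral detectors. Several independent detectors cover the same
# technique, so one missed signal does not mean a missed technique.
OFFICE = {"winword.exe", "excel.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def _img(ev: Event, key: str = "image") -> str:
    return ev.get(key, "").lower()

def office_spawns_interpreter(ev: Event) -> bool:
    return ev["type"] == "process" and _img(ev, "parent") in OFFICE and _img(ev) in INTERPRETERS

def encoded_powershell(ev: Event) -> bool:
    return ev["type"] == "process" and _img(ev) == "powershell.exe" and "-enc" in ev.get("cmdline", "").lower()

def interpreter_network(ev: Event) -> bool:
    return ev["type"] == "network" and _img(ev) in INTERPRETERS

# Technique ids are MITRE ATT&CK ids; which detector maps to which is our assumption.
DETECTORS: Dict[str, List[Callable[[Event], bool]]] = {
    "T1204": [office_spawns_interpreter],                      # User Execution
    "T1059": [office_spawns_interpreter, encoded_powershell],   # Command and Scripting Interpreter
    "T1071": [interpreter_network],                            # Application Layer Protocol
}
# A "popular combination": all three techniques on one host count as a confirmed
# chain rather than three isolated suspicions.
CHAIN = frozenset({"T1204", "T1059", "T1071"})

def techniques_for(ev: Event) -> Set[str]:
    return {tid for tid, dets in DETECTORS.items() if any(d(ev) for d in dets)}

def evaluate(events: List[Event], ioc: Dict[str, Set[str]]) -> Tuple[list, List[str]]:
    """Endpoint side: per-event verdicts plus per-host technique sets for correlation."""
    verdicts, per_host = [], defaultdict(set)
    for ev in events:
        hits = ioc_match(ev, ioc)
        techs = techniques_for(ev)
        per_host[ev["host"]] |= techs
        if hits:
            verdicts.append((ev["host"], "block", hits))
        elif techs:
            verdicts.append((ev["host"], "suspicious", sorted(techs)))
    chains = sorted(h for h, t in per_host.items() if CHAIN <= t)
    return verdicts, chains

def promote_to_ioc(events: List[Event], host: str, ioc: Dict[str, Set[str]]) -> Set[str]:
    """Cloud side: objects touched by the interpreter on a host with a confirmed chain
    become object-level rules, so other hosts block them before any behaviour is seen."""
    promoted = set()
    for ev in events:
        if ev["host"] != host or _img(ev) not in INTERPRETERS:
            continue
        field = {"file": "sha256", "network": "dst_ip"}.get(ev["type"])
        if field and ev.get(field):
            ioc[field].add(ev[field])
            promoted.add(ev[field])
    return promoted

# Constructed telemetry: host-a shows a full chain; host-b only meets the same objects.
EVENTS: List[Event] = [
    {"host": "host-a", "type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc QUJD"},
    {"host": "host-a", "type": "network", "image": "powershell.exe", "dst_ip": "198.51.100.5"},
    {"host": "host-a", "type": "file", "image": "powershell.exe", "sha256": "1111constructedsample1111"},
    {"host": "host-b", "type": "file", "image": "explorer.exe", "sha256": "1111constructedsample1111"},
    {"host": "host-b", "type": "network", "image": "chrome.exe", "dst_ip": "198.51.100.5"},
]

if __name__ == "__main__":
    ioc = make_ioc_store()
    verdicts, chains = evaluate(EVENTS, ioc)
    print("first pass:", verdicts, "chains:", chains)
    for h in chains:
        print("promoted from", h, ":", promote_to_ioc(EVENTS, h, ioc))
    print("second pass:", evaluate(EVENTS, ioc)[0])
```

On the first pass only host-a produces verdicts, and the correlation step recognises the chain there. After the cloud-side promotion, the hash and destination address observed on host-a are blocked on host-b purely by the object layer, even though host-b never exhibited any of the behaviours. Note that real promotion logic needs to be much narrower than "everything the interpreter touched" to avoid blocking legitimate destinations.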

Instead of a conclusion
All scenarios involving completely automated attacks will be neutralized automatically within the EPP. In the long term, the focus will shift to automating threat management: databases of automatically classifiable techniques and procedures will be replenished, and the range of technologies for preventing identified attacks effectively, efficiently and in a fully automated manner will expand. However, because attackers adapt endlessly, the need for threat research and proactive threat hunting will not disappear, so developing telemetry for the needs of SOC teams and threat researchers will remain a significant direction in the development of EPP providers.