Predicting the future of AI and analytics in endpoint security

Gaps in endpoints are the fuel that’s driving an increasingly intense arms race between bad actors and cybercriminal gangs versus cybersecurity vendors and organizations they protect. The arms race in endpoint security is accelerating, thanks to the increasingly aggressive use of AI and ML by bad actors, cybercriminal gangs and APT criminals intent on wreaking havoc or shutting down organizations for financial gain. 

Exposed services and endpoints a fast onramp 

Palo Alto Network’s Unit 42 research unit deployed 320 honeypots across North America (NA), Asia Pacific (APAC) and Europe (EU) last year. The research analyzed the time, frequency and origins of the attacks observed. Using a honeypot infrastructure of 320 nodes deployed globally, researchers aimed better to understand the attacks against exposed services in public clouds. Unit 42 researchers found that 80% of the 320 honeypots were compromised within 24 hours, and all were compromised within a week. For example, the most attacked SSH honeypot was compromised 169 times in a single day, and one threat actor compromised 96% of the 80 Postgres honeypots globally within 30 seconds. 

What’s troubling about Unit 42’s findings for endpoints is that 40% of enterprises are still using spreadsheets to track digital certificates manually, and 57% of enterprises don’t have an accurate inventory of SSH keys. These two factors contribute to the widening gap in endpoint security that bad actors are highly skilled at exploiting. It’s common to find organizations that aren’t tracking up to 40% of their endpoints, according to a recent interview with Jim Wachhaus, attack surface protection evangelist at CyCognito. Jim told VentureBeat that it’s common to find organizations generating thousands of unknown endpoints a year. Supporting Jim’s findings are CISOs who tell VentureBeat that keeping track of every endpoint defies what can be done through manually-based processes today as their IT staffs are already stretched thin. Add to that how CIOs and CISOs are battling a chronic labor shortage as their best employees are offered 40% or more of their base salary and up to $10,000 signing bonuses to jump to a new company, and the severity of the situation becomes clear. In addition, 56% of executives say their cybersecurity analysts are overwhelmed, according to BCG. 

CISOs turn to AI for insights and scale 

Relying on AI, machine learning, and analytics to improve endpoint visibility and control isn’t optional anymore. Bad actors and cybercriminals automating their attacks using AI and machine learning can generate thousands of attempts a second – far more than the best cybersecurity analyst teams can keep up with. Staying at parity in the arms race requires a solid data-driven approach using AI, machine learning, and predictive analytics. 

The following are examples of how cybersecurity vendors are integrating these technologies into the platforms and defining the future of AI and predictive analytics for endpoint security: 

• Using machine learning and NLP to discover and map all endpoints. Often organizations don’t know how many endpoints they have, where they are located and if they’re protected or not. This is a great use case for combining machine learning algorithms and Natural Language Processing (NLP) techniques to discover and map endpoints across an organization. One of the leaders in Attack Surface Management (ASM) is CyCognito, which relies on a scalable process of discovering, classifying and assessing the security of an organization’s IT ecosystem. Jim Wachhaus from CyCognito created the following maturity model based on anonymized, aggregated customer data:

• The rapid adoption of AI-based real-time authentication and behavioral analytics. Using predictive artificial intelligence (AI) and machine learning to adapt security policies and roles to each user in real-time based on the patterns of where and when they attempt to log in, their device type, device configuration and several other classes of variables in proving effective. Leading providers include Blackberry Persona, Broadcom, CrowdStrike, CyberArk, Cybereason, Ivanti,  Kaspersky SentinelOne, Microsoft,  McAfee, Sophos, VMWare Carbon Black and others. Enterprises say this approach to using AI-based endpoint management decreases the risk resulting from lost or stolen devices, also protecting against device and app cloning and user impersonation.

• AI and machine learning will continue improving patch management to reduce ransomware. Last year’s most notorious ransomware attacks partly started because endpoints weren’t up to date on patches. The Colonial Pipeline, Kaseya, and JBS Meat Packing ransomware attacks show how bad actors are going after large-scale infrastructure for lucrative cash and bitcoin payoffs. AI-based bot management platforms are also helping to improve IT Service Management (ITSM) and IT Asset Management (ITAM) by providing real-time visibility and control of every endpoint. Inventory-based and fleet-based approaches to patch management are often based on incomplete data and can’t react fast enough to keep up with the growing complexity of threats. Add to that the fact that enterprises now have an average of 96 unique applications per device, including 13 mission-critical applications based on a recent Absolute survey, and the scope of the challenge in keeping endpoints current becomes clear. Improving predictive analytics accuracy is the cornerstone of moving patch management out of the inventory-intensive era it’s stuck in today to a more adaptive, contextually intelligent one capable of thwarting ransomware threats.

The future of ransomware detection and eradication is data-driven. The sooner the bot management providers get there, the better the chance to slow the pace of attacks dominating the global cybersecurity landscape. Microsoft’s acquisition of RiskIQ last year to strengthen its cloud-native products and Ivanti’s acquisition of RiskSense in 2021 reflect the high priority enterprises are putting on defeating ransomware with data-driven patch management. Ivanti’s acquisition of RiskSense allowed them to gain the largest and most diverse data set of ransomware attacks available, along with RiskSense’s Vulnerability Intelligence and Vulnerability Risk Rating. RiskSense’s Risk Rating reflects the future of data-driven patch management as it prioritizes and quantifies adversarial risk based on factors such as threat intelligence, in-the-wild exploit trends and security analyst validation. Ivanti’s Neurons for Patch Management and Neurons for Patch Intelligence improve patch reliability while improving endpoint visibility and control.  

What’s still needed in AI and analytics 

The future of AI and analytics in endpoint security needs to quantify risk whenever possible, followed by achieving faster Service Level Agreements (SLAs) with patch reliability. Add to that the need for improved insights on how to automate patching further while identifying non-compliant systems with AI-assisted compliance reporting, and the cybersecurity industry has a solid roadmap to work from. EPP platform providers are struggling to gain greater endpoint visibility and control, expect to see more acquisitions in 2022. Private equity investors are always looking for opportunities to aggregate best-of-breed cybersecurity vendors into new platforms. More consolidation in this market will be driven by CISO’s need to manage fewer apps and platforms and deliver a greater contribution to business outcomes and risk management.