One of the megatrends in the cybersecurity industry is AI-based protection. AI-driven threat hunting in particular is thriving as organizations navigate a digital world filled with hidden threats and unknown vulnerabilities.
We talked to Chen Burshan, CEO of Skyhawk Security, at AWS re:Invent, to learn how they leverage AI for threat detection and response.
Testing Defenses with AI
“One of the benefits and challenges in the cloud is that it’s very easy to deploy changes. The continuous deployment creates a security challenge because the environment changes all the time, therefore the risk changes all the time,” notes Burshan.
Spotting camouflaged threats in such a busy environment requires unusual attention to detail. Adversaries have the means to build bespoke attacks that, at machine scale, can cause unprecedented damage.
A familiar concept in cybersecurity is offensive/defensive security. It is an exercise borrowed from military training. The security team splits up to form a red team and a blue team. The red team tries to orchestrate an attack by modeling malicious behaviors, while the blue team tries to defend the ecosystem. This way, they can safely test the effectiveness and resilience of the network's security.
Skyhawk adopts the same approach, but with AI. At AWS re:Invent, Skyhawk announced a new capability that leverages generative AI to forecast attacks proactively. The solution has an AI-based blue team that forms the defensive part of the solution. The red team is an offensive addition whose job is to ingest information and generate all possible attack scenarios.
“This helps our customers to prepare against the most imminent risks that are relevant to them. It also helps fine-tune and get the Cloud Detection and Response (CDR) piece ready according to the relevant trends to the customers. That’s why the end result is adaptive CDR,” he said.
The platform forms an autonomous purple team that continuously performs this exercise. No matter how complex or dynamic the ecosystem is, continuous testing ensures that the security stack remains effective against all incoming threats.
Tapping into the Power of AI
Using machine learning makes perfect sense in cybersecurity, and it has no doubt changed the equation for attackers, but how it is applied also makes a big difference. With undertrained models, for example, it is no better than the reactive tools of the pre-cloud era: it can underestimate many of the risks and open the environment up to breaches. Defenders need to take heed and harness the speed and sophistication that AI is capable of.
Amid industry-wide AI washing, Skyhawk reinforces protection by capturing the full potential of AI. There are three layers of machine learning at work. The first layer is where a glut of raw data is accumulated. Skyhawk models digest all kinds of telemetry from the environment and third-party services over APIs, learning about the inventories, the crown jewels, the topology, and the paths of least resistance.
“As a company that’s been serving multiple customers over five years, we have a lot of data on threats. We have models that are tuned globally, but also on specific customers’ environments, and we apply this data so that we can have the most accurate threat detection for our customers,” says Burshan.
At the next layer, Skyhawk filters the noise out of the data through event correlation and distills it down to the important bits. Using a second set of AI models to crunch this tremendous amount of data saves vast amounts of time and effort.
Skyhawk models are trained and retrained continuously with the latest threat intelligence from the customers’ environments. That data is rolled into the global threat intelligence that Skyhawk has access to. This automated deep learning ensures that the models are learning to recognize new anomalies and behaviors continually, and are getting better over time.
Prolonged periods of decision making in high-stakes scenarios such as this often lead to cognitive burnout in security professionals. The result is low-confidence decisions that can heavily impact security. To avoid that, Skyhawk organizes threat intelligence into a single alert that carries all the information of interest.
The last layer is the generative AI layer, which acts like a virtual incident responder, accelerating the work of human incident responders.
“In order to be able to deal with data drift as well as to prevent bad actors from being able to evade detection, our models are deploying new models and retraining daily on each customer’s environment. So basically we see how the data drift and changing behaviors happen, and update models daily for our customers.”
This allows the platform to make fine-grained observations and produce analytics in near real time.
Skyhawk’s solution works in any cloud-native environment. Burshan dispelled the misconception that the platform works like a firewall. “It’s not an edge protection. It protects the environment from the inside,” he explained.
The red and blue teams, by challenging each other, keep each other sharp. “It also helps to learn how to adapt to the constantly changing environment,” added Burshan.
Available in AWS Marketplace, Skyhawk’s platform is consumed as a SaaS solution with quick, hands-off onboarding, and fast time to value.
Contact Skyhawk Security at Skyhawk.security for a free demo. You can also check out their free Cloud Security Posture Management (CSPM) product to get hands-on with the solution. For more such interesting interviews from AWS re:Invent, keep reading here at Gestalt IT. Also check out the Utilizing AI Podcast on Gestalt IT for more stimulating discussions on AI.