Leveraging AI in Cybersecurity Risk Modeling & Mitigation
Originally, there was a poor understanding of why cyber breaches were happening. In the early 2000s, Verizon began developing a standardized methodology for describing breach incidents. This helped to prioritize which breaches were most troubling or urgent.
Challenge: most businesses have limited budgets, resources, and technology that would be needed to effectively deal with breaches.
What is needed: the ability to build a strategic plan for predictive elements.
Bottom line: we want to get better at figuring out when and where a security breach is likely to happen.
Training the modeling with real-world data
To achieve results, Verizon invited expert collaborators to do the necessary research. One of the initial goals was not to present this project as a marketing or sales tool, but rather as a project grounded in real knowledge.
All the data published in the resulting reports is based on actual evidence, from hundreds of thousands of breach incidents. The project gathered hundreds of thousands of metrics about every single breach.
Note: none of this is survey-based. Verizon needed the data to be concrete and rock solid, so that incidents could be compared apples-to-apples.
Unique sources of cybersecurity threat intelligence
Verizon doesn’t get its data only from its own breaches. It also looks to breaches found in other organizations: financial services, retail, transportation, hospitality, energy utilities, manufacturing, healthcare and others.
Also, Verizon is a giant Internet service provider (ISP). Analytics can be performed on the data it carries in order to look for threats and risks. This also can feed into its overall data pool.
After reviewing and researching hundreds of thousands of incidents, information was broken down and analyzed.
90 percent of all the incidents in the entire data set fit into one of these nine breach-type categories:
- Point of sale intrusions
- Web app attacks
- Insider misuse
- Physical theft/loss
- Misc. errors
- Card skimmers
- Denial-of-service attacks
- Cyber espionage
- Everything else
Who (and where) are the threat actors?
One of the most common questions asked: is the threat coming from the inside or the outside? The difference is fairly stark.
Not all breaches are the same. Most insiders already have legitimate access, or, put another way, the “keys to the kingdom.”
Most of the breaches seen in this research are inside actors exploiting the access that they’ve already been granted. Behavioral patterns are assessed for analytics and predictions.
External actors can be anyone from organized crime to a nation state.
Dollar impact of internal vs. external threat actors
- External threat actor incidents sometimes go on for weeks, months and even years before the victim identifies them.
- Internal threats tend to be lower and slower. It all depends on the kind of data you’re dealing with.
Threat actions include:
Key takeaway: securing against an insider is dramatically different from securing against an outsider.
From this data, Verizon created a risk report.
How do you take this data and make it relevant? How do you predict the likelihood of certain breaches?
- There is no perfect solution. The model is honed on a daily basis to bring it closer to reality, and it depends on the large quantities of data that feed into it.
- That data is scored so that companies can understand where they stand in terms of the threats and risks that they face. Issues can be carved out by industry, sector, size, geography, and the systems being used.
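The notes above describe three steps: sorting incident records into the nine breach-type categories, splitting them by actor (inside vs. outside) and discovery time, and scoring the result so an organization can see where it stands within its industry. The following Python script is an added illustration of that pipeline and is not Verizon's code or scoring method. The incident records are constructed, the field names (actor, action, asset, industry, days_to_discover) are my assumption, the category rules are a simplified mapping, and the "relative risk" score (an industry's share of a category divided by the overall share) is an illustrative formula, not the one used in the report.

```python
"""Toy breach-incident analytics: categorize, carve out by industry, score.

All data and rules here are constructed for illustration; none of it is
Verizon's data, taxonomy or scoring method.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample incidents (not real breach data).
INCIDENTS = [
    {"actor": "external", "action": "malware", "asset": "pos_terminal", "industry": "retail", "days_to_discover": 120},
    {"actor": "external", "action": "sqli", "asset": "web_server", "industry": "retail", "days_to_discover": 45},
    {"actor": "external", "action": "skimmer", "asset": "atm", "industry": "finance", "days_to_discover": 30},
    {"actor": "internal", "action": "privilege_abuse", "asset": "database", "industry": "finance", "days_to_discover": 200},
    {"actor": "internal", "action": "misconfiguration", "asset": "firewall", "industry": "healthcare", "days_to_discover": 10},
    {"actor": "external", "action": "dos", "asset": "web_server", "industry": "finance", "days_to_discover": 1},
    {"actor": "external", "action": "espionage", "asset": "workstation", "industry": "manufacturing", "days_to_discover": 400},
    {"actor": "internal", "action": "loss", "asset": "laptop", "industry": "healthcare", "days_to_discover": 3},
    {"actor": "external", "action": "malware", "asset": "pos_terminal", "industry": "hospitality", "days_to_discover": 90},
    {"actor": "external", "action": "ransomware", "asset": "file_server", "industry": "manufacturing", "days_to_discover": 14},
]

# Ordered rules: the first predicate that matches wins. Action-based rules come
# before asset-based ones so a DoS against a web server is not filed as a web
# app attack. Anything unmatched falls into "Everything else".
CATEGORY_RULES = [
    (lambda i: i["action"] == "skimmer", "Card skimmers"),
    (lambda i: i["action"] == "dos", "Denial-of-service attacks"),
    (lambda i: i["action"] == "espionage", "Cyber espionage"),
    (lambda i: i["action"] in ("theft", "loss"), "Physical theft/loss"),
    (lambda i: i["action"] == "misconfiguration", "Misc. errors"),
    (lambda i: i["actor"] == "internal" and i["action"] == "privilege_abuse", "Insider misuse"),
    (lambda i: i["asset"] == "pos_terminal", "Point of sale intrusions"),
    (lambda i: i["asset"] == "web_server", "Web app attacks"),
]


def categorize(incident):
    """Map one incident record to one of the nine breach-type categories."""
    for predicate, name in CATEGORY_RULES:
        if predicate(incident):
            return name
    return "Everything else"


def category_shares(incidents, industry=None):
    """Fraction of incidents per category, optionally carved out by industry."""
    subset = [i for i in incidents if industry is None or i["industry"] == industry]
    counts = Counter(categorize(i) for i in subset)
    total = len(subset)
    return {name: n / total for name, n in counts.items()} if total else {}


def relative_risk(incidents, industry):
    """Illustrative score: industry share / overall share for each category.

    A value above 1 means the category is over-represented in that industry
    compared with the whole data pool (hypothetical formula, not Verizon's).
    """
    baseline = category_shares(incidents)
    carved = category_shares(incidents, industry)
    return {name: share / baseline[name] for name, share in carved.items()}


def median_days_to_discover(incidents):
    """Median time-to-discovery split by actor origin (inside vs. outside)."""
    by_actor = defaultdict(list)
    for i in incidents:
        by_actor[i["actor"]].append(i["days_to_discover"])
    return {actor: median(days) for actor, days in by_actor.items()}


if __name__ == "__main__":
    for name, share in sorted(category_shares(INCIDENTS).items(), key=lambda kv: -kv[1]):
        print(f"{name:28s} {share:.0%}")
    print("retail relative risk:", relative_risk(INCIDENTS, "retail"))
    print("median days to discover by actor:", median_days_to_discover(INCIDENTS))
```

The rule order is the part worth attention in practice: a record that matches several categories is assigned by the first matching rule, so the mapping should be reviewed whenever a rule is added, otherwise the category shares (and any score built on them) shift silently.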
Three perspectives in the report:
Outside-in view (the easiest of the three): looking at the surface of what can be seen about the organization from outside.
Inside-out view: hooking into tools inside the organization and collecting metrics. The goal is to see how the organization compares with other companies for which Verizon has collected data. This view gives deeper granularity on what that organization looks like.
Culture and process: a lot of these breaches are not just about gaps in technology. Organizations often become overwhelmed and buy so much technology that they don’t know how to use it. That can be more problematic than beneficial, and it can also present new and different types of exposure. Usually, people are a big component of the problem; it’s often about human error (example: somebody didn’t close a port on a firewall). Therefore, questions must be asked: how effective is the company policy? Is there a gap that could lead to breaches? A lot of people tend not to report unusual activity, thinking that it’s just IT working, or that IT is already on top of it.
Note: breaches have a really long tail in terms of costs. You’re spending massive amounts of money on incident response, legal support, PR, and crisis communications — usually within those first six months to a year, but it can go on even longer.
Bottom line: take all of this data, map it out, and use it to predict where a breach is likely. The program is fed with real data from actual breaches that have occurred, and it continues to evolve.