Smart Cyber How AI Can Help Manage Cyber Risk - Deloitte


Managing cyber risk with smart cyber

In the digital age, artificial intelligence technologies are starting to have the same kind of game-changing impact that factories and assembly lines had on manufacturing at the dawn of the industrial age—dramatically improving efficiency and enabling new products, services, and business models that simply weren't possible before.

Driven by internal and external pressures to continuously evolve and mature their capabilities for mitigating and minimizing cyber risk, organizations are actively exploring new technologies and improvement opportunities wherever possible.

Artificial intelligence (AI) is a hot topic in the boardroom and at the watercooler, pushing innovation to new heights in many business areas. Advancements in AI technologies, processing capabilities, and data availability are enabling computer systems to perform tasks that once required human intelligence to execute. Examples of these include machine learning, natural language processing, speech recognition, computer vision, image comprehension, and robotics.

In cyber, AI technologies can improve threat intelligence, prediction, and protection. They can also enable faster attack detection and response, while reducing the need for human cybersecurity experts—specialists who are in critically short supply these days.[1] AI can learn from security analysts and improve its performance over time, leading to time savings and better decisions. These "smart cyber" capabilities are urgently needed as cyber attacks continue to grow in volume and sophistication.

Analytics and big data are a key enabler for AI, making it possible to process and analyze vast quantities of data—with parsing, filtering, and visualization done in near real-time. The adoption of advanced analytics is also a critical step toward becoming an insight-driven organization.

This report describes how you can use AI technologies to improve your cybersecurity capabilities and manage cyber risk more efficiently and effectively.

[1] The changing faces of cybersecurity: closing the cyber risk gap, Deloitte, 2018

A perfect storm for cyber risk

Cybersecurity is one of the biggest challenges of the digital age. And it keeps getting bigger.

The cyber threat landscape is growing exponentially. Insider threats are learning to evade signature-based systems, and bad actors are using AI to avoid detection by learning the most common detection rules. The size and complexity of this growing challenge is overwhelming cybersecurity teams, while the qualified cybersecurity talent necessary to successfully fight back is increasingly expensive and hard to find.

With all these forces combined, a perfect storm is forming—but organizations can employ emerging technologies to help them weather the worst.

[Graphic: forces behind the perfect storm: cyber risks and events growing exponentially; lack of clarity and compromised decision-making; shortage and expense of security skills; overwhelmed teams and technology; concerns about reputation nearly double as the future is considered; repercussions of incidents and breaches increasing.]

Smart cyber technologies span a broad spectrum, from basic rules-based automation that mimics human action to predictive artificial intelligence that mimics or even surpasses human intelligence and judgment (Figure 01).

Figure 01: The spectrum of smart cyber technologies

Robotic process automation (mimics human actions)
- Used for rules-based processes
- Enables: faster processing time, higher volumes, fewer errors

Cognitive automation (mimics/augments quantitative human judgment)
- Used for judgment-based processes
- Capable of: machine learning, natural language processing, interpretation of human behaviour

Artificial intelligence (augments human intelligence; mimics human intelligence)
- Used for making predictive decisions
- Dynamically self-adapting and self-managing
- Used for machine intelligence that learns unsupervised, but also communicates and interacts seamlessly with humans (or human associates) as cohorts

Machine learning uses statistical techniques and algorithms that iteratively learn from data, automatically building and improving models without additional programming. This has numerous potential applications in cybersecurity, such as enabling automated and predictive cyber capabilities whereby an intelligent software agent could identify an active attack and make the necessary changes to thwart it.

Natural language processing (NLP) also has many critical applications in cybersecurity, including the prevention of data leakage. Using behavioural analytics to create baseline markers of normal user behaviour, NLP could develop a profile for each user and then monitor for abnormal occurrences while continually learning and inferring from new behaviour patterns.

In the realm of cybersecurity and cyber risk, current capabilities are most mature on the robotic process automation (RPA) side of the technology spectrum. However, the more sophisticated end (cognitive and artificial intelligence) is rapidly evolving. This is being driven by five main factors:

1. The rising accuracy of predictive algorithms. Advances in machine learning are improving the ability of predictive risk intelligence to accurately identify emerging risks.
2. The declining costs of technology. As automation and computing capabilities get faster and cheaper, it's becoming more economical to operationalize predictive risk models.
3. The increasing availability of rich data sources. Coupled with advances in unstructured data analytics, the availability of rich external and internal data sets is increasing the power and impact of predictive risk intelligence.
4. The growing sophistication of AI technologies. AI now has the ability to generate its own hypotheses (such as predicting attack techniques) and then provide recommendations to address them.
5. The use of risk management to drive business value. Risk is an integral part of business; however, gaining the predictive insight to make smarter decisions can be a valuable source of competitive advantage.

According to MIT's Computer Science and Artificial Intelligence Laboratory, the foreseeable future of cybersecurity will likely revolve around a hybrid approach, with humans and machines working together to manage cyber risk more effectively and efficiently.

Benefits of smart cyber

By applying AI and advanced analytics to vast amounts of internal and external data, smart cyber technologies can generate predictive, usable insights that help you make better cyber decisions and protect your organization from threats. They can also help you detect and respond to threats faster by monitoring the cyber environment with a level of speed and accuracy only machines can provide. Perhaps most important, smart cyber helps you keep pace with today's endless barrage of increasingly sophisticated attacks.

The traditional layered approach to cybersecurity is only capable of deterring and detecting the least sophisticated threats. Meanwhile, modern cyberattacks are being carefully designed to circumvent traditional security controls by learning detection rules. Also, traditional controls may not adequately address insider threats, which are an insidious form of attack from people with legitimate access.

By tapping into a wide range of data sources, smart detection platforms can learn and recognize normal behaviour, develop baselines and detect outliers, identify malicious actions that resemble previously seen events, and make predictions about previously unseen threats. These objectives cannot be achieved with traditional rules and signature-based controls.

In addition, smart cyber technologies perform tasks in a highly consistent and repeatable way, reducing manual intervention and human errors. This has the extra benefit of making it easier to secure, manage, and audit the cyber environment to achieve compliance with government regulations and other external requirements.

Last but not least, smart cyber technologies can help you make the most of scarce cybersecurity talent. They enable your cyber teams to get the job done with fewer resources by, first, doing the heavy lifting on routine, labour-intensive tasks so human experts can focus on activities that are more valuable and strategic, and, second, giving cyber specialists the tools to perform at a high level without requiring years of experience and training.

Key benefits of smart cyber technologies:

- They complement existing security controls and applications in detecting progressive, emerging, and unknown threats.
- They enhance the threat-hunting process by collecting, correlating, and analyzing a wide range of security data.
- They enable enterprises to detect advanced persistent threats and identify indicators of compromise that may go undetected with existing security defences.
- They determine threat patterns by tapping into threat intelligence feeds, vulnerability information, device event logs, and contextual data—enabling proactive and predictive security insights.

Getting in front of risks with predictive risk intelligence

Cyber risk management has typically been a reactive activity, focusing on risks and loss events that have already occurred. But with the rising adoption of advanced analytics and AI technologies, the practice is becoming more forward-looking and predictive.

Predictive risk intelligence uses analytics and AI to provide advance notice of emerging risks, increase awareness of external threats, and improve an organization's understanding of its risk exposure and potential losses.

Monitoring activities now occur throughout the risk management lifecycle, and can be divided into three categories:

- Reactive activities. Capture losses and identify near-miss past events. Develop baseline information to quantify the impact of losses from events. Report on the status of current risks and corrective actions.
- Predictive activities. Accumulate and integrate internal and external information to provide reporting alerts in near real-time. Describe trends and emerging risks. Use reactive and integrated inputs to generate predictive risk insights with advanced analytics.
- Integrated activities. Objectively measure risk performance by facilitating the development of key risk indicators, key performance indicators, and associated threshold measures. Enable an accurate description of risk exposure by providing a holistic view across the entire organization.

How to apply predictive risk intelligence to your organization

This type of risk intelligence could likely help your organization in four important cybersecurity areas:

- Risk-related decision-making. Analyzing large volumes of contextual data and decision points to determine rational choices, thus helping executives make strategic and financial decisions that align with the organization's risk appetite (e.g., analyzing historical investment data and real-time financial news to make investment decisions; rationally assessing and evaluating asset risks).
- Risk-sensing. Identifying or predicting risks that are difficult for humans and rules-based systems to spot, such as new categories of risks, diffused risk signals, or potential sources of future risks (e.g., using data from public forums—such as social media and blogs—where customers, critics, and others gather to discuss and assess an organization's reputation and related risks).
- Threat monitoring and detection. Tracking activities and entities to establish normal behaviour, and detecting sources of anomalies that could create potential risks (e.g., fraud and money-laundering detection; insider-threat detection, including cyber and compliance risks from insiders; real-time cyber threat intelligence).
- Automation of risk processes. Automating labour-intensive, error-prone, complex risk processes that deal with high volumes of structured and unstructured data (e.g., third-party due diligence; identity and access management; credit risk management; model risk management)—especially processes that could benefit from a tool that self-learns over time.

Where to start

Many companies are sitting on a wealth of valuable data that's buried beneath a jumble of inefficient and disconnected business processes, making it hard to know where and how to get started. To help you, Deloitte developed a capability-based framework to identify specific areas where AI technologies and cyber analytics can be applied. The framework is depicted as a table that spans all phases of cybersecurity (Figure 02).

[Figure 02: The periodic table of cybersecurity elements. Each cell shows a capability number, a symbol, and a capability name (for example, St: Strategy and operating model). Groupings shown include Governance, Secure, Resilient, Threat intelligence, and Security operations.]

The following are some compelling use cases for automation in specific cybersecurity areas, which may include multiple elements in the table.

Governance, risk, and compliance (element 4, Rm: Cyber risk management, metrics, and reporting)

- Governance and risk management. Informs overall strategy and improves reporting capabilities by using large volumes of contextual data and decision points to help with strategic decision making that aligns with the organization's risk appetite.
- Regulation synthesis and mapping. Develops and maintains an organization's integrated security controls framework, extracting information from multiple regulatory sources and guidelines.
- Assessment triggering. Conducts automated assessments periodically, or is triggered automatically by changes to applications and/or business processes.
- KRI automation. Automates the collection and visualization of key risk indicator metrics to enable the organization to assess and address risk exposure.
- Responsibility allocation. Uses self-service processes to allocate cybersecurity responsibilities across teams, improving efficiency and enabling closer alignment with risk owners.
- Control testing. Automates control testing so that it continually assesses control effectiveness and provides near real-time updates about the organization's security posture.

At the more sophisticated end of the technology spectrum, the following are some of the many potential uses for AI and analytics technologies in

Identity and access management (IAM) (element: Privileged access management)

- Role maintenance. Uses an AI engine to provide recommendations on role maintenance, helping organizations streamline the difficult, costly, and time-consuming task of keeping role definitions up-to-date.
- Role mining engine. Extends the role maintenance engine to mine roles from multiple data sources, recommending new roles and entitlements.
- Access request recommendation engine. Makes the access request process simpler by analyzing various data sources—such as peer group access and historical access requests—and then recommending the level of access required for a user.
- Access certification analytics. Analyzes different data sets and applies analytics to improve the certification process by: pre-approving certification items based on access request data, detecting anomalies in the attestation cycle, and using peer group data to calculate a confidence score that helps reviewers make informed decisions.
- Access usage data for analytics engine. Incorporates access usage data into the analytics engine to help it generate more informed and efficient insights.

System security (element 15, Ss: System security)

- Control effectiveness. Augments and assesses the effectiveness of tried and tested tools such as firewalls, proxies, and data loss prevention solutions by monitoring the available log data and then identifying and remediating misconfigurations.

Threat detection (element 27, Td: Threat detection)

- Anomalous behaviour detection. Helps identify anomalous data access activity and malicious application activity by focusing on user logins, changes in user behaviour, and unapproved changes.
- Threat discovery. Monitors activities and entities to establish normal behaviour, and detects sources of anomalies that could create potential risks such as fraud, money laundering, and insider threats.
- Alert cleansing and prioritization. Uses machine learning to significantly automate the first level of triage based on factors such as type of attack, frequency, and previous experience.
- Targeted investigation and support. Uses a big data platform to drive new insights through historical analysis, thereby allowing investigations into incidents based on current and historical data to be done quickly and efficiently.

Cyber threat intelligence (element 25, Cti: Cyber threat intelligence)

- Cyber risk sensing. Identifies or predicts risks that are often difficult for humans and rules-based systems to detect, including new categories of risks, diffused risk signals, and potential sources of future risks such as increased use of social media.

Threat hunting and vulnerability management (element 28, Th: Threat hunting; element 30, Pvm: Patch and vulnerability management)

- Threat hunting. Quickly searches for new threats by importing known tactics, techniques, procedures, and attack patterns—along with vulnerability details and remediation information—to help neutralize threats early in the attack cycle.
- Vulnerability scanning. Uses bots to initiate and scan applications, systems, and other assets for vulnerabilities, assessing risk and prioritizing the patch schedule.
- Configuration review. Uses bots to review system configurations to ensure baseline hardening and ensure no misconfigurations.
- Attack-path modelling. Performs predictive analytics on security data to determine vulnerable entry points and the likely path an attacker might use to gain access.

From promise to practice

AI technologies have been getting a lot of buzz lately. Now it's time to move from talk to action. Here are seven steps you can start taking today to boost your organization's cyber capabilities through the use of AI technologies and analytics.

- Embrace the future. Collaborate with your ecosystem to help shape the future of these powerful new cyber technologies.
- Educate yourself and your teams. Understand the business opportunities associated with AI technologies and analytics in cyber, immersing yourself in internal forums and decision-making processes to ensure you are a valuable contributor.
- Reassess the risk and threat landscape. Understand the impact of new technologies and develop appropriate risk management responses.
- Redefine your accountability model. Consider how changes in the operating environment will affect the risk landscape and required controls, and then adjust your cyber team's roles and responsibilities accordingly.
- Rationalize your control framework. Encourage risk-intelligent design for new systems, technologies, and control frameworks to reduce unnecessary control layers and build more preventative and automated capabilities up front.
- Start small and scale fast. Develop a practical strategy for applying AI technologies and analytics to cybersecurity by identifying opportunities with high impact, low complexity, readily available data, and insufficient current capabilities.
- Rethink your cyber talent strategy. Update your talent strategy, taking steps to ensure highly skilled cyber professionals are leading the way on your cybersecurity efforts.

AI technologies and analytics can lift your company's cyber capabilities to the next level. By taking the lead on applying these disruptive innovations to cybersecurity, you can tip the balance in your favour and stay a step ahead of the threats.

Contacts

Nick Galletto
Global and Canada Cyber Risk Leader
ngalletto@deloitte.ca
1 416 6016 734

Andres Gil
Americas Cyber Risk Leader
angil@deloitte.com
54 114 390 2600

Chris Verdonck
EMEA Cyber Risk Leader
cverdonck@deloitte.com
32 280 024 20

James Nunn-Price
Asia Pacific Cyber Risk Leader
jamesnunnprice@deloitte.com.au
61 293 227 971

www.deloitte.ca

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients' most complex business challenges. To learn more about how Deloitte's approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

Copyright 2019 Deloitte Touche Tohmatsu Limited
