Could artificial intelligence defend us against thieves and barbarians at our digital gates? Or will machine learning be one more addition to cyber criminals’ ever-growing arsenals?
The recent WannaCry ransomware attacks, which infected over 230,000 computers in 150 countries, revealed how most institutions fail at even basic defenses. Microsoft had released a critical security patch (MS17-010, closing the SMBv1 flaw the worm exploited) two months earlier that would have protected systems, but most organizations failed to apply it, including those responsible for critical healthcare, telecommunications, and transportation information and infrastructure.
In financial services, security is king, but cybersecurity threats are relentless. Security analysts are overwhelmed with both real and false signals and security teams struggle to hire enough skilled staff. With the advent of new artificial intelligence and machine learning technologies, bank executives and security leaders hope to augment human capabilities by automatically detecting, triaging, and surfacing threats. At the same time, hackers are engaged in an arms race to use the same intelligent tools to probe and create exploits for software.
Challenges Facing Financial Security Systems
Nearly all financial institutions use firewalls, secure authentication methods, intrusion detection tools, data recovery systems, and a wide variety of anti-virus and anti-spam methods. Many are exploring new approaches such as behavioral biometrics, which model how humans interact with computing systems to identify unauthorized access. Data from these systems are ingested and analyzed by SIEMs (security information and event management systems), which correlate events and provide real-time analysis and alerts on security threats.
Despite all these technologies, security is still a huge challenge. “Hackers need only one entry point while we must defend them all,” points out Paul Innella, CEO of TDI, a global cybersecurity firm. “Our adversaries have an entire dark web where there is not only collaboration, free access to attack tools and instruction, but even a royalty-sharing scheme to carry out attacks using the tool-producers’ tools. Collaboration on our end is disparate and inconsistent.” Mike Simon, CTO of Critical Informatics, adds that “complete knowledge is impossible in any network of more than five systems. I have to assume that systems will be breached.” Once breaches occur, security teams reactively rush to detect and defend, which Simon emphasizes is “still a non-human scale problem.” Organizations often take weeks or even months to discover breaches and data loss.
The rapidly changing landscape of regulatory laws and compliance requirements adds complexity and can unwittingly weaken security practices for financial companies. Standards and statutes such as PCI DSS, Sarbanes-Oxley (SOX) and the Federal Information Security Management Act (FISMA), and regulators such as the FDIC and the Federal Trade Commission (FTC), all impose specific requirements and significant penalties for loss of protected data. GDPR, which takes effect in May 2018, will impact every financial services company operating in Europe or handling the personal data of EU residents. With regulations in constant flux, institutions scramble to change business practices to comply. Cybersecurity gaps can result when organizations lack sufficient time to invest in a solid security architecture for new processes.
The rise of cloud computing, internet of things (IoT), and dependence on third-party vendors add yet more layers of mandatory maintenance often overlooked by companies. Banks traditionally operate mission-critical technologies on-premise, where they have access and control over physical infrastructure, but modern software vendors and connected devices rely on the cloud, where environments and security levels continually change. “Third party vendors have been the culprit of numerous high profile security incidents,” reports Alok Tongaonkar, Head of Data Science at RedLock. “Security is only as good as the weakest link.”
Though new technologies may introduce additional paths of attack, humans are still the weak link in most successful attacks. Most breaches start with a person: a malicious insider, perhaps a disgruntled employee leaking data, or an unwitting victim of spear phishing or social engineering. Even with the right tools in place, many organizations lag in education and training for both security professionals and regular employees who can be targeted in attacks. “Cybersecurity is a ‘neighborhood watch’, or community police activity,” emphasizes Chris Geiser, Chief Technology Officer of The Garrigan Lyman Group, “Information sharing is the key to success.”
Hackers have become increasingly sophisticated at hiding their tracks, at times flooding systems with fake alerts to distract from truly insidious ones. Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) demonstrated that a virtual AI security analyst, trained with feedback from human experts, accurately identified 85% of attacks, roughly three times the previous benchmarks, while reducing false positives by a factor of five.
With such obvious advantages, both startups and established security providers have integrated machine learning advances into their tools. Mary Jane Wilson-Bilk, Partner at Eversheds Sutherland, reported “more than 550 cybersecurity vendors selling their wares” at a key industry conference earlier this year. Vendors range from newer entrants like Deep Instinct and Vectra Networks to established industry players like Splunk. All promise real-time monitoring of systems and networks to offer insights beyond traditional security tools and empower analysts to detect and neutralize threats faster.
Other machine learning solutions, such as Sift Science, protect customers of financial institutions by automatically flagging instances of account takeover (ATO) and fraudulent transactions. “Customers are particularly concerned about account takeovers, which typically happen after large data breaches,” explains Jason Tan, Sift Science’s CEO. “In 2016, 554 million records were compromised in the first half of the year alone and ATO losses reached $2.3 billion, a 61% increase from the year before.”
Entities such as the Financial Services-Information Sharing and Analysis Center (FS-ISAC) have been in place for nearly two decades to enable information sharing of cyber threat data between institutions. Recently, eight of the largest banks within the FS-ISAC established a joint effort to use intelligence, technology, and automation to strengthen financial sector defenses. Such collaborative efforts are critical to building modern AI systems with maximum effectiveness.
How Artificial Intelligence Advances Hackers
DARPA, the U.S. Department of Defense agency responsible for developing emerging technologies for the military, recently held the Cyber Grand Challenge, the world’s first all-machine hacking tournament. The winning team’s system, aptly named “Mayhem”, autonomously found and patched vulnerabilities in programs it had never seen before. “While DARPA’s intention for this Grand Challenge was benevolent – the idea is that AI systems will find flaws and then fix them – similar principles could be used to find software flaws and exploit them,” warns Wilson-Bilk of Eversheds Sutherland.
Bulk phishing campaigns traditionally use little personal information, yet are highly effective. Machine learning lets attackers personalize such campaigns at scale, turning them into spear phishing tailored from victim data and the results of previous attacks. Ransomware operators can analyze targets’ business operations to identify and extract maximum ransom values. The most sophisticated criminals can even reverse engineer the defending models and feed them crafted inputs (adversarial examples or poisoned training data) to evade, subvert, or overwhelm security systems.
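The last point, evading a learned filter by feeding it crafted input, is easier to see than to describe. The following is an added illustration, not code from the article or from any vendor it names: a toy logistic-regression phishing filter is trained on a handful of constructed messages, and an attacker who has recovered its weights (a white-box assumption, standing in for "reverse engineering" the model) appends benign-scoring words to a phishing message until the filter lets it through. This is the classic "good word" attack against linear spam filters; vocabulary, messages and labels are all made up for the example.

```python
"""Toy 'good word' evasion attack against a linear text classifier.

Constructed example: a tiny logistic-regression phishing filter is trained
on made-up messages, then an attacker who knows the weights appends the
most legitimate-looking words until the message scores as benign.
"""
import math
from collections import Counter

# Constructed training data (not real mail): 1 = phishing, 0 = legitimate.
TRAIN = [
    ("urgent verify your account password now", 1),
    ("click link to reset password immediately", 1),
    ("your account suspended verify now", 1),
    ("urgent wire transfer confirm account", 1),
    ("meeting notes attached see agenda", 0),
    ("quarterly report attached thanks team", 0),
    ("lunch agenda for thursday meeting", 0),
    ("thanks for the report see notes", 0),
]


def vocabulary(samples):
    """Sorted list of every token seen in training; features are word counts."""
    return sorted({w for text, _ in samples for w in text.split()})


def featurize(text, vocab):
    counts = Counter(text.split())
    return [float(counts[w]) for w in vocab]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(samples, vocab, epochs=300, lr=0.5):
    """Batch gradient descent for logistic regression, no libraries needed."""
    n = len(vocab)
    w, b = [0.0] * n, 0.0
    rows = [(featurize(t, vocab), y) for t, y in samples]
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in rows:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i in range(n):
                gw[i] += err * x[i]
            gb += err
        m = len(rows)
        w = [wi - lr * gi / m for wi, gi in zip(w, gw)]
        b -= lr * gb / m
    return w, b


def score(text, w, b, vocab):
    """Probability the filter assigns to 'phishing'."""
    x = featurize(text, vocab)
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def evade(text, w, b, vocab, threshold=0.5, max_words=30):
    """Attacker side (assumes the weights are known): append words with the
    most negative weights, cycling through them, until the filter's score
    drops below the decision threshold. Returns (modified_text, words_added).
    Because the features are linear word counts, every appended benign word
    lowers the logit by exactly |weight|, so the attack is guaranteed to
    succeed given enough appended words."""
    benign = [vocab[i] for i in sorted(range(len(vocab)), key=lambda i: w[i])
              if w[i] < 0]
    added, current = [], text
    while benign and score(current, w, b, vocab) >= threshold and len(added) < max_words:
        word = benign[len(added) % len(benign)]
        added.append(word)
        current = current + " " + word
    return current, added


VOCAB = vocabulary(TRAIN)
W, B = train(TRAIN, VOCAB)

if __name__ == "__main__":
    msg = "urgent verify your account password now"
    print(f"before: {score(msg, W, B, VOCAB):.3f}  {msg!r}")
    evaded, added = evade(msg, W, B, VOCAB)
    print(f"after:  {score(evaded, W, B, VOCAB):.3f}  {evaded!r}")
    print("words appended:", added)
```

The payload is untouched; only benign padding is appended, which is exactly why production filters do not rely on a single linear model over raw word counts and why the article's warning about constant retraining and testing matters: a model whose decision boundary an attacker can probe or recover is a model the attacker can walk around.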
Perhaps the greatest challenge for defenders is that modern technology systems have become so complex that no one fully understands them. Machine learning technologies can create a false sense of security and complacency, when in reality they must be constantly retrained, tested against adversarial input, and updated by competent professionals to defend against new and unknown attacks.
With increasing connectivity and interdependency in the critical infrastructure that enables modern life, the stakes in the arms race between security professionals and hackers are ever escalating. Wilson-Bilk of Eversheds Sutherland concludes with a sobering reality: “If a well-funded and sophisticated foreign government wanted to initiate a full-scale cyber war against the United States, they likely have the ability to simultaneously and significantly disrupt transportation, electrical infrastructure, and the financial sector in a way that brings the entire country grinding to a halt.”