Smarter information and access security with AI

14 October 2024

Artificial Intelligence (AI) is one of the key innovations of this decade. Virtually every sector and discipline now uses AI tools, from education and healthcare to manufacturing and transportation. Organizations use AI to optimize planning, assemble documentation, and monitor management costs. This applies especially to information management. AI systems are not only IT systems; we increasingly use AI tools to build, manage, and secure IT systems.

Especially for information security, we can no longer do without artificial intelligence. Security teams face cybercriminals and state actors every day. Both sides deploy artificial intelligence. Hackers use AI algorithms to discover weaknesses in infrastructures, and the development of new malware is partly driven by AI tools. It is an arms race, and the only way to win is to deploy artificial intelligence even more intelligently ourselves, which makes AI one of the most important information security trends.

The importance of AI in cybersecurity

Thanks to the enormous processing power of modern computer systems, we can develop advanced machine learning systems. With the internet and cloud technology we also have virtually unlimited training data. These capabilities enable us to find complex patterns and relationships within terabytes of unstructured data and to develop intelligent algorithms.

That makes them essential tools for managing and securing modern IT environments. Cyber threats constantly evolve and often consist of several links that can be difficult to identify individually. This is especially true as the IT landscape becomes more complex and every organization uses hundreds of applications that often run in the cloud and are interconnected. Traditional firewalls and antivirus programs largely worked with predefined rules, which means we often react too late; disruptions are detected too late or threats are not recognized at all.

With modern AI solutions we can process and analyze billions of data points from both the internal IT environment and external sources, which allows us to recognize dangerous patterns and respond immediately. In this blog we share some practical examples. We keep it close to home. Many of our customers use Microsoft 365 as the core suite for their digitalization. They also use an IAM platform such as HelloID for issuing and managing all user accounts and access rights. Both Microsoft 365 and IAM environments increasingly use artificial intelligence to prevent and resolve cyber threats.

AI for prediction, detection, and remediation

Let us start with predicting, discovering, and handling cyber threats. In Microsoft environments you do this with Defender and Sentinel. Defender is a security suite with several components, each focused on a specific domain. For example, there is Defender for Identity, Defender for Cloud Apps, and Defender for Endpoint. The Defender eXtended Detection & Response (XDR) functionality integrates all events from these modules into one coordinated security platform and can also share the data with the Sentinel platform. In turn, Sentinel is a SIEM[1] and SOAR[2] environment that allows you to predict, identify, and remediate overarching threats. Sentinel also uses data from other IT systems and external threat intelligence sources. Here are some capabilities:

  • By training AI models with data on known threats, malicious scripts, and typical user patterns, you can detect anomalies more effectively. If an application suddenly starts encrypting many files, this can be recognized much faster as a possible ransomware attack, and such an attack can be automatically blocked immediately.

  • This is not limited to individual events; the systems can recognize multiple links in complex kill chains. Phishing campaigns often start with reconnaissance activities within the infrastructure, which you can detect faster with AI. You can also identify the network behavior of an active campaign as well as the specific characteristics of phishing emails, for example with text and sentiment analysis. Infected attachments can also be detected and isolated automatically. Together, this creates a complete defensive line that is set up almost automatically.

  • AI is also essential for filtering and prioritizing alerts and automating processing. Sentinel can use AI models to group alarms, prioritize them, and reduce the number of false positives. With Fusion analysis you can correlate different alerts so that your analysts can focus on the most important threats. You can automate routine actions such as blocking an IP or locking a user account, and you can also automate the handling of larger incidents with playbooks.

  • The Microsoft Threat Intelligence service uses machine learning to translate both internal and external data into a comprehensive threat picture. This includes data from its global sensor network combined with external threat intelligence from partners and public sources such as hacker forums, darknet marketplaces, and malware samples. It often concerns literally trillions of signals, including suspicious IP addresses, domains, and malware indicators.

AI support for IAM, data classification, and data loss prevention

The examples above focused on preventing, detecting, and handling cyberattacks. In addition, you need to organize access management to your IT environment properly and ensure that users cannot view, edit, and distribute data without authorization. Here are several examples of how to reduce these risks and how AI can help:

AI in IAM environments

Let us start by preventing people from gaining unwanted access to applications and data. A key security requirement is the Principle of Least Privilege: every user may only have the minimum necessary access rights at any moment, depending on role, department, and work location. A modern IAM platform such as HelloID enforces this by automating account and rights management for all users in the organization based on an RBAC[3] model. In HelloID we implement this with business rules. These rules determine which access rights employees receive, and the platform also sends instructions to the target systems to set those accounts and permissions. Your IAM platform is literally the hub that connects numerous source and target systems. There is increasing potential to enrich this functionality with artificial intelligence. Two examples:

  • An RBAC model must stay in sync with your current organization and policies. HelloID offers role mining to translate day-to-day operations into usable business rules. A fully developed RBAC model can be quite complex, so AI will be used more and more to help build, maintain, and further optimize the model.

  • Your IAM system functions as the central system of record for access rights. With reconciliation you can check for mismatches between the IAM data and the settings in the target systems. For example, a local test account may have been created somewhere, or IAM data may not have been processed correctly in a target system. Determining the cause of such mismatches and finding a solution is often complex. We are working to use artificial intelligence to provide administrators with increasingly better suggestions.
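
The reconciliation check described above, sketched as an added example (not HelloID code or its API): desired rights are derived from role- and department-based business rules and compared with an export of a target system. The rule table, account names, entitlement strings, and the functions `desired_rights` and `reconcile` are all constructed for illustration.

```python
# Constructed business rules: (attribute, value) -> rights set in the target system.
BUSINESS_RULES = {
    ("department", "Finance"): {"erp:read", "erp:post-invoice"},
    ("department", "HR"): {"hris:read"},
    ("role", "Manager"): {"erp:approve"},
}

# Constructed IAM data: the system of record for who should have access.
IAM_USERS = {
    "a.jansen": {"department": "Finance", "role": "Manager"},
    "b.devries": {"department": "HR", "role": "Employee"},
    "c.bakker": {"department": "Finance", "role": "Employee"},
}

# Constructed export of what is actually configured in the target system.
TARGET_STATE = {
    "a.jansen": {"erp:read", "erp:post-invoice", "erp:approve"},
    "b.devries": {"hris:read", "erp:approve"},  # right not covered by any rule
    "test01": {"erp:read"},                     # local test account unknown to IAM
}                                               # c.bakker was never provisioned

def desired_rights(attrs):
    """Union of the rights granted by every business rule the user matches."""
    granted = set()
    for (key, value), rights in BUSINESS_RULES.items():
        if attrs.get(key) == value:
            granted |= rights
    return granted

def reconcile(iam_users, target_state):
    """Return (account, kind, rights) for every IAM/target mismatch."""
    findings = []
    for account in sorted(set(iam_users) | set(target_state)):
        have = target_state.get(account)
        if account not in iam_users:
            findings.append((account, "orphan_account", sorted(have)))
            continue
        want = desired_rights(iam_users[account])
        present = have or set()
        if present - want:  # more than least privilege allows
            findings.append((account, "excess_rights", sorted(present - want)))
        if want - present:  # provisioning was not processed (fully)
            kind = "missing_account" if have is None else "missing_rights"
            findings.append((account, kind, sorted(want - present)))
    return findings

if __name__ == "__main__":
    for finding in reconcile(IAM_USERS, TARGET_STATE):
        print(finding)
```

Orphan accounts and excess rights are the findings that break least privilege; missing accounts and rights point to provisioning that was not processed in the target system.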

AI for data classification and data loss prevention

Controlling the subsequent use of your data as effectively as possible is a strong complement to access security. Microsoft Purview is a widely used data governance solution for this, and we highlight two capabilities here:

  • With Purview you can classify sensitive data with labels such as 'confidential' or 'medical data'. Depending on the label, the system can determine who has access. It can also determine which actions may be taken and to what extent the data may be further distributed.

  • The platform also provides Data Loss Prevention (DLP), which actively scans documents for privacy sensitive data such as credit card numbers, social security numbers, and similar data. If someone tries to send such data, the system can warn the user or block the action immediately.

Artificial intelligence can further automate document classification. Where possible, the platform provides a suggestion that the document owner only needs to confirm or adjust. The system can also suggest DLP policies and corresponding data filters. Which types of personal data appear in documents and how can you recognize them automatically? AI can help with this more and more.

Want to learn more?

AI plays an increasingly important role in information security, and AI usage ranks high on the agenda within the IAM trends of 2024. If you want to learn more about how we apply artificial intelligence within the HelloID platform, then contact us.