Redefining Cyber Threat Detection with AI

May 1, 2024
Mark Wojtasiak
Vice President of Product Marketing

The following article is a transcript from a recent interview in which Ed Amoroso, founder and CEO of TAG Infosphere, and Mark Wojtasiak, VP of Product at Vectra AI, discuss how organizations can use the right AI approach to successfully defend against today’s hybrid attacks.

Ed: Few cybersecurity companies have the depth of experience in applying artificial intelligence (AI) to cybersecurity as Vectra AI. They have developed a strong capability in using AI to accurately detect cyberattacks, investigate and initiate response — and this clearly matches the needs of most modern organizations seeking to improve their defenses and thus resilience to attacks.

We recently spent time with the Vectra AI team to better understand how they are using AI to speed up cybersecurity detection and mitigation as well as how their customers are coming to depend increasingly on AI as a critically important component of their defense against automated attacks.

Ed: How does Vectra AI’s AI-driven platform enhance organizations’ ability to detect and respond to cyber threats in real-time?

Mark: We think about this in the most basic terms. At the core, an organization’s ability to detect and respond to cyber threats in real-time comes down to three questions: Can we see it? Can we stop it? How fast can we see it and stop it? With attack surfaces constantly expanding, attacker methods evolving, new threats emerging, and a barrage of alerts, traditional methods of threat detection and response are overly manual, complex, and latency-ridden. On top of that, the shortfall of SOC resources and skills has only made matters worse, and when it comes to the question of how fast we can see it and stop it, the answer is not nearly fast enough.

We have a premise that serves as the basis for our AI platform — modern enterprises are hybrid, thus all attacks are hybrid attacks. We argue that in the modern hybrid enterprise, hybrid attacks are rendering traditional approaches to threat detection and response inefficient and ineffective. For SOC teams, detecting a hybrid attack is like finding the needle in a stack of needles. The only way to find the needle is to think like a hybrid attacker. Today, we think we have individual attack surfaces to manage — endpoints, networks, identities, clouds, email applications, etc. — but hybrid attackers see one giant integrated attack surface. Integrated is the key word, and our platform is designed to give defenders a real-time integrated view of attacks across the entire hybrid attack surface. This removes complexity and latency in detection, investigation and response processes and dramatically reduces SOC analyst workload.

Ed: Can you elaborate on the specific AI techniques and methodologies employed by Vectra AI to analyze network behaviors and identify malicious activities?

Mark: The Vectra AI approach to threat detection blends human expertise with a broad set of data science and advanced machine learning techniques. This model delivers a continuous cycle of attack intelligence based on security research, global and local learning models, deep learning, and neural networks. Using behavioral detection algorithms to analyze metadata from captured packets, our cybersecurity AI detects hidden and unknown attacks in real time, whether traffic is encrypted or not. Our AI only analyzes metadata captured from packets, rather than performing deep-packet inspection, to protect user privacy without prying into sensitive payloads.

Global learning begins with the Vectra AI Threat Labs, a full-time group of cybersecurity experts and threat researchers who continually analyze malware, attack tools, techniques, and procedures to identify new and shifting trends in the threat landscape. Their work informs the data science models used by our Attack Signal Intelligence, including supervised machine learning. It is used to analyze very large volumes of attack traffic and distill it down to the key characteristics that make malicious traffic unique.

Local learning identifies what’s normal and abnormal in an enterprise’s network to reveal attack patterns. The key techniques used are unsupervised machine learning and anomaly detection. Vectra AI uses unsupervised machine learning models to learn about a specific customer environment, with no direct oversight by a data scientist. Instead of concentrating on finding and reporting anomalies, Vectra AI looks for indicators of important phases of an attack or attack techniques, including signs that an attacker is exploring the network, evaluating hosts for attack, and using stolen credentials.

Our AI-driven Prioritization engine combines thousands of events and network traits into a single detection. Using techniques such as event correlation and host scoring, our AI correlates all detection events to specific hosts that show signs of threat behaviors. We then automatically score every detection and host in terms of the threat severity and certainty using our own threat certainty index.

Finally, we track each event over time and through every phase of the cyberattack lifecycle, putting special focus on entities that are of strategic value to an attacker.

Ed: What sets Vectra AI apart in AI-driven cybersecurity, particularly in terms of scalability and adaptability to evolving threats?

Mark: I would say it’s our approach. A decade ago, we created a methodology built on five core principles of applied AI for cybersecurity:

1. Start with the right problem statement.  

2. The right data.  

3. Build an ML engineering competency.  

4. Unlock ML innovation with platform.  

5. Continually validate and improve.

Our methodology is rooted in integrating security research, ML engineering — the combination of data science and engineering — and UX focused on one mission: use AI to find attack signal inside data at speed and scale. We have over 150 models spanning neural networks, supervised ML, unsupervised ML, and novelty detection, 12 references for MITRE D3FEND — more than any other vendor — and a network effect made up of over 1500 customers continuously validating and improving our AI detections for both existing attacker techniques and new ones we discover. There are cases where we’ve identified new attacker techniques and developed detections before they are published in MITRE ATT&CK, which means our customers get continuous coverage for new attack techniques without any detection engineering work.

Ed: How does Vectra AI ensure minimal false positives and false negatives in its AI-powered threat detection algorithms?

Mark: We believe detecting and responding to what we call hybrid attacks in real-time can only be done with AI. AI is the only way to deliver SOC teams what they need — integrated accurate hybrid attack signal at speed and scale. We call it our Attack Signal Intelligence and it uses AI to analyze, triage and correlate thousands of detection events a day spanning networks, identities, clouds, and SaaS applications. Instead of delivering thousands of alerts on individual threat events, our AI platform delivers single digit alerts per day on prioritized entities — both hosts and accounts — under attack.

In the most basic terms, our AI answers the three questions SOC analysts need answered every day they sit in front of their monitors: Is this threat real? Do I care? And how urgent is it? In other words, is it worth my time and talent? One of our customers put it best by saying, “the Vectra AI Platform helps our engineers and analysts take ambiguity out of their day and focus on what matters.”

How we do it is simple. We leverage our prebuilt, behavior-based, domain specific AI detections to make unknown attacks known. We use AI to integrate and automate threat event correlation to remove detection engineering latency. And most importantly, we use AI to shift the analyst experience from event-centric threat detection to entity-centric signal prioritization, thus reducing noise and workload, thus maximizing the value of existing SOC talent.

Ed: Looking ahead, what role do you envision AI playing in the future of cybersecurity defense, and how is Vectra AI positioned to lead in this ongoing evolution?

Mark: Like I said before, today, detecting and responding to hybrid attacks in real-time can only be done with AI. We see the future as a fully AI-driven SOC. The first phase of evolution is all about the use of applied AI for proactive defense — from identifying emerging attacker behaviors to detecting and prioritizing entities early in an attack campaign. We believe our AI/ML approach — our Attack Signal Intelligence and our entity-centric prioritization engine — is at the forefront of this movement.

I see phase two of the AI-driven SOC coming in the use of generative AI for prescriptive defense related to threat investigations and response. We see this happening already with vendor adoption and the use of LLMs to help SOC analysts reduce investigation workload and speed investigation times. Potentially, AI could be taken a step further and prescribe, or even take, the appropriate response action to contain or isolate the attack. Vectra AI has chosen to focus first and foremost on delivering the most integrated and accurate attack signal. We contend the more accurate the attack signal, the more compelling the application of LLMs for effective investigation and response.

I see phase three of the evolution of the SOC as AI for predictive defense. Given our understanding of attacker behaviors — our Attack Signal Intelligence — combined with our approach and the network effect we enjoy from our 1500-plus enterprise customers, Vectra AI is well positioned to lead and innovate in predictive AI-driven defense.

You can get more insights from TAG and Vectra AI by downloading the complimentary report: Tag Security Annual 2023: Special Reprint Edition