Cyber AI can be a force multiplier that enables organizations to respond faster than attackers can move, and to anticipate and react in advance.
Despite making significant investments in security technologies, organizations in many industries continue to struggle with security breaches. Their adversaries are quick to evolve tactics and stay ahead of the technology curve. Humans may soon be overwhelmed by the sheer volume, sophistication, and difficulty of detecting cyberattacks.
Companies are already challenged to efficiently analyze the data flowing into the security operations center (SOC) from across the security tech stack. This doesn’t include the information feeds from network devices, application data, and other inputs across the broader technology stack that are often targeted by advanced attackers looking for new vectors, old misconfigurations, or using new malware. As the enterprise increasingly expands beyond its firewalls, security analysts are charged with protecting a constantly growing attack surface.
Meanwhile, the cost of cybercrime continues to climb and is expected to increase from US$3 trillion in 2015 to $10.5 trillion by 2025.[i] The average cost of a single data breach in 2021 was $4.24 million,[ii] a 10% increase from 2019. According to insurer AIG, ransomware claims alone have grown 150% since 2018.[iii]
“The adoption of 5G networks and an increase in network connections, together with a more distributed workforce and a broadening partner ecosystem, present new risks.”
It’s time to call for AI backup. Cyber AI can be a force multiplier that enables organizations not only to respond faster than attackers can move, but also to anticipate these moves and react to them in advance. Cyber AI technology and tools are in the early stages of adoption with new advances frequently occurring. The global market for these tools is expected to grow by $19 billion between 2021 and 2025.[iv]
AI’s ability to adaptively learn and detect novel patterns can accelerate detection, containment, and response, easing the burden on SOC analysts and allowing them to be more proactive. The bonus is that it can also help organizations prepare for the eventual development of AI-driven cybercrimes.
Expanding Enterprise Attack Surfaces
Organizations’ attack surfaces are expanding exponentially. The adoption of 5G networks and an increase in network connections, together with a more distributed workforce and a broadening partner ecosystem, present new risks. They’re exposing the enterprise outside of its firewalls and pushing into customer devices, employee homes, and partner networks. Here are a few of the ways manufacturers have seen their attack surfaces increase:
Increase in connected devices: 5G, IoT, Wi-Fi 6, and other networking advances are driving an increase in network-connected devices. When seeking a soft attack vector, cybercriminals will be able to choose from a growing number of network-connected physical assets—29.3 billion by 2023, according to one estimate.[v]
The unprecedented number of devices connected to these networks produce data that needs to be processed and secured, contributing to the data logjam in the SOC. It can be challenging to keep track of and manage active assets, their purpose, and their expected behavior, especially when they’re managed by service orchestrators.
Broader ecosystem of partners: As the enterprise continues to extend with an increasingly global supply chain, hosted data, infrastructure, and services have long contributed to third-party risk. And as more and more organizations integrate data with third-party applications, APIs are a growing security concern.
Third-party breaches are also growing in complexity. Five years ago, an intruder might use widely available malware to target specific computer systems, gain contractor credentials, and steal customer data—messy, to be sure, but with a clear source and the ability to monitor and remediate the damage.
“AI will be increasingly important for many manufacturing clients as they undergo the digital transformation of their factories with Industry 4.0 technologies.”
Such an attack pales in comparison to today’s sophisticated intrusions, in which information stolen from one company can be used to compromise thousands of its customers and suppliers. Supply chain attacks can do the same by exploiting the least-secure embedded components of complex supply networks. A breach with no boundaries can be nearly impossible to monitor and remediate, with active theft potentially continuing for many years.
Adoption of 5G networks: 5G is expected to completely transform enterprise networks with new connections, capabilities, and services. But the shift to 5G’s mix of hardware and distributed, software-defined networks, open architectures, and virtualized infrastructure creates new vulnerabilities and a larger attack surface, which will require more dynamic cyber protection.
As public 5G networks expand, many manufacturing organizations have also begun to invest in private and hybrid 5G networks that meet enterprise requirements for lower latency, data privacy, and secure wireless connectivity. From autonomous vehicles and drones to smart factory devices and mobile phones, an entire ecosystem of public and private 5G networks—connected devices, applications, and services—will create additional potential entry points for hackers. Each asset will need to be configured to meet specific security requirements. And with the increasing variety of devices, the network becomes more heterogenous and more challenging to monitor and protect.
AI Defense Against Cyberthreats
Expanding attack surfaces and the escalating severity and complexity of cyberthreats are exacerbated by a chronic shortage of cybersecurity talent. Employment in the field would have to grow by approximately 89% to eliminate the estimated global shortage of more than 3 million cybersecurity professionals.[vi] AI can help fill this gap.
Accelerated threat detection: Advanced analytics and machine learning platforms can efficiently sift through the high volume of data generated by security tools, identify deviations from the norm, evaluate the data from the thousands of new connected assets that are flooding the network, and be trained to distinguish between legitimate and malicious files, connections, devices, and users.
Force multiplier in containment and response: AI can also serve as a force multiplier that helps security teams automate time-consuming activities and streamline containment and response. Consider machine learning, deep learning, natural language processing, reinforcement learning, knowledge representation, and other AI approaches. When paired with automated evaluation and decision-making, AI can help analysts manage an escalating number of increasingly complex security threats and achieve scale.
“Expanding attack surfaces and the escalating severity and complexity of cyberthreats are exacerbated by a chronic shortage of cybersecurity talent. AI can help fill this gap.”
Proactive security posture: Properly trained AI can enable a more proactive security posture and promote cyber resilience, potentially allowing organizations to stay in operation even when under attack and reducing the amount of time an adversary is in the environment. For example, context-rich user behavior analytics can be combined with unsupervised machine learning algorithms to automatically test user activities; recognize typical patterns in network activity or data access; identify, evaluate, and flag anomalies (and disregard false alarms); and decide if response or intervention is intended. And by feeding intelligence to human security specialists and enabling them to actively engage in adversary pursuit, AI enables proactive threat hunting.
Building an AI Security Roadmap
AI will be increasingly important for many manufacturing clients as they undergo the digital transformation of their factories with Industry 4.0 technologies (e.g., smart factories). With the expectation that 175 Zetabytes of data will be generated by 2025[vii], manufacturing clients should begin preparing for AI as it simply cannot just occur overnight. Protecting client data is vital to keeping manufacturing lines operational and the quality of the product intact.
As companies have visited The Smart Factory @ Wichita and discussed their visions for digital transformation, common threads have emerged around security gaps that need to be filled as part of their roadmaps towards achieving an AI-enabled cyber security strategy.
Network segmentation: Data from a company’s Operational Technology (OT) environment (e.g., manufacturing network) will likely need to flow into their enterprise cloud environment as part of their advanced analytics solution to measure various Key Performance Objectives (KPOs) and Key Performance Indicators (KPIs). In many circumstances, little to no network segmentation is in place between a company’s IT environment and their OT environment. A lack of segmentation exposes the manufacturing environment to nefarious actors who could manipulate, deny, or destroy or steal critical data/processes.
“AI’s ability to identify patterns and adaptively learn in real time as events warrant can accelerate detection, containment, and response, help reduce the heavy load on SOC analysts, and enable them to be more proactive.”
Identity access & authentication: It’s integral that all users, not just individuals but also devices and services, have proper controls in place so that only the approved users can authenticate and communicate within the manufacturing environment. Additional controls such as Multi-Factor Authentication (MFA) serve to further enhance security as entities prepare for enabling AI. Authentication can further enable AI as the controls help answer key questions for faster decision making: Is the access originating from a known location? Is a user switching from a private to a public network? Is the time and data pattern for the access during expected hours of work? Is the access from a known device or services that are known to communicate?
Security monitoring: A security monitoring solution helps further enable securing the manufacturing environment by passively sensing the data on the network. As the environment is baselined, the solution continues to listen to the dataflows in the environment to provide visibility in the network, identify vulnerabilities, detect anomalous activity, and report back on it. A security monitoring solution can help further prepare the environment by further understanding OT asset behaviors to detect potential threats. As organizations continue to prepare for an AI-based approach, data from sensors that understand OT communications and protocols become critical for understanding threats in process control environments.
The Way Forward
On its own, AI (or any other technology, for that matter) isn’t going to solve today’s or tomorrow’s complex security challenges. AI’s ability to identify patterns and adaptively learn in real time as events warrant can accelerate detection, containment, and response, help reduce the heavy load on SOC analysts, and enable them to be more proactive. These professionals will likely remain in high demand, but AI will change their roles. Organizations will need to reskill and retrain analysts to help change their focus from triaging alerts and other lower-level skills to more strategic, proactive activities. Finally, as the elements of AI- and machine learning-driven security threats begin to emerge, AI can help security teams prepare for the eventual development of AI-driven cybercrimes in the years ahead. M
[i] Steve Morgan, “Cybercrime to cost the world $10.5 trillion annually by 2025 ,” Cybersecurity Ventures, November 13, 2020.
[ii] Steve Morgan, “Cybercrime to cost the world $10.5 trillion annually by 2025 ,” Cybersecurity Ventures, November 13, 2020.
[iii] CNBC, “Cybercrime could cost $10.5 trillion dollars by 2025, according to Cybersecurity Ventures ,” March 9, 2021.
[iv] PR Newswire, “Artificial intelligence-based cybersecurity market grows by $19 billion during 2021-2025 ,” June 21, 2021.
[v] Cisco, Cisco annual internet report (2018–2023) white paper
[vi] (ISC)², “(ISC)² study reveals the cybersecurity workforce has grown to 3.5 million professionals globally.”
[vii] Tom Coughlin, “175 Zettabytes by 2025,” Forbes, November 27, 2018.
About the authors:
Sharon Chand is a principal at Deloitte & Touche LLP and the Cyber Risk Secure Supply Chain leader for the Cyber Risk Services practice of Deloitte Risk & Financial Advisory.
Ryan Moore is a Deloitte & Touche LLP Senior Manager in the Cyber Risk Services practice.
This article contains general information only, does not constitute professional advice or services, and should not be used as a basis for any decision or action that may affect your business. The authors shall not be responsible for any loss sustained by any person who relies on this article.