Weak cyber defences are threatening GDPR compliance. Does AI offer an answer?

Dr. Anton Grashion, Senior Director Product and Marketing, Cylance EMEA

Sophisticated attack and weak defence make for a high-risk cybersecurity cocktail. Add the General Data Protection Regulation (GDPR) into the mix and it could turn lethal for today’s enterprises.

The angle of the security debate has shifted dramatically in recent months as data protection and privacy priorities evolve. It’s no longer just an IT issue. The high-cost day rates for security consultants, and the operational issues of conventional defence-in-depth strategies, are giving way to something more fundamental. We’re now in a world where security breaches begin to impact revenue and reputation as never before. The business risks are unprecedented, and boardrooms should be, and many are, deeply concerned.

A recent study by Deloitte [1] found over 96% of the cost of a breach comes from “beneath the surface” factors, including the value of lost contract revenue, devaluation of trade name, lost value of customer relationships and so on. Add the spectre of GDPR-related fines of 4% of global turnover, and operational costs begin to pale into insignificance.

So, what to do to stay secure and compliant? The logical answer is, of course, meet the cybercriminal head-on: prevent the attack in the first instance and thus eliminate the long-tail commercial damage that would have inevitably followed. Trouble is, security companies have tried this for decades. The attacks keep coming.

If we can’t prevent, conventional wisdom says, then we should stand ready to respond. This is where we are today. Money and resources have flowed from proactive protection towards ‘detect and respond’ solutions. It sounds impressive enough, but the reality is less so: we’re just cleaning up after cybercriminals have partied in our networks, caused chaos and stolen valuable items. It’s clearly not enough, but it’s all we have. Or had.

Enter artificial intelligence (AI) and machine learning (ML). These technologies are beginning to swing the prevent/respond pendulum back into equilibrium. According to recent Cylance-sponsored research, 77% of businesses say they’re preventing more breaches with AI-powered tools. 81% say AI is detecting threats faster than their (human) security teams [2].

Not all AI security approaches are the same, of course, and not all are preventative. But those that are can be truly revolutionary. They have succeeded where all other approaches, over the preceding decades, have failed: they really can stop attacks. Cylance’s AI-based platform, for example, is able to stop 99% of known and unknown malware before it executes on the endpoint device or enterprise network.

This ability to ‘proactively prevent’ completely changes the economics of security, and our understanding of the efficacy of all that has gone before. Preventing more means that the necessary detect/respond requirement suddenly looks very different. Not only can we eliminate those long-tail commercial consequences, we can better protect our enterprises from the ungenerous attentions of a newly empowered regulator. Taken together, it’s a business, compliance and reputational win.

Watch the GDPR interview, or go to cylance.com for more proactive prevention.

Video transcript:

Hello, and welcome to Business Reporter's Digital Economy campaign. Companies have, for far too long, had to fall back on detect and respond approaches to malware. It's expensive and inefficient, with a massive risk of reputational damage. But hackers and fraudsters don't wait until we catch up with the rapidly-developing landscape. Authorities are not patient either, and the GDPR regulations which come in May 2018 are merciless when it comes to breaches and personal data loss. Companies who don't comply could face fines of up to 4% of worldwide turnover.

What's the right response? Well, this is what we're going to discuss today with Dr. Anton Grashion from Cylance.

Good morning.

Good morning, Alastair.

Now, we've got GDPR coming out in May 2018. And of course, there are some massive penalties, up to 4% of worldwide turnover for organisations who don't comply. So why aren't organisations taking more of a preventative approach to all of this?

I think GDPR is used as the big bogeyman at the moment. Now it's right on the doorstep. It's getting a lot of focus, certainly, at sort of board level, as well. People aren't taking a preventative approach to cybersecurity, because historically, prevention hasn't been very good. And that's demonstrable by the number of events that have actually got through our defences.

And so it's very easy for organisations then to not panic, but actually shift their spend to detect and respond. So I can understand it. I don't think it's a good idea, especially with fines like that with GDPR.

And there's an accepted wisdom that, as far as malware and breaches are concerned, it's not a matter of if, it's a matter of when. So what's the problem with that particular approach?

Really, that's come from the sort of historical fact that prevention has been very, very difficult. And so what has happened with organisations is they've found that they can't stop threats coming in, and so have added layer upon layer within the organisation to try and catch what gets through the first defences. This has really significant knock-on economic effects on your budgets because you're actually chasing the problem into your network. And by doing that, you're spending more and more money.

And this is exacerbated by the fact that we have a skills shortage at the moment in cybersecurity. And so how do you scale up the teams that then have to do the threat hunt and respond, rather than actually relying on your defences stopping it coming in the first place?

If there is a breach, if malware gets in, what are the potential consequences for an organisation?

Well, there's a lot of grey areas in there. But let's take a bleak view. Let's look at the worst possible scenario. So one of the recent studies by Deloitte shows that the cost of breaches-- 96% of that cost is actually concentrated in the business implications of that breach. So lost revenue, customer confidence damage, shareholder confidence damage, fines are another part of that. But not in the technology, not in the forensics, and the clean up, and all the pieces there. 96%, that's an absolutely huge proportion.

Now, of course, a lot of organisations will claim that they use AI and machine learning. What extra benefit does that actually bring?

AI is a little bit of a bandwagon or a buzzword at the moment. And there are two sort of ways of looking at it. You either take a utopian view or a dystopian view. What a lot of people have done is actually tacked AI into what they already do to make it seem like it's more cutting edge. I think that's probably the wrong approach. If you want to use AI, you've actually got to start from scratch. Design your system with AI and machine learning at the heart of it.

And you at Cylance use AI. So tell us how you make it work for you.

I think the big differentiator is that our founders actually went away and took a clean sheet of paper. It actually also took them two years to build the AI model that we finally deployed. We don't want to have a patient zero. If you don't have a patient zero, i.e., the first one who gets infected, you can't write a signature. So we don't want to use signatures.

Signatures are also ineffective. They're difficult to write. They create a gap between-- when you see the first instance of something, and when you issue the signature, you have a vulnerability window, if you like. And so we don't do that. We don't impact the performance of the machine. We want to be tiny. We don't want to be connected to the internet. So we don't want to use any additional internet resources, because you might not be connected to the internet, or you might have come back after a holiday, or something like this.

If we could satisfy all those pieces, and build an AI machine learning model that then would predictively prevent malware, that's what the founding fathers of Cylance wanted.

And coming back to GDPR for a moment, one of the stipulations is that an organisation should have state-of-the-art security. But let's say I'm in an organisation, and I'm wondering, well, is my security state-of-the-art enough? Am I actually covered to make sure I comply with GDPR?

Yes, it's a great get-out clause, isn't it? And one of the things you could do, actually, you could look towards industry standards. So we have the ISO standards. We have the Cyber Essentials programme for the UK government, for instance. The only problem with standards like this is they tend to lag behind what is state of the art, anyway. So they're always slightly reactive to what the current status was when those standards were written.

What you really have to ask yourself is, do I have state of the art, or do I have lots of the same stuff that I've been putting in year by year, and then stacking it so that I try and catch as much as it drops through different layers? State of the art, it's a very difficult thing to comply with, yes.

One of the challenges with AI and machine learning is that it's not just us using it. The hackers are getting smarter. They're becoming more innovative. And they're going to be starting to use AI and machine learning, too, to attack our AI and machine learning. So what happens then?

Yeah, I think that's probably almost inevitable. Because as you say, the hackers have been very innovative. Up until now, they have quite sophisticated business models. They have malware as a service, for instance. And you've got this sort of leapfrogging trying to try and stay ahead of them. So once we bring AI out as an effective weapon against them, yes, they'll try and utilise that.

However, I think you end up in a self-referential loop, because once you attack AI with AI, the only hope you have of defending against that is with AI. And so it very rapidly becomes non-human understandable when we're talking about millions and millions of features that are trying to move in a particular space or domain. So yes, you've got to use AI to protect against AI.

Now, we've talked a lot about GDPR, which has brought into focus the need to have a more preventative approach about our malware, and to look at our security systems. If you could give people, maybe some three key takeaways of advice that they should be doing right now, what would you say?

I think predictive prevention is absolutely achievable. And if you can do that, it will change the economics of what you will be doing with your cybersecurity in your network as we go forward.

And that's exactly what we want-- to make sure that we are preventing that attack, and we are staying safe. It's been fascinating finding out more. Dr. Anton Grashion from Cylance, thank you very much, indeed.

Thank you.