It’s human nature to embrace new technologies that offer distinct advantages over the old way of doing things. Likewise, it’s almost inevitable to later discover that adopting the new technology required making tradeoffs that were not obvious at the outset. For example, embracing the automobile over the horse revolutionized personal transportation, but it also affected everything from the environment to the energy sector. More recently, switching from landline telephones to wireless smartphones put extraordinary amounts of information at people’s fingertips, but again, there have been tradeoffs. Accepting tradeoffs is part of embracing change, which is why organizations considering cloud-dependent cybersecurity solutions should understand the associated risks.
Two Types of Cloud-Dependent Security
For the sake of simplicity, we’ll explore two popular cloud-dependent cybersecurity approaches. The first example will cover solutions that store malware signatures (and other identifiable threat data) in the cloud and then distribute that data to endpoints. The second example will describe cloud solutions that collect threat data from endpoints and then analyze it in the cloud.
Pushing Threat Information from the Cloud
The first cloud-dependent approach requires endpoints to remain connected to the cloud so their threat databases are updated with the latest malware indicators. The cloud functions as a system for centralized distribution of threat data, keeping endpoints informed of the latest known viruses, remote access Trojans (RATs), and worms. This approach offers advantages over older strategies that used IT staff to manually initiate updates or asked end-users to keep their systems current. However, like all innovations, switching to cloud-dependent security comes with certain tradeoffs that may not be immediately obvious.
One big change in adopting this approach is that an organization’s endpoints become totally reliant on the cloud for protection from newer threats. Under ideal circumstances, every computer, tablet, and protected device will continuously maintain its cloud connection and never miss an update. In reality, however, organizations often have technology that does not update regularly or connect to the cloud, for a variety of reasons.
Some technology is only used occasionally and not powered on when new updates are pushed to devices. Other endpoints may encounter problems during updates and fail to integrate the latest threat information until their technical issues are addressed. Some devices may not be able to accept certain updates because doing so interferes with other software required for their core mission. Furthermore, when zero-day attacks are unleashed, it can take time for providers to update the cloud with new threat indicators. During this time, all cloud-dependent endpoints remain vulnerable to the new threat.
Pulling Threat Information into the Cloud
Another approach to cloud-dependent security is having endpoints send their threat information to the cloud for analysis. This method frees endpoints from the burden of having to use their own resources to crunch threat data. Organizations may also feel a sense of security, believing the cloud vendor is using the power of big data to uncover cyberthreats. However, there are security tradeoffs with taking this approach as well.
For example, allowing a cloud provider to process threat data sends information owned by the organization outside its secure network. It entrusts whatever data the vendor collects to cloud resources controlled by a third party. This can be especially troubling when one considers that cloud misconfigurations have caused security breaches totaling nearly $5 trillion (USD). Data control issues have led the government of the U.K. to restrict some agencies from using security providers that move information out of the country. Once data leaves the organization, it is no longer fully controlled, and this may create regulatory or security problems.
As with the first, this second method of cloud-dependent security also requires a consistent connection to keep endpoints safe. Endpoints not connecting with the cloud, or having issues uploading information, will not have their threat data processed.
The Advantage of Cloud-Enabled Cybersecurity
Innovative vendors, aware of the issues with cloud-dependent security, have created alternative ways to use the power of the cloud. One approach that shows great promise is deploying cybersecurity AI agents directly on the endpoint to provide continuous protection. The cloud is used to manage enterprise security, provide updates, and offer a big-picture view of the environment. With cloud-enabled security, every protected device can defend against cyberthreats, even when it loses connectivity. In fact, endpoints using AI-driven cybersecurity maintain their protected status in air-gapped environments, with no Internet or cloud connectivity whatsoever.
Continuous protection is possible because AI models train upon billions of file features until they can reliably differentiate between safe and malicious files. Since the AI detects threats through advanced pattern recognition, it can predict the safety of any file without additional context or signatures. AI’s ability to detect malicious files long before they are formally identified by researchers is called Predictive Advantage. To understand Predictive Advantage, imagine zero-day malware, released this morning, is analyzed by a two-year-old AI model. If the older AI correctly identifies the malware as dangerous, the model is said to have a predictive advantage score of two years. This means users who installed the cybersecurity AI agent two years ago, and never updated, were protected from a zero-day threat appearing today.
Many zero-day malware attacks are based on known threats that are slightly modified to fool signature-based detection. However, these changes are generally not significant enough to escape the detection of advanced AI. In fact, AI’s capabilities extend far beyond file-based attacks. The techniques that train AI to identify malicious files can also apply to network traffic, user access, resource utilization, and other enterprise data. Using the cloud to manage an AI-driven cybersecurity platform allows organizations robust control over their environment while ensuring each endpoint remains protected regardless of connectivity.
Cloud-enabled security using AI-driven endpoint protection avoids many of the drawbacks caused by cloud dependency, while offering several advantages. The cloud can push updated AI models to endpoints, yet missing an update will not leave devices defenseless against new threats. When an endpoint detects a threat using its local AI model, it can double-check the result with the larger cloud infrastructure. This offers devices a fast and simple way to use the cloud for a second opinion on threat analysis. The cloud can also aggregate relevant threat data from each endpoint, monitor for network threats, and simplify the complex task of managing enterprise security.
BlackBerry solutions CylancePROTECT® and CylanceOPTICS® place AI-driven cybersecurity agents directly on endpoints to protect them from cyber risks, but also to reduce alert fatigue. This allows each endpoint to act as a mini security operations center (SOC), insofar as it detects and responds to threats while collecting relevant data. When these endpoints connect to the cloud, their individual threat telemetry is aggregated to give analysts greater insight into an attack. Threat data is correlated across the environment to create a big-picture view of an attack, rather than bombarding analysts with countless separate alerts.
For more information on how cloud-enabled cybersecurity and AI can improve your organization’s security posture, visit BlackBerry.com.