Avoiding Overreliance on AI, ML
Rediff's Venkata Satish Guttula on Effective Incident Response
Although machine learning and artificial intelligence help in an incident response plan, companies must avoid excessive dependence on these highly-touted emerging technologies, says Venkata Satish Guttula, director of security at Rediff.com.
"Industry experts feel artificial intelligence and machine learning can come to the rescue in eliminating false positives and also prioritizing incidents based on the criticality," Guttula says in an interview with Information Security Media Group (see transcript below). "Even though AI and ML drastically reduce false positives, they have also opened up another threat where this same technology is being used by the attackers to identify and evade the defenses. So organizations should not overly depend on artificial intelligence and machine learning but also have a system in place to manually check logs periodically."
In the interview, Guttula also discusses:
- Why organizations can't ignore the human factor;
- Essential attributes of an incident response plan;
- Examples of a bad incident response plan.
Guttula is director of security at Rediff.com, an Indian news, information, entertainment and shopping web portal. He has more than 18 years of experience in information technology, with 13 years at Rediff.
SUPARNA GOSWAMI: Many experts say automation needs to be a part of an incident response plan. However, attacks are happening and organizations are unable to respond to these attacks in an ideal manner. What mistakes are organizations making?
VENKATA SATISH GUTTULA: An effective incident response plan includes people, process and technology. While many processes and technologies are put in place, there is always a fear of the unknown. A good process includes looking out for zero day vulnerabilities ... and timely patching. This involves the people part, and we have many times seen that the human element is the weakest link in cybersecurity.
Take the example of the Equifax breach. Equifax was using Apache Struts software, and at that time it [had] a remote code execution, or RCE, vulnerability. This was one of the critical vulnerabilities and a patch was available in the form of an upgrade. But it was not done on time, and the attackers took advantage of the RCE vulnerability. It could have been easily detected, and the exfiltrating of the data could have been stopped almost immediately, as Equifax had installed a device to inspect network traffic for evidence of malicious activity. But a misconfiguration allowed encrypted traffic to pass through the network without being inspected. So even though there were many processes in place, Equifax could not prevent the attack and breach of the data due to human factor.
A recent study shows that 80 percent to 90 percent of cybersecurity-related attacks originate from phishing, which again is a human factor. Failure to impart proper cybersecurity training to employees is one of the mistakes organizations are making.
Dependence on AI
GOSWAMI: Artificial intelligence has been one of the hot discussion points. However, some say there is unnecessary dependence on it. Do you feel organizations are being overly dependent on artificial intelligence for cybersecurity purposes?
GUTTULA: The security information and event management system, or SIEM ... alerts a security operations center analyst about the incidents that are tagged in the system. Because SIEMs work on pre-defined rules and patterns, many of [their alerts] are false. As a result, industry experts feel artificial intelligence and machine learning can come to the rescue in eliminating false positives and also prioritizing incidents based on the criticality. Even though AI and ML drastically reduce false positives, they have also opened up another threat, where this same technology is being used by the attackers to identify and evade the defenses.
So organizations should not overly depend on artificial intelligence and machine learning but also have a system in place to manually check logs periodically.
GOSWAMI: I am sure there have been multiple incidents where the incident response plan has not been up to the mark. Can you give an example of a bad incident response plan?
GUTTULA: Coming back to the Equifax breach, what made it more interesting is the way this incident was handled. At least on three points, Equifax handled the incident poorly. (See: Equifax Hit With Maximum UK Privacy Fine After Mega-Breach)
First, they took 40 days to disclose the incident, suggesting they have a very poor incident response plan. Second, in setting up a website (https://www.equifaxsecurity2017.com/) where they asked users to check if they were impacted by the breach and offered free credit monitoring ... they put in a clause that users could not be part of any claims against Equifax outside of arbitration, thereby reducing the size of any class action suits against it. Lastly, at least three senior executives are known to have sold stock in the company just three days after Equifax discovered the breach and well before they disclosed the breach.
Lessons learned from this include the need to disclose the breach as early as possible and take necessary steps to protect the users like resetting the passwords etc.; have a proper media response in place ... and involve the C-suite in the incident response plan and make them understand the implications of a potential breach and how to act accordingly.
GOSWAMI: Finally, what are some good attributes of an incident response plan?
GUTTULA: There should be an incident response plan which consists of three phases.
First is "prepare." An organization should be prepared for any incident by performing criticality analysis and risk assessment of the assets, carrying out threat analysis, and performing vulnerability analysis and penetration testing on infrastructure and applications. They also need to get people, process and technology in place and impart regular training.
Organizations should also have a manual or playbook that has a list of all possible incidents and notes on how to deal with them and who is to be involved at what point. There should be regular table-top exercises conducted on the basis of the playbook.
The second phase is "respond." When there is a cybersecurity incident, it should be triaged to classify it as critical, significant, minor or negligible. If it's a critical or significant incident, then necessary actions should be taken to contain the incident, identify the assets and networks that were compromised, and recover from the attack by blocking the attackers, changing the passwords of the compromised users, reinstalling the OS of the compromised systems, etc.
The final phase is "follow-up." After the recovery from the attack, one can file a complaint with the necessary authorities, report the incident to the relevant stakeholders, and, most importantly, build on the lessons learned and update key information controls and processes.