
Three Ways AI-Powered Patch Management is Influencing Cybersecurity's Future


Approaches to patch management that aren't data-driven are breaches just waiting to happen. Security teams delay prioritising patch management until a breach occurs, which allows attackers to weaponize CVEs that are several years old.

Contextual knowledge about which CVEs are most exploitable is now part of the evolving attacker tradecraft. As a result, when patch management is done manually, or when endpoints are overloaded with agents, unsecured attack surfaces with exploitable memory conflicts are left behind.

Attackers continue to hone their skills while weaponizing vulnerabilities with cutting-edge methods and tools that can elude detection and undermine manual patch management systems.

According to CrowdStrike's 2023 Global Threat Report, up to 71% of all detections indexed by the CrowdStrike Threat Graph are intrusion activity that uses no malware at all. Security flaws that had not yet been patched were to blame for 47% of breaches, and 56% of organisations still remediate security vulnerabilities manually.

Consider this if you need any additional evidence that relying on manual patching techniques is ineffective: 20% of endpoints are still not up to date on all patches after remediation, making them vulnerable to breaches once more.

A prime example of how AI can be used in cybersecurity is automating patch management across multiple datasets and integrating it into a risk-based vulnerability management (RBVM) platform. The most advanced AI-based patch management systems can interpret vulnerability assessment telemetry and rank risks according to patch type, system, and endpoint. Driven by risk-based scoring, nearly every vendor in this sector is advancing its AI and machine learning quickly.

When prioritising and automating patching operations, vulnerability risk rating and scoring based on AI and machine learning provide the knowledge security teams need. The following three examples highlight how AI-driven patch management is revolutionising cybersecurity: 

Real time detection 

To overpower endpoint perimeter-based protection, attackers rely on machine-driven exploitation of unpatched vulnerabilities and flaws. Supervised machine learning techniques trained on that data identify attack patterns and add them to the algorithms' knowledge base. Because machine identities now outnumber human identities by a factor of 45, attackers look for vulnerable endpoints, systems, and other assets whose patches are not up to date.

In a recent interview, Ivanti's Mukkamala described how he sees patch management evolving into a more automated process with AI copilots supplying more contextual intelligence and forecast accuracy. 

“With more than 160,000 vulnerabilities currently identified, it is no wonder that IT and security professionals overwhelmingly find patching overly complex and time-consuming,” Mukkamala explained. “This is why organizations need to utilize AI solutions … to assist teams in prioritizing, validating and applying patches. The future of security is offloading mundane and repetitive tasks suited for a machine to AI copilots so that IT and security teams can focus on strategic initiatives for the business.” 

Automating remediation decisions 

Machine learning algorithms continuously analyse and learn from telemetry data to increase prediction accuracy and automate remediation decisions. The quick evolution of the Exploit Prediction Scoring System (EPSS) machine learning model, developed with the combined knowledge of 170 professionals, is one of the most exciting aspects of this breakthrough field.

The EPSS is designed to aid security teams in managing the rising tide of software vulnerabilities and spotting the most perilous ones. The model, now in its third iteration, outperforms earlier iterations by 82%.

“Remediating vulnerabilities by faster patching is costly and can lead astray the most active threats,” writes Gartner in its report Tracking the Right Vulnerability Management Metrics (client access required). “Remediating vulnerabilities via risk-based patching is more cost-effective and targets the most exploitable, business-critical threats.” 
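The risk-based ranking described above, as an added example that is not part of the original post or of any vendor's product: it scores constructed findings by exploitation likelihood (an EPSS-style probability), severity and asset criticality, builds a remediation queue, and re-validates endpoints reported as remediated. The CVE identifiers are placeholders and the weighting formula is an assumption.

```python
"""Risk-based patch prioritisation over constructed telemetry (added example).
Assumes per-endpoint findings carrying an EPSS score (0..1), a CVSS score,
an asset criticality weight and a patch state; all values are constructed."""
from dataclasses import dataclass

@dataclass
class Finding:
    endpoint: str
    cve: str           # placeholder identifiers, not real CVEs
    epss: float        # probability of exploitation, 0..1
    cvss: float        # base severity, 0..10
    criticality: int   # 1 (lab box) .. 5 (domain controller, prod database)
    patched: bool      # state after the last remediation run

FINDINGS = [
    Finding("dc01",  "CVE-XXXX-0001", 0.92, 7.5, 5, False),
    Finding("dc01",  "CVE-XXXX-0002", 0.03, 9.8, 5, False),
    Finding("web02", "CVE-XXXX-0001", 0.92, 7.5, 3, True),
    Finding("web02", "CVE-XXXX-0004", 0.01, 4.3, 3, False),
    Finding("lab07", "CVE-XXXX-0003", 0.40, 5.0, 1, False),
    Finding("app03", "CVE-XXXX-0002", 0.03, 9.8, 4, True),
]

def risk_score(f: Finding) -> float:
    """Likelihood x impact x asset weight (assumed formula): a bug that is
    actively exploited outranks a high-CVSS bug nobody is exploiting."""
    return round(f.epss * (f.cvss / 10.0) * f.criticality, 3)

def remediation_queue(findings):
    """Unpatched findings, highest risk first."""
    open_items = [f for f in findings if not f.patched]
    return sorted(open_items, key=risk_score, reverse=True)

def unpatched_after_remediation(findings, remediated_endpoints):
    """Re-validation: endpoints reported as remediated that still carry open
    findings, i.e. the ones a manual process would wrongly mark as done."""
    still_open = {f.endpoint for f in findings if not f.patched}
    return sorted(still_open & set(remediated_endpoints))

if __name__ == "__main__":
    for f in remediation_queue(FINDINGS):
        print(f"{risk_score(f):6.3f}  {f.endpoint:6s} {f.cve}")
    print("needs another run:", unpatched_after_remediation(FINDINGS, ["dc01", "web02", "app03"]))
```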

Contextual understanding of endpoint assets 

Another noteworthy aspect of AI-based patch management innovation is the speed with which providers are enhancing their usage of AI and machine learning to discover, inventory, and patch endpoints that require updates. Each vendor's approach is unique, but they all strive to replace the outmoded, error-prone, manual inventory-based method. Patch management and RBVM platform suppliers are rushing out new updates that improve prediction accuracy and the capacity to determine which endpoints, machines, and systems need to be patched.

Bottom line

The first step is to automate patch management updates. Following that, patch management systems and RBVM platforms are integrated to improve application-level version control and change management. Organisations will acquire more contextual information as supervised and unsupervised machine learning algorithms help models discover potential anomalies early and fine-tune their risk-scoring accuracy. Many organisations are still playing catch-up when it comes to patch management. To realise their full potential, organisations must leverage these technologies to manage whole lifecycles.

Experts Warn of Advanced Evasion Techniques as Rorschach Ransomware Emerges


Security researchers are concerned about a new ransomware strain that they characterise as a hybrid of the most potent ransomware families currently in use.

Researchers from the Israeli cybersecurity company Check Point named the new ransomware "Rorschach" and claimed their incident response team came across it while looking into an attack on a U.S.-based corporation.

Rorschach is "the fastest and one of the most sophisticated ransomware we've seen so far," according to Sergey Shykevich, threat intelligence group manager at Check Point Research. Each person who looked at it saw something slightly different, similar to the renowned psychological test, which is why the researchers termed it Rorschach. 

“Just as a psychological Rorschach test looks different to each person, this new type of ransomware has technically distinct features taken from different ransomware families – making it special and different from other ransomware families,” Shykevich stated.

The company stated in research released on Tuesday that Rorschach appears to be unique, sharing no overlaps that would easily attribute it to any known ransomware strain, and that it carries none of the branding common to most ransomware groups.

Researchers were taken aback by a number of characteristics beyond how quickly it encrypted data, which on average was several minutes faster than other widely used ransomware such as LockBit. In controlled settings they ran five different encryption performance tests against LockBit, concluding that the ransomware was the "new speed demon in town."

Because part of the ransomware runs autonomously, attackers can complete operations that would normally require manual effort. Its high degree of adaptability lets attackers use a broad variety of methods depending on the situation. In the incident that Check Point handled, the attackers used a signed component of a commercial security product to deploy the ransomware, which is unusual for ransomware attacks.

But the responders found the attack odd. The hackers had no affiliations with any other groups and did not use aliases to conceal their identities. Two of the ransomware's features were spreading automatically throughout a system and erasing the event logs of compromised devices.

Similarities and distinctions 

The malware was unique in several ways, but it also borrowed ideas from a number of earlier ransomware variants. The ransom note issued to victims mirrored those of the Yanluowang and DarkSide groups, and some of its code was taken from the leaked source code of the Babuk and LockBit ransomware strains.

In order to make recovery more challenging, the ransomware has the ability to erase backups and disable some services, such as firewalls. The fact that the ransomware not only encrypts an environment but also employs novel strategies to get beyond security measures shocked the researchers. 

Additionally, the ransomware's creators included two system checks that can halt its execution depending on the victim's configured language. The ransomware will not run if the language belongs to a member of the Commonwealth of Independent States (CIS), such as Armenia, Azerbaijan, Kazakhstan, Russia, Ukraine, Belarus, Tajikistan, Georgia, Kyrgyzstan, Turkmenistan, Uzbekistan, or Moldova.

The ransomware also uses a distinctive encryption method: it encrypts only part of each file rather than the whole file, which makes recovery more challenging while letting it run faster than earlier ransomware encryption routines.
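A defender-side way to spot the partial-encryption pattern just described, as an added example that is not Check Point's code or part of the original post: files touched by partial encryption show a mix of high-entropy (ciphertext) and low-entropy (untouched content) regions, unlike fully encrypted or plain files. The entropy thresholds, chunk size and sample data are constructed assumptions; the "ciphertext" is a seeded pseudo-random stream, not a real cipher.

```python
"""Chunk-entropy triage for intermittently encrypted files (added example;
thresholds and sample data below are constructed assumptions)."""
import math
import random

HIGH, LOW = 7.0, 6.0  # bits per byte; assumed thresholds

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def chunk_profile(data: bytes, chunk_size: int = 4096):
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]

def classify(data: bytes, chunk_size: int = 4096) -> str:
    """'plain' (all chunks low), 'encrypted' (all high), 'intermittent'
    (both present) or 'unknown' (empty, or chunks only between thresholds)."""
    profile = chunk_profile(data, chunk_size)
    high = sum(e >= HIGH for e in profile)
    low = sum(e <= LOW for e in profile)
    if profile and high == len(profile):
        return "encrypted"
    if profile and low == len(profile):
        return "plain"
    if high and low:
        return "intermittent"
    return "unknown"

# Constructed samples: repeated text stands in for a document, a seeded PRNG
# stream stands in for ciphertext (no real cipher is involved).
rng = random.Random(2023)
DOCUMENT = (b"Quarterly report: revenue, headcount, forecasts. " * 700)[:32768]
def fake_cipher(n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))
FULL = fake_cipher(len(DOCUMENT))
# every other 4 KiB block replaced, mimicking partial-file encryption
PARTIAL = b"".join(fake_cipher(4096) if (i // 4096) % 2 == 0 else DOCUMENT[i:i + 4096]
                   for i in range(0, len(DOCUMENT), 4096))

if __name__ == "__main__":
    for name, blob in (("document", DOCUMENT), ("full", FULL), ("partial", PARTIAL)):
        print(f"{name:9s} -> {classify(blob)}")
```

Compressed or already-encrypted formats (archives, media) also read as uniformly high entropy, so treat the "encrypted" verdict as a triage hint to combine with file-type and write-pattern telemetry, not as proof on its own.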

“Our analysis of Rorschach reveals the emergence of a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects,” the researchers explained. "The operators and developers of the Rorschach ransomware remain unknown. They do not use branding, which is relatively rare in ransomware operations."