IT SECURITY

Behavioural AI: the way to protect your business network

Because so many attacks start at the endpoint, it is essential to gain proper insight into those endpoints. A 2018 survey by the SANS Institute shows that 42% of respondents experienced at least one case of endpoint misuse that led to data leakage or theft, or disrupted business operations. Moreover, encryption does not get in the way on endpoints. Endpoints are places where network and process activity is visible and where you can even monitor devices remotely. That way you can, for example, find out who plugged in that USB stick — and when and where.

Our EDR solution (Endpoint Detection & Response) continuously scans for unusual behaviour across all your devices, including mobile endpoints. Proactively and in real time!

Traditional antivirus software (AV) is no longer enough.
Endpoint Detection and Response (EDR) is a security solution that continuously and in real time responds to zero-day attacks.

Special offer: Switch from AV to EDR now at a reduced rate.

Too many data points, not enough answers

It is not that we lack endpoint monitoring that can give us answers. Today we have far more insight into cyberattacks than we had in the days of EPPs (Endpoint Protection Platforms). Those products relied on signatures and were blind to memory-based malware, lateral movement, fileless malware or zero-day attacks.

The problem is this: EPP offers protection for endpoints, but it does not give organisations insight into the threats. First-generation EDR tools (endpoint detection and response) emerged from the need for the visibility that EPPs could not provide. That generation of EDR, so-called passive EDR, gives us data but no context. We get the pieces of the puzzle, but not the picture that shows how to put them together.

If you look at a typical example of built-in passive endpoint monitoring, you might see that Windows event logs recorded how a PowerShell session was launched via a virtual keyboard after someone plugged in a USB stick. You might see that the attack used advanced techniques such as clearing logs. That a backdoor was installed to maintain access. That login credentials were stolen and used to log in. That — oops — a login attempt failed at some point. That privileges were escalated. That more logs were deleted. That a new local user was created and added to an admin group, and so on and so on. Now try to untangle all that.

In the demo it might have looked impressive, but what happens in day-to-day practice? Who can really make sense of all this? Maybe a few seasoned and highly trained security analysts. But unfortunately, there are not enough of them. And they also need to sleep from time to time. So if an attack takes place in the middle of the night, the attackers gain extra time before the analysts come back to work and start figuring out the what, where, how and when.

A CISO is not interested in all the individual data points that make up an attack. It is more like a game of Cluedo. Who did it: colonel van Geelen, a temp with a USB stick, or a nation-state sponsored group? Has the threat already been stopped and if so, how long was it active? Which of the few SOC analysts is going to analyse that overwhelming stream of data coming from the passive EDR system?

What is behavioural AI and how can it help?

What happens after an attack? The story can go in two directions. The first direction, the problematic one, you probably know. Security analysts have to sift through every alert, notification and anomaly generated by passive EDR. Such investigations take a lot of time and require a high level of skill. Those skills are scarce. You know how hard it is to find, train and retain the right people. Too few people have the expertise to operate security platforms and separate the wheat from the chaff, or in other words the harmless glitches from the real breaches.

But the story can also take a different turn. The turn towards storylines: the contextualisation of all loose data points into a concise narrative. SentinelOne calls this ActiveEDR, a behavioural AI model that not only prevents an organisation from being fully dependent on scarce analysts but also works 24/7. This model constantly records what is happening on every device that touches the network and places these events in context.

The behavioural AI engine from SentinelOne creates what we call Storylines. A Storyline is a set of footprints that allows organisations to trace incidents and identify who is responsible for an IOC, an Indicator of Compromise. That is still EDR, but not the passive EDR you may be familiar with. In classic EDR, you look for one isolated activity and then try to link it to another, and then another, and so on. This is a time-consuming, labour-intensive and highly specialised exercise that happens after the fact in order to reconstruct the full picture.

With SentinelOne’s ActiveEDR technology, the computer does the work instead of the analyst. The technology follows and contextualises everything that happens on a device, identifies malicious activity in real time and automatically carries out the required responses. If and when the analyst wants to get involved, they can use ActiveEDR to hunt for threats by running a deep search based on a single indicator of compromise.

Unlike other EDR solutions, ActiveEDR does not depend on cloud connectivity to detect threats. As a result, dwell time is effectively reduced to execution time. The AI agent on each device does not need cloud connectivity to make a decision. The agent constantly builds stories about what is happening on the endpoint and, when it detects malicious behaviour, it can not only stop malicious files and processes but also kill the entire Storyline and even automatically roll it back.

Why is ActiveEDR better at stopping file-based and fileless attacks?

Modern cybercriminals have found ways to no longer depend on files. They leave no trace and use fileless, in-memory malware to stay invisible to most security tools. Only the most advanced solutions can detect this type of attack. Because ActiveEDR tracks everything, you can still detect attackers who already have credentials in your environment and perform so-called Living off the Land (LotL) activity. This term refers to attacks without files or malware, where criminals abuse the system’s own, fully legitimate tools to carry out malicious actions. They blend into the network and hide among legitimate processes while they do their work unnoticed.

Behavioural AI: a real-life scenario

The following real-life scenario shows how this works. The police call you to inform you that your credentials are listed on Pastebin. You want to know how they got there, so you start searching in the Deep Visibility threat hunting module. Deep Visibility shows the Storylines generated by SentinelOne. Because users can search for any reference, in this example references to Pastebin, threats can be found quickly.

With Storyline, every autonomous endpoint AI agent builds a model of its endpoint infrastructure and behaviour during real-time execution. This is assigned a Storyline ID. That is an identifier for a group of related events. If you search for “Pastebin”, you will find a Storyline ID that takes you straight to all related processes, files, threads, events and other data that match that one query. Deep Visibility returns complete, contextualised data that gives you fast insight into the root cause of a threat, including all context, relationships and activities.

Each agent can then automatically or manually clean up after an attack, roll back the system, disconnect the device from the network or launch a remote shell on the system. All of this can be done automatically or with a single click. It takes only seconds, does not depend on the cloud and does not require any data to be uploaded for human review. Cloud analysis is unnecessary because everything happens on the agent.

By automating as much as possible, several problems are solved at once. First, file-based attacks can be identified without signatures because malicious behaviour is recognised. Second, fileless attacks can be prevented and predicted.

SentinelOne’s endpoint protection starts working before execution. An attack is stopped before it can run through a weaponised pdf, Word document or any other file. The first step is to analyse the situation and check if anything looks suspicious. If so, the file is quarantined. If the code passes the first test and starts to execute, ActiveEDR comes into play. This autonomous, automated threat-hunting mechanism – with detection and response on the agent – looks for strange, abnormal behaviour. For example, someone opens Word, which in turn triggers PowerShell to download something from the internet. That is usually not benign, normal behaviour. ActiveEDR watches the behaviour during code execution and records everything that happens in the operating system as a chain of stories, from beginning to end, whether it takes one second, a month or even longer. The technology continuously evaluates the behaviour to check whether anything is going wrong.

The human factor, supported by behavioural AI

All of this is powerful, but it is still not enough, because no system catches everything. That is why ActiveEDR includes threat hunting capabilities. This is one of the features that makes SentinelOne a superior solution for both file-based and fileless attacks.

Imagine you have found a device that has communicated with Pastebin several times. When you click the Storyline ID in the SentinelOne console, you are taken to the full story of the attack. You see all relevant context, a high-level diagram of the attack’s origin and a timeline of the process tree with all relevant processes. A Microsoft Word document was opened. This triggered a Windows PowerShell session. That, in turn, launched seven other processes. Storylines even contain full command-line arguments, which investigators need to fully understand the attack. They provide the complete context of the attack, not assembled by a full incident response team, but with a single query.

An AI assistant, especially an AI agent that runs on every device connected to the network, saves a lot of time. Your organisation is no longer fully dependent on people analysing events that may turn out to be irrelevant.

You can keep sleeping, we take over from here

Isn’t it time to handle things differently? Now you can.

Behavioural AI can be configured to handle threats automatically, and that is a very powerful approach. The technology can take decisions on the device itself, independently of the cloud and without human input. If ActiveEDR is set to Detect, you receive contextualised alerts. If you set it to Protect, that booby-trapped Word document is simply blocked. No human needs to intervene. When a user tries to open the Word file, the threat is detected, blocked and removed at high speed. If ActiveEDR is configured in Protect mode, the Storyline of the attack shows that it did not get far. The attack was blocked before it could communicate externally.

Because behavioural AI agents are embedded in every endpoint device, malicious behaviour can be stopped immediately. If you later decide that a block was not necessary after all, you can simply roll it back. And unlike people, ActiveEDR with SentinelOne’s behavioural AI does not need sleep and does not walk out the door at five o’clock.

With the automated, threat-focused power of behavioural AI, you no longer have to worry about stolen data, sensational headlines or calls from the police.

Contact us or request a free demo if you want to learn more about SentinelOne’s behavioural AI and how it can help protect your organisation.

Looking for an IT partner for your SME?

Let us know what could be improved within your organisation. Whether you are a small or a large company, we will be pleased to work with you to examine the most suitable solutions, and are able to offer standard plans as well as custom-made options. The choice is yours.

“At Office-IT, we rely on award-winning security software from our partners. Time and again, these solutions prove to be the very best.”

Office-IT