Splunk GovSummit Recap: Navigating the World of AI and Zero Trust
The last stop of a busy conference year for DomainTools landed us in our nation’s capital. The annual Splunk GovSummit, held in Washington, DC, brought together industry leaders from the private and public sectors alike. The conference offered a peek behind the curtain into the priorities of Federal and State governments, as well as the strategies companies in the private sector are pursuing to meet those priorities and give more bad days to bad actors.
By far the two largest subjects of discussion were Artificial Intelligence (AI) and Zero Trust. I can feel the nervousness of my coworkers in research and data science as I write this. “Is the product marketing guy about to talk about AI and Zero Trust?” I will preface this by saying that unless explicitly stated, the content discussed in this article does not reflect the thoughts of myself or anyone at DomainTools but is instead an observation of how these terms were discussed by industry leaders at the summit.
Navigating Through the AI Terrain
More than half of the general and thought leadership sessions at the Splunk GovSummit had a primary focus on Artificial Intelligence or Machine Learning (ML). These terms are controversial and often carry different interpretations within the infosecurity community. By now, you’ve likely heard claims from every technology vendor that they use AI/ML today to solve a specific problem. It’s certainly generated a lot of hype, but when does it bring any practical value and how will it impact your security framework?
AI vs Machine Learning
Artificial Intelligence is a branch of computer science focused on helping computers learn on their own, adjust to new inputs, and perform tasks – all without human intervention. Made up of several different types of learning (shown below), AI is useful in everything from IT security to robotics, to deepfake videos, to real-time translation of conversations.
Machine Learning is the one family within AI most applicable to cybersecurity, because of its emphasis on using existing behavior patterns to inform decision making. ML can be weaponized by adversaries, who exploit the predicted behavior of consumers, and it can be leveraged by security teams to predict whether an artifact online is likely to be malicious today, may have malicious intent at some point in the future, or is benign in nature. ML focuses on devising algorithms that allow a computer to automatically improve its understanding of the data presented to it through continual exposure to that data. In essence, you give an ML process some data and it attempts to learn very specific things about the data – whether guided by human input or on its own.
What is the Government Saying About AI?
The first AI-related session of the summit, “How to Harness the Power of AI to Advance Your Mission,” offered perspectives from both the Federal and the local level. The panel, moderated by Splunk’s Patrick Coughlin, featured Jaime Noble, Chief Information Security Officer at the Department of Justice’s Office of Justice Programs (DOJ OJP), and Sathish Ningaiah, Chief Information Security Officer at the New York City Department of Social Services (DSS). The discussion focused on the opportunities AI could bring to agencies, but stressed that it cannot be a replacement for human support. The panelists all agreed that it is best to keep humans in the loop whenever integrating technology that leverages AI into an agency. The panelists also discussed the risks this poses, such as investment in AI for task-performing technology diverting investment away from cybersecurity.
What is Splunk Saying About AI?
To combat a potential conflict of interest between investments in AI technology and cybersecurity, Splunk had a lot of messaging at the GovSummit about how their products are working to incorporate AI and how those products could then be used in a company or agency’s overall technology infrastructure. This was especially evident in Shawn Jones’ presentation “Unlocking the Power of Data with AI and ML: The Splunk Approach.” Here, Jones presented case studies that marked the impact Splunk made using AI and Machine Learning in several scenarios to help public sector organizations harness their data for improved anomaly detection, predictive analytics, and intelligent assistants. Splunk defines AI and sees its application as “a catalyst for driving digital resilience — a way to accelerate human decision making in service of incident detection, investigation and response.”
What Are We Saying About AI?
Our solutions focus on the “machine learning” branch of AI to identify potentially or actively malicious domains. As the name implies, there is a Learning phase that needs to occur before the ML algorithm can be useful. This phase can be supervised, using externally-defined “buckets” of labeled data to help the ML system learn from a human teacher, or unsupervised, looking at unlabeled data, learning “on its own,” and determining its patterns and structures. Once the learning process is complete, a testing phase is required to determine whether the machine can correctly identify data that are known to have specific features. The goal is to compare the testing results (which establish what the ML model “thinks” of the test data) to what a human thinks the ML algorithm results should have been. If the accuracy (as determined by the human) is low, the model needs to be revisited and both the learning and testing must be redone.
DomainTools uses data from domain blocklists, lists of domains that have already exhibited malicious behavior, in both the Learning and Testing phases to develop algorithms that can predict, with a high degree of accuracy, that a domain has or will have malicious use. This is realized in our predictive risk scoring, which draws upon data points from more than 360 million current Internet domains to predict how likely a domain is to be malicious, often before it can be weaponized. Our Threat Profile algorithm models how closely a domain’s intrinsic properties resemble others used for spam, phishing, or malware, in much the same way that a human analyst would assess the domain.
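To make the Learning and Testing phases described above concrete, here is an added example that is not DomainTools code and does not reproduce the Threat Profile algorithm. It trains a supervised nearest-centroid classifier on a constructed, labeled sample (a stand-in "blocklist" for the malicious bucket and a list of ordinary names for the benign bucket), using four intrinsic properties of the second-level label (length, digit ratio, hyphen count, character entropy), then runs the Testing phase on held-out domains whose labels a human already knows and reports the accuracy that decides whether the model must be revisited. All domain names are constructed under the reserved `.example` TLD, and the features and thresholds are assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample data (not real blocklist or DomainTools data).
# Label 1 = listed on a blocklist, label 0 = no history of abuse.
TRAINING = [
    ("secure-login-verify-8821.example", 1),
    ("account-update-7713-alert.example", 1),
    ("paypa1-confirm-id99.example", 1),
    ("xk3j9q2mz8wlt4.example", 1),
    ("bank-support-auth-20931.example", 1),
    ("q7z2vb9rnx5pw1lk.example", 1),
    ("weather.example", 0),
    ("library.example", 0),
    ("gardening.example", 0),
    ("recipes.example", 0),
    ("cityhall.example", 0),
    ("museum.example", 0),
]

# Held-out test set: the human-assigned labels the model's answers are compared to.
TESTING = [
    ("free-gift-card-4412.example", 1),
    ("pw8rx2kqv7zt.example", 1),
    ("bakery.example", 0),
    ("townlibrary.example", 0),
]


def features(domain):
    """Intrinsic properties of the second-level label (assumed feature set)."""
    label = domain.split(".")[0]
    n = len(label)
    counts = Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    hyphens = label.count("-")
    return [float(n), digit_ratio, float(hyphens), entropy]


def train(labelled):
    """Learning phase: z-score the features, then compute one centroid per class."""
    rows = [features(d) for d, _ in labelled]
    dims = len(rows[0])
    means = [sum(r[i] for r in rows) / len(rows) for i in range(dims)]
    stds = []
    for i in range(dims):
        var = sum((r[i] - means[i]) ** 2 for r in rows) / len(rows)
        stds.append(math.sqrt(var) or 1.0)  # guard against a constant feature

    def z(row):
        return [(row[i] - means[i]) / stds[i] for i in range(dims)]

    centroids = {}
    for cls in {lab for _, lab in labelled}:
        members = [z(r) for r, (_, lab) in zip(rows, labelled) if lab == cls]
        centroids[cls] = [sum(m[i] for m in members) / len(members) for i in range(dims)]
    return {"means": means, "stds": stds, "centroids": centroids}


def predict(model, domain):
    """Assign the class whose centroid is nearest in standardized feature space."""
    row = features(domain)
    zrow = [(row[i] - model["means"][i]) / model["stds"][i] for i in range(len(row))]
    best_cls, best_dist = None, math.inf
    for cls, centroid in model["centroids"].items():
        dist = math.sqrt(sum((zrow[i] - centroid[i]) ** 2 for i in range(len(zrow))))
        if dist < best_dist:
            best_cls, best_dist = cls, dist
    return best_cls


def evaluate(model, labelled):
    """Testing phase: fraction of held-out domains the model classifies as the human did."""
    correct = sum(predict(model, d) == lab for d, lab in labelled)
    return correct / len(labelled)


if __name__ == "__main__":
    model = train(TRAINING)
    acc = evaluate(model, TESTING)
    print(f"test accuracy: {acc:.2f}")
    # If accuracy is low, both Learning and Testing are redone with better data/features.
    if acc < 0.9:  # acceptance threshold is an assumption for this example
        print("model needs to be revisited")
```

The classifier is deliberately simple so the two phases are visible: `train` never sees the test set, and `evaluate` is the human-labelled comparison the text describes. A real scoring system draws on far more properties and data than four label features, and a constant feature (zero standard deviation) is guarded against so standardization does not divide by zero.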
Addressing CISA’s Zero Trust Initiative
One session that was not focused on AI and which garnered a lot of attention was “Embracing Zero Trust Architecture and Enabling Your SOC to SOAR.” The foundational objective of Zero Trust is to prevent trouble before it occurs. However, full prevention of incursions or dangerous connections is not achievable in real-world environments. Zero Trust is a far-reaching concept that pervades almost every area within the security practice, as well as information and operational technology in general. This panel took a look at the Zero Trust initiative spearheaded by the Cybersecurity and Infrastructure Security Agency from the perspective of Raventek from the private sector, the Virginia Information Technologies Agency from the public sector, and Splunk as the conference host—with tremendous experience in both sectors. The key takeaway from panel members was that a great way to respond to the several executive mandates, requiring the implementation of a Zero Trust Architecture in Federal agencies and companies that do business with them, is security orchestration, automation and response (SOAR).
The panelists agreed that a SOAR platform takes the approach of addressing steps required in a Zero Trust Architecture and increases visibility across agency networks in the face of cybersecurity attacks and disruptions along the way. Kristi Chiarenza from Splunk discussed how the Splunk SOAR platform has been the primary way that Splunk users in the public sector have been able to address the Zero Trust requirements they faced because the platform emphasizes establishing visibility before orchestration and automation.
The DomainTools App within Splunk SOAR assists with the visibility portion Chiarenza described in the panel by giving users access to the risk scoring previously discussed in this article, which predicts how likely a domain is to be malicious. This integration is also useful in the orchestration portion: within playbooks, users can make automated decisions using this data to enrich a Splunk event with connected domains and even block them proactively. Together, DomainTools and Splunk SOAR automate and orchestrate the incident response process with essential domain profile, web crawl, SSL and infrastructure data delivered by the DomainTools Iris Investigate API. This orchestration can also be implemented with the DomainTools Iris Enrich API. SOCs can create custom, automated workflows to trigger Indicator of Compromise (IoC) investigations, block threats based on connected infrastructure, and identify potentially malicious incidents before weaponization.
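The visibility-then-orchestration flow described above, as an added example that is not part of the Splunk SOAR app or the DomainTools integration: a small playbook takes the domains from an event, enriches each one from a constructed lookup table that stands in for an Iris Enrich API response (the field names `risk_score`, `create_date` and `ip` are assumptions, as are the thresholds), pivots to connected domains that share hosting infrastructure, and returns a decision per domain. Connected domains are blocked only when their own score also clears the block threshold; otherwise they are queued for investigation, because shared hosting alone is not proof of malice.

```python
from datetime import date

# Constructed enrichment data standing in for an API response (not real data).
ENRICHMENT = {
    "login-verify-8821.example":  {"risk_score": 96, "create_date": date(2023, 11, 20), "ip": "203.0.113.10"},
    "account-update-7713.example": {"risk_score": 91, "create_date": date(2023, 11, 22), "ip": "203.0.113.10"},
    "shared-host-tenant.example":  {"risk_score": 10, "create_date": date(2015, 6, 3),  "ip": "203.0.113.10"},
    "cityhall.example":            {"risk_score": 3,  "create_date": date(2009, 4, 1),  "ip": "198.51.100.5"},
    "newshop-2024.example":        {"risk_score": 41, "create_date": date(2023, 12, 1),  "ip": "198.51.100.77"},
}

# Playbook thresholds (assumed values for this example).
BLOCK_THRESHOLD = 90        # risk score at or above which a domain is blocked
INVESTIGATE_THRESHOLD = 70  # at or above this, open an IoC investigation
NEW_DOMAIN_DAYS = 30        # newly-created domains get an investigation regardless of score


def enrich(domain):
    """Visibility step: look up risk score and infrastructure for a domain."""
    return ENRICHMENT.get(domain)


def connected_domains(domain):
    """Other known domains hosted on the same IP address as `domain`."""
    info = enrich(domain)
    if info is None:
        return []
    return [d for d, i in ENRICHMENT.items() if d != domain and i["ip"] == info["ip"]]


def decide(info, today):
    """Map enrichment data to a playbook action."""
    if info is None:
        return "investigate"  # no visibility on the domain: let an analyst look
    if info["risk_score"] >= BLOCK_THRESHOLD:
        return "block"
    age_days = (today - info["create_date"]).days
    if info["risk_score"] >= INVESTIGATE_THRESHOLD or age_days < NEW_DOMAIN_DAYS:
        return "investigate"
    return "allow"


def run_playbook(event, today):
    """Orchestration step: decide on every domain in the event, then pivot on infrastructure."""
    actions = {}
    # Pass 1: direct decisions for the domains observed in the event.
    for domain in event["domains"]:
        actions[domain] = decide(enrich(domain), today)
    # Pass 2: for each blocked domain, pivot to connected infrastructure.
    for domain in [d for d, a in actions.items() if a == "block"]:
        for peer in connected_domains(domain):
            if peer in actions:
                continue  # an observed domain keeps its own direct decision
            peer_info = enrich(peer)
            actions[peer] = "block" if peer_info["risk_score"] >= BLOCK_THRESHOLD else "investigate"
    return actions


if __name__ == "__main__":
    # Constructed Splunk-style event carrying three observed domains.
    event = {"domains": ["login-verify-8821.example", "cityhall.example", "newshop-2024.example"]}
    for domain, action in run_playbook(event, date(2023, 12, 15)).items():
        print(f"{action:12s} {domain}")
```

The two passes keep the audit trail readable: every action on an observed domain comes from its own enrichment, and every action on a pivoted domain is traceable to the blocked domain it shares infrastructure with. The unknown-domain branch in `decide` is the edge case to keep: a lookup miss means no visibility, which is a reason to investigate rather than to allow by default.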
DomainTools and Zero Trust
In addition to our SOAR Integrations, DomainTools offers a variety of tools and data that help security teams:
- Identify and/or block connections to newly-created domains
- Build context around adversary-controlled infrastructure
- Identify clusters of malicious activity based on infrastructure patterns
- Monitor emerging attack campaigns as the adversary develops them
Read our Zero Trust whitepaper to learn more about how DomainTools fits into your Zero Trust initiative.