Behavioral AI: An Unbounded Approach to Enterprise Security

A CISO wakes up to headlines with the company’s name in them.

Not the good kind of headlines. The kind of headlines that, say, talk about a company’s data winding up on Pastebin: a nightmare that’s happened to scads of entities. Singapore was one: 1.5 million citizens’ health records—including those of Prime Minister Lee Hsien Loong—were stolen by hackers in 2018.

…or then again, maybe the company’s systems didn’t actually come under attack by hackers or a nation state threat group. Maybe the headlines are about an employee who’s a jerk: what’s known in PR speak as “an ill-intentioned employee who acted illegally and betrayed the trust of their employer.” Say, the IT admin contractor from Hell who seized his client’s domain, demanded a $10,000 ransom and then redirected the site to teen[sexual orientation][bodypart].com when the company refused to pay.

There are myriad permutations of storylines that all lead to this kind of cybersecurity misery, when a company’s name gets into (bad) headlines that often lead to, or follow, a call from the FBI. The who’s, what’s and how’s are good fodder for journalists and for district attorneys, but what’s of far greater import to the company’s security operations center (SOC) are the storylines about how the attacks happened, who to blame and how to fix it if the problem hasn’t already been mitigated. Those are the stories that, too often, don’t get told because they’re difficult to pull out of a flood of data that includes system activity both suspicious and banal: the kind of data that turn out to be harmless system anomalies that nonetheless lead teams on wild goose chases.

Those complicated storylines often start at the endpoints in a company’s system. Endpoints are where an employee might have plugged in a USB device he found in the parking lot, curious to know what’s on it. Or maybe an employee opened a malicious PDF attachment she got in an email.

It makes sense to look to endpoints, where so many attacks happen, to gain visibility. According to a 2018 survey by the SANS Institute, 42% of respondents reported at least one endpoint exploitation that led to exposure, exfiltration, or business disruption. What’s more, encryption doesn’t get in the way at endpoints. Endpoints are where network and process activity are available, and where you can even do external device monitoring. Like, say, who was it that plugged in that USB? … and when, and where?

Too Many Data Points, Not Enough Answers

It’s not as if we don’t already have endpoint monitoring that will give us answers, though. We’ve got a lot more visibility into attacks than we had in the years with EPPs (Endpoint Protection Platforms): products that relied on virus signatures but were utterly blind to memory-based malware, lateral movement, fileless malware or zero day attacks.

But here’s the problem: EPP may protect endpoints, but it doesn’t give organizations visibility into the threats. First-generation EDR (Endpoint Detection and Response) tools were a byproduct of the need for the visibility that EPPs simply didn’t offer. This generation of EDR – let’s call it Passive EDR  – on the other hand, provides us with data but no context. We have the pieces of the puzzle, but no overall picture to pull them all together.

If you were to look at an example of built-in, passive endpoint monitoring, you might see that Windows Event Logs picked up on that USB compromise having led to a PowerShell launch from a virtual keyboard, that the attack may have used advanced techniques such as clearing logs, that it installed a backdoor to attain persistence, that it went on to steal credentials and use them to successfully login, that oops, at one point it failed to login, that it escalated privileges, that it cleared logs, that it successfully added a new local user and then admitted that user to an Admin group, and on and on and on. Good luck trying to figure it out.

It might have looked great in the demo, but what about everyday use? Who can make sense of it all? A small set of seasoned, skilled security analysts, perhaps. Unfortunately, there are too few of them to go around. Plus, bless their hearts, they need to do things like sleep. That means that when an attack hits in the midnight hours, those attackers are going to enjoy that much more dwell time before analysts get to work and untangle all the what’s, where’s, who’s and how’s.

What runs through a CISO’s mind isn’t a hunger for each and every scrap of disconnected data from an attack. Rather, it’s more like a game of Clue: Was it Colonel Mustard in the drawing room, a contractor with a  USB drive, a state-sponsored threat group? Has the threat been mitigated yet, and if so, how long was it active? Which of the SOC’s all-too-few analysts are analyzing that tsunami of data flooding in from their passive EDR?

What is Behavioral AI, and How Can It Help?

What happens after an attack? The story can go two ways, and most likely you’re familiar with the first, seriously problematic way: namely, security analysts have to sift through all of the alerts and anomalies produced by passive EDR. Those investigations take time and skill: a rare commodity, given how hard it is to find, train and retain personnel who have the expertise to operate the security platforms and the know-how to separate the wheat from the chaff, the real exploits from the random bugs.

There is another way the story can go, and, fittingly enough, it involves storylines: the contextualization of all the disparate data points into a succinct narrative. SentinelOne calls it ActiveEDR, a behavioral AI model that not only frees an organization from relying solely on difficult-to-source analyst skills, but which also does so around the clock, constantly recording and putting context around everything that happens on every device that touches the network.

SentinelOne’s behavioral AI engine creates what SentinelOne calls Storylines: a set of footprints that enable an organization to trace incidents back to find out who’s to blame for an indicator of compromise (IOC). It’s EDR, but it’s not the passive EDR you might already know about. Old-school EDR is about searching for an isolated activity and then trying to correlate it to another, and then another, and another, in a long-drawn-out, skills-intensive, after-the-fact attempt to understand the full picture.

SentinelOne’s ActiveEDR technology makes the machine do the work instead of the analyst, by tracking and contextualizing everything on a device and identifying malicious acts in real-time, automating the required responses. If and when the analyst does want to get involved, ActiveEDR enables easy threat hunting by allowing full searches from a single IOC.

Unlike other EDR solutions, ActiveEDR doesn’t rely on cloud connectivity to make a detection, effectively reducing the threat’s dwell time to run time. The AI agent on each device doesn’t need cloud connectivity to make a decision. It constantly draws stories of what’s happening on the endpoint, and if it detects malicious behavior, it can mitigate not only malicious files and processes; it can shut down – and even automatically reverse – the entire Storyline.

Why Is ActiveEDR Better At Stopping File And Fileless Attacks?

Modern adversaries have figured out a way to cut out their former reliance on files and instead leave no footprint, using in-memory, fileless malware to evade all but the most sophisticated security solutions. But because ActiveEDR tracks it all, it gives you a way to detect attackers who may already have credentials in your environment and who may be doing things like living off the land (LotL): a term that describes fileless, malware-less attacks that use a system’s own, perfectly legitimate, native tools to do their dirty work, thereby blending into the network and hiding among the legitimate processes to pull off a stealthy exploit.

Behavioral AI – A Real-World Scenario

Here’s a real-world scenario of how it works: the FBI calls to let you know your credentials are on Pastebin. You want to know how they got there, so you search the Deep Visibility Threat Hunting module. Deep Visibility is an output of SentinelOne’s Storylines that delivers rapid threat hunting by enabling users to search for references—in this example, references to Pastebin.

With Storyline, each autonomous endpoint AI agent builds a model of its endpoint infrastructure and real-time running behavior and assigns it a Storyline ID: an ID given to a group of related events. By searching on “Pastebin,” you’ll find a Storyline ID that can quickly lead you to all related processes, files, threads, events and other data that match that single query. Deep Visibility returns full, contextualized data that lets you swiftly understand the root cause behind a threat, including all of its context, relationships and activities.

Each device agent can clean up from an attack, either automatically or manually, can roll back the system, can disconnect it from the network, or can do a remote shell into the system. It can be done automatically, as in, one-click simple. It takes place in seconds, isn’t cloud reliant, and doesn’t require data to be uploaded so that humans can pore over it. There’s no need for cloud analytics, because it’s all done on the agent.

Automating as much as possible solves multiple problems: first, by recognizing bad behavior, it easily convicts file-based attacks without the need to use signatures. As well, it can prevent and predict fileless attacks.

SentinenlOne’s endpoint protection works at the pre-execution stage to stop an attack before it runs, be it in the form of a rigged PDF, a Word doc or what have you. The first step is to analyze it, to figure out if it’s odd in some way. If it is, it will be quarantined. Next, if the code passes the first test and begins to run, that’s where ActiveEDR, the autonomous, automated threat hunting mechanism that includes detection and response in the agent, looks for odd anomalous behaviors. For example, it looks for things like somebody opening Word, which spawned a PowerShell and reached out to the internet to fetch something. In most cases, that’s not good, normal behavior. ActiveEDR will view the behavior as it’s running, and it will track everything that’s happening in the operating system as a set of stories, from inception to termination, be it 1 second long, a month or more. The technology constantly weighs the behavior to see if it’s “gone evil” in some way.

The Human Touch, with Behavioral AI Assistance

That’s good, but it’s not enough, because nobody will ever catch everything. That’s where the threat hunting capabilities of ActiveEDR—the feature that makes SentinelOne a superior approach for file and fileless attacks—come in.

Let’s say that you found one device that talked to Pastebin multiple times. Clicking on the Storyline ID in the SentinelOne console will lead you to the full attack story, with all the relevant context, drawing a high-level diagram of the origin of the attack and a process tree timeline showing the processes it spawned: a Microsoft Word document was opened, it spawned a Windows PowerShell, and that shell went on to spawn seven other processes. Storyline even includes full command-line arguments, which is what researchers need to fully understand the attack. It provides the full context of the attack, with context, all of it having been produced not with a full incidence response team but, rather, with a single query.

SentinelOne ActiveEDR Demo
Theat Hunting Redefined.

Clearly, having an AI assistant on hand—in fact, an AI agent resident on every device that touches the network—saves a lot of time. It relieves an organization of having to rely solely on people to analyze things that sometimes amount to nothing at all.

Go Back To Sleep: We Got You

Isn’t it time to stop scrambling? Now, you can.

Behavioral AI can be set to mitigate automatically—a seriously powerful gamechanger. The technology is capable of making a decision on the device, without relying on the cloud, or on humans, to tell it what to do. If ActiveEDR is set to Detect, you’ll get contextualized warnings. But switch it to Protect, and that boobytrapped Word document will simply be blocked. No human intervention needed. When a user tries to open the Word file, the threat is detected, blocked, and swiftly deleted. With ActiveEDR set to Protect, the attack Storyline will show that the attack didn’t get far: it was blocked before it managed to communicate externally.

Given that Behavioral AI agents are baked into every endpoint device, bad behavior can be stopped—immediately. Later, if you decide that something shouldn’t be blocked after all, it’s simple to initiate a roll-back. And, unlike humans, SentinelOne’s Behavioral AI – ActiveEDR – doesn’t need sleep, and it doesn’t clock out at 5:00.

The reality of automatic mitigation with Behavioral AI: no data exfiltration, no headlines, and no call from the FBI.

If you’d like to learn more about SentinelOne’s Behavioral AI and how it can help protect your organization, contact us or request a free demo.