Xdtm Mark Made Easy

Xdtm mark

and before we get into the actual artificial intelligence and machine learning let me explain what are the problems that the industry is facing today so as you know for the past six months all our lives have been changed in in a very dramatic way as of now remote work is becoming more and more common what we are observing in our cloud is compared to six months ago the number of people using uh all services remote is very high right now it's around 64 it used to be around 20 of the traffic that we see we're originating from remote workers but now it's more like 64 and it's probably going to stay that way for a long time now what that does is it increases the risk associated with data of corporations and what we also found that it departments in order to be effective during this period of pandemic they're embracing cloud applications more and more applications are being used in the cloud like sas applications es applications pass applications and what that leads to is also increases the risk and let's take a quick look at some of those risks so when you start using the cloud what happens is uh cloud is another way in which malware can be delivered to endpoints right and what we are finding is many organizations have adopted office 365 or they have adopted google suite right now all of these applications as you know is also available to consumers like you and me we can have our own accounts uh where we can store data now when you have legacy security solutions like you know a secure web gateway and you allow office 365 it does not differentiate between like is this the company's instance of office 365 or a personal instance so what we're finding is more and more of the bad actors the hackers and uh the organized crime what they're using they're using cloud applications to deliver malware so the top five applications from where we are seeing malware coming is onedrive sharepoint both of these are from office 365 box google drive and s3 amazon s3 so as you know amazon azure and gcp are the most common public cloud platforms and hackers are abusing those platforms to deliver malware the next thing so that is threats coming from the outside now what about insiders uh there are many ways in which insiders have tried to take data out and currently what we are observing is instead of using usb drives many companies try to block usb drives or encrypt usb drives and so on but instead of using those usb drives or printing what uh what we're finding insiders do is they're again using the cloud they're uploading files to onedrive or to google drive so the top five applications that we dc where personal instances that is not the company's instance but somebody's personal instance being used is one drive google drive gmail box and dropbox so what what this means is as we go remote and as we start embracing cloud applications uh we have to be aware that these are the ways in which threats can come in and these are the ways also in which data can be exfiltrated out so overall if you look at the cyber terrain map right uh probably if you go back and look at what you're doing you're probably covering web very well using secure web gateway you have email like email security solutions that look for phishing spam and so on and also on the network side you probably have a firewall next-gen firewall and on endpoints you have some form of anti-virus or you're using edr you have vendors like crowdstrike carbon black sentinel one and so on right but what you have to start looking at is this new vector called the cloud and when you look at cloud uh you also have to be aware that as it department you may know about some managed applications but what we are finding is there's a lot of unmanaged applications this is called shadow i.t right many organizations individual groups like finance group hr group or marketing group they go and acquire cloud applications without the security knowing about it so those are unmanaged apps of course you have custom apps these are apps that you are running in your own data centers or in the public cloud right so all of this becomes important to consider when you're looking at the overall picture of your cyber security terrain and a few things to note from based on our experience right the average number of apps for a small organization is around 500 and it keeps going up for a larger extra large organization the number of cloud applications that we are finding so these are sas applications es applications and pass applications is in the thousands right and all these applications are not created equal some of them are more risky like for example if you upload data to some cloud storage applications the terms and conditions say that they own the data so you've got to be very careful where your users are putting the data because in some cases the data may escape from your control similarly as i said earlier we are also seeing more and more cloud enabled threats phishing is coming through the cloud so people are using onedrive links google drive links box links uh to deliver phishing uh messages right so when you look at the link it says box or it says onedrive but you should not trust it because it may not be your company's box instance it could be the hackers box instance or onedrive instance so delivering uh threats to cloud is becoming more and more common um and so what we are finding is 60 of the threats that we are detecting is on the cloud apps and not on web as i said many organizations have covered web very well but today the trend is that attacks are not coming through the web but they're more so coming on the cloud right and so and the reason they do that is most of the cloud domains are trusted domains like drive.google.com or office.portal.office.com or all those our portal.azure.com those are all like trusted domains but then those domains are the ones from which you're getting your phishing emails and people are uploading uh sensitive data so i want to frame that because it's a very very important aspect of how you modernize your security so overall based on the trends that we are observing what we need to do as security professionals in order to be more modern uh is we want to make sure that your security policies are risk-based and data centric right do not say that oh i have a secured gateway i have email protection that's not enough i think you need to look at the security from three places users apps and data right and so with users users can be working from anywhere so how do you protect them right you want to have direct internet access especially in these days when the majority of your workforce is working remote you do not want them to open vpn so that they can come back to on premises where you can run it through your secure web gateway your next gen firewall and so on what that does is it makes it very very inefficient the user experience of users using the cloud becomes very poor so what you want to do is you want direct internet access and when you do that you also want to apply granular controls which i'm going to talk about and consolidate and modernize your security and that is where the rest of the talk i'm going to talk about how you can modernize your security so overall when you look at your security program uh especially from a network security point of view where users can be working from anywhere they can be in offices they can be at home they can be in the park or in a coffee shop and they are accessing sas applications yes applications web or the internet or even your private applications in your data center you want them to efficiently deliver the security in the cloud so that's what we call the security cloud and the security services that you see in a good security cloud are casb cloud access security broker cloud dlp threat protection csvm which stands for posture management and then the next gen security gateway which is for access to all the um the internet right overall these are the services that you want to deliver in the cloud you do not want your users to no longer come to your data center to deliver these services now as you do these services you also want to integrate with identity right important aspects are like single sign-on more and more organizations as they adopt the cloud are also adopting single sign-on solutions like octa paying uh and so on right and or even azure ad similarly user behavior how do you integrate user behavior edr endpoint detection and response all of this gets integrated into the cloud and i will try to cover some of that in the rest of my talk but overall when you look at your network security and how you want to modernize it you want to move it to the cloud and provide a set of services in the future the services will grow even the firewall we predict will come to the cloud so overall there should be no reason for your users to open a vpn and go back to your premises except for maybe a few private applications that you still run in your data center so this is the new way in which we are observing the industry moving and more and more organizations adopting this blueprint for network security so in the context of that let's talk about how do you modernize your security controls right so when you look at a typical security solution you'll see many different techniques that are being used to address security so you will hear about pattern matching regular expression matching static analysis sandboxing fingerprinting and so on right so all of these are good but as you know right threats are constantly evolving threats are not stopping we still continue to see ransomware attacks we could still continue to see phishing attacks and and data breaches right and there's more and more desire uh to cover these because you have many many uh regulations like gdpr uh and so on which want to protect the privacy of citizens right so what we have found is ai and ml artificial intelligence and machine learning algorithms are very well suited to augment to add to these techniques that we already have so you would see these techniques in blue in many of the security solutions that you already have like a next-gen firewall or a or a secure web gateway or email security system or even an edr but where you want to take your security program when you look at products and evaluate products you want to see how much of artificial intelligence and machine learning they have incorporated to address security because as i said threats are evolving and you want to have a modern way of addressing those threats so with that what i'm going to do is i'm going to take different topics i'm going to talk about data protection first and then threat protection next and see how what are the problems in data protection and how artificial intelligence and machine learning can help protect us so when we talk about data protection the first thing that comes to mind is dlp right data loss prevention and uh if you look at anybody's dlp program today it will have a bunch of things that they address they uh dlp is very good in email uh removable media people have dlp running on endpoints to make sure that usb drives are protected people don't copy sensitive data printing web surfing make sure that people are not uploading sensitive data and then definitely on-prem file shares you know like nfs sips file share and so on all of those are very well protected but as you heard from my previous slides right the way in which data is moving today is much more the more common ways in which data is lost today is file sharing applications things like dropbox box onedrive google drive collaboration applications like slack facebook for workplace twitter and linkedin and so on right those are the applications through which and social media applications through which people are exfiltrating data right similarly corporate sas applications as i said there's a variety of sas applications that are not managed shadow i.t public cloud storage right and then of course your personal email and other things that were here still continue to be vectors through which data can be lost but what i want to emphasize here is the new set of vectors that you have to cover and most of these vectors are sitting in the cloud right so as you look at your data loss prevention i would highly recommend that you look at some of the more modern ways in which data is being exfiltrated out so just to give you an example of that right what we are finding is many cases where in organizations that users are exfiltrating data through different instances of applications so for example let's uh let's talk about google drive right and this applies to box or to onedrive as well if you look at the urls drive.google.com so your company may have your google drive your partners obviously if you're in business you're working with some other partners your partners have their own google drive that's also drive.google.com and of course you may have your own gmail.com address which is also drive.google.com so if you have a security solution that is allowing or denying based on url which is what a secure web gateway does you're going to allow all these three whereas in your particular security program you may want to allow your obviously you want to love your company you want to allow your partners uh access to google drive but if somebody tries to upload to their personal instance you want to block it right so you want to look at security solutions that can allow you to do that similarly if somebody is coming from their own device like bring your own device like personal devices and if google drive if they go to your company's google drive you want to allow them to view the content but not download it because if they download the content uh it you lose the you lose the data so overall uh this is just one example if as you start adopting cloud you will find that there are more and more cases where instance awareness becomes very important because many of the cloud applications have a personal instance and a corporate instance and you cannot determine whether somebody is going to their personal instance or to the corporate instance just by looking at the url and i gave the example of google drive here but this applies to onedrive to box to dropbox and so on so overall when you look at addressing these types of problems what is very important is granular visibility right so what do i mean by granular visibility when i say granular visibility you want to know who the user is and in many cases most organizations use active directory for um for storing their users so some way of identifying the user and what groups they belong to are they part of accounting department are they part of finance or hr and so on right then you also want to know what device they're coming from uh is this user coming from a managed device given by the corporation or from a personal device similarly what app are they going to are they going to a collaboration app are they going to a storage app or are they going to crm app like salesforce right and is that app managed or unmanaged what i mean by managed or unmanaged is managed apps are the ones that i t security knows about they have admin controls they can go and configure the application from a security point of view unmanaged apps are the apps that i t security does not know about this is shadow i.t and so they cannot go and control those applications then you also want to know the instance is the person is pat here going to the company instance are they going to her personal instance similarly as i said there are many many cloud applications uh so we at netscope have about 33 000 cloud application sas applications all these applications are not created equally some of them are more risky as i said earlier if you upload your data some applications say that they own the data right so obviously they're more risky so you want to factor risk we have something called cci which is cloud confidence index it's a risk rating from 0 to 100 100 meaning application is good so if you look at a google drive or a one drive their score will be in the 90 but if you look at something like v transfer uh it'll be like 10 or 15 because it's a very poor app so incorporating some risk rating into your securities very also is also very important then when users are going to the web you want to know what category of websites they're going to because inherently some categories are more risky right and so you want to block those if they're going to very risky categories and this becomes very very important right the activity what is the user trying to do and this is something that many security solutions do not have right what is the activity that the user is performing are they uploading a file are they downloading are they sharing are they on a slack channel posting some data that becomes very important because what action you take or policy reinforce depends on what activity somebody is doing right so that is very important and then finally you also want to do threat you want to make sure that malware is not coming in because users are using cloud applications or going to the internet you do not want to have malware or ransomware come so being able to identify threats is important and then of course what we are going to talk about which is data protection content how do you know that the data is sensitive is this sensitive data or is this some benign data right so being able to classify the content is also important and once you do that you also want to take policy action and policy action is not a lower block but you also want the capability to coach your users right so uh for example if somebody is trying to upload a file to dropbox and dropbox is not a sanctioned application you can coach the user right so this is the concept of continuous education or training where you're continuously telling the user you're performing an activity that is not permissive please do use some other application so that type of coaching is becoming more and more common rather than send users to training on they should not be clicking on suspicious links if you detect them doing something suspicious or something that is out of policy right when they perform that activity you coach them and tell them the activity that you're doing is not uh allowed by policy so try doing something else right try some other some other application so that is very important so let me give you some examples of this right so in this case if pat in the user is on a desktop uh which is uh in the office and using personal ms teams right she's going to her personal uh microsoft teams and uploading a file you want to do a dlp check uh if you're in the financial services you want to make sure it's not pci or pii data right you want to make sure that any company data is not being uploaded but if pat is uploading the the football schedule for our kids that is okay uh because in these days people do work and home together at the same time so it's perfectly all right to upload the football schedule for her kids but if she's uploading pci data then you want to block it right similarly if pat was going to the company's steams instance then you can allow her to upload any file pci file because it's a company's team's instance right and but you may want to check if there's malware right because what if pat is a disgruntled employee and she's just trying to upload malware and then somebody else downloads and gets infected so that is something that you can do using a a a very granular policy enforcement that i have shown here similarly if pat was using her mobile phone and going to the company's schemes instance you want to make sure that she does not download files because if she downloads files uh that data will go away right so when peop when users are using their own devices give them a read only or view-only mode and do not allow them to uh to download content similarly if if pad is browsing from her desktop browsing a gambling site we know gambling sites are highly risky in terms of malware delivery so you want to block it and then coach pat with a message that says that on the work machine you're not allowed to go to risky websites because you can get infected right so this is just a few examples but this can be done for all types of application slack outlook onedrive sharepoint and so on right so overall when you start looking at security policy enforcement the days where you are setting policies based on application allow application block application is gone where people who are taking their security policies is more fine grain control like what i'm showing here where they can get better control of what the users are doing and reduce the risk so here security becomes an enabler we are allowing you are allowing your users to use the web to use cloud but then use it responsibly such that your corporate's data is not put at risk so that is very very important aspect of security policy enforcement that you should consider now moving along when you look at data protection right overall as i said many people when you talk about data protection think about dlp right but actually you want to look at it one level higher than dlp we call it this 360 degrees data protection so what we mean by here is there are many policies that you can put without even looking at the content for example like i said before if if somebody's going to a very risky application right cloud storage application you don't need to look at whether they're uploading pci data or a football schedule you can just block it because it's not safe right or if somebody is trying to download data to their mobile phone you can just block it because you don't want to do that you don't want to allow any data from your application to be downloaded uh to their mobile device so for all of this you're not doing dlp right so first use policies that do not have to look at the content now once you've set all those policies the next step when you come to the lower right here is where you want to open files if somebody is uploading a file you want to open the file for example the example i gave before if pat is uploading a file to her personal ms teams and you want to make sure it's not pci data you want to open the file and look for sensitive data and you can do that in many ways right these days more and more organizations are using data classification systems like many of you may have adopted office 365 aip azure information protection so aip allows you to label documents so what you can do is you can look at labels and then enforce policies now if the file does not have labels then you can start looking at the content of the file and see is this pci data is this health data and and classify the data and that is where that is a tough problem and that is where artificial intelligence and machine learning can help so let's look at that so if you have data dlp system today i'm sure you're very familiar with rules based regex keyword fingerprint matching and so on exact data matching i'm sure and even some of the uh modern dlp systems have optical character recognition so all of this is kind of common but where you want to look from a data classification point of view is how can i use machine learning to uh to help with data classification how can i use natural language processing these are the more modern ways in which you can protect your data so let's look at how that can be done so before i get that i just want to share with you a statistics that we gathered in our cloud in the netscope cloud right when overall on a per day we are scanning over 100 million pieces of content this is this could be files this could be slack course ms team post and so on right and i did an analysis of what are the types of files that users are sharing right and the interesting thing is a vast majority of it 34 is plain text right so this could be like slack post or twitter post and things like that um 26 is images right i want you to fix on that like 26 percent are images so these are jpeg files this could be like gif files png files right these are pictures that are being uploaded right similarly other things which are common are you know word documents spreadsheets and so on but overall if you look at it right the majority of the content over 90 of the content are either images or some form of text content so this could be plain text it could be word documents excel spreadsheets and so on so i want you to to remember this because what i'm going to share with you is dependent on this so now let's look at images right what can dlp systems do for images right images are very difficult right the only thing that i know that dlp systems allow you to do is ocr which stands for optical character recognition so with the optical character recognition what you can do is you can take a picture and then you can try to extract the text out of the picture is there any text content and you can do that right and many times ocr is not deterministic it fails right because many of the pictures have background images that kind of blur the text content the only place where ocr is effective is when you scan pages if you have a printed page and use a scanner then ocr is good but anytime you take a picture so let's take some examples passports right in many places uh p people scan your passport as a form of identity check right so when you look at the passport right it's very difficult to uh to look at the content of the passport because there's a lot of images in the back and so what we have done here at netscope is used artificial intelligence and machine learning to identify passport images from 55 countries drivers licenses national id cards and also pictures of credit cards right so here what we'll be able to do is when we look at a picture we can say it's a picture of a passport we will not be able to say if it's edgar's passport or daniel's passport but we will tell you that it's a picture of a passport and by knowing it's a picture of a passport and if the user is uploading it to their personal uh uh instance of ms teams or they are uploading it to a risky cloud application you can take an action to block now the way we do that is um when you look at machine learning uh there are two common ways in which ai and machine learning is applied one is called supervised machine learning and another one is unsupervised machine learning this is an example of supervised machine learning with supervised machine learning we pre-train so we train the model so we build a model using convolutional neural network and we take a lot of data of passports let's say the example of passports take a like thousands of images of passports right feed it to the training machine and then it builds out the model that model says that when you give it a picture it'll tell you is this a passport is this a driver's license and so on so this is called supervised machine learning and what we have done is we have built models for passports drivers licenses national id cards credit cards and so on right and so this is a very very good example of how you can use machine learning uh to solve a data classification problem which today if you use ocr you're probably going to miss majority of images sensitive images that are being uploaded to uh to locations where they should not be going so that is ids now another common thing that people do these days is to take pictures of screenshots like i'm sitting on a machine it's very easy for me to take a screenshot right on a mac machine or on a windows machine and if you're using a company's laptop or a desktop and you take a screenshot the probability that that screen has sensitive data is very high so what we have done again just like the passports and drivers licenses we have trained a convolutional neural network to identify screenshots we will not be able to tell you what is inside the screenshot but we will be able to tell you that this jpeg image that is going to a personal gmail is a screenshot so if somebody is logged into their personal gmail from their work laptop or desktop and they are uploading a screenshot you can put a policy which says that any screenshots from a from a company device cannot be uploaded to personal email right so again it helps you cover your risk because otherwise all these images and going back to that data that i shared with you 26 of files that are uploaded are images jpegs pmgs gif files so having some extra mechanisms or methods uh to detect sensitive data uh helps you in reducing your risk so i've talked about like images so let's move to uh documents right so many of the organizations many businesses right have sensitive documents uh this could be like nba documents um some intellectual property or it could be some business agreements uh purchase orders and so on right today the best way to uh to detect the sensitive documents is to create keywords or to create regular expressions right and when you do that you get a lot of false positives right and this is very common one of the reasons why dlp failed so dlp has been around since 2007 2008 right but if you ask anybody i'm sure if i ask you if i were there in front of you and asked to lift your hands i'm sure i'll see many hands which say that hey i tried dlp and i see a lot of false positives and this is where again ai and ml can help so document classification using what is called nlp natural language processing is another set of algorithms that is part of the aiml suite of algorithms can be applied to documents uh to detect so automatically you can detect sensitive documents so you don't have to create regular expressions you don't have to create keywords automatically by having a model you can detect like in our case in our cloud we can detect resumes patent documents mergers and acquisition documents tax documents source code for example we can detect using this technique so again we are using the machine to automatically identify these documents and not have humans create keywords and regular expressions so another great example of how artificial intelligence and machine learning can help you now you may have the question okay i give you examples of like id cards and some general documents that i have access to that vs netskope have access to but what about your own data in your own business you may have very sensitive documents so this is where the concept of train your own classifier comes in right so what you can do is if you have your own set of data that you want to train a machine machine model we provide a docker container where we can process that data and then what what happens when you process the data is we extract some numbers out of them right and you can be assured that these numbers we call them features machine learning features are irreversible meaning that with these i cannot go back to the images it's a one-way transformation you cannot go back so you can be assured that your data is not leaking but what we're doing is building a model and then we take that model to the cloud so that subsequently if your users are uploading any data that resembles this sensitive data we can detect it and take policy action so this is how we extend we bring machine learning to you so we build models in our cloud for our own for for the data that we have access to like passports drivers licenses and so on but for data that we don't have access to which is very business critical for you we have this concept of train your own classifier where you can build your own classifier and so extend machine learning for your data so it's a very very uh interesting concept and we're seeing a lot of interest in this right so this is all on data classification and data protection so let's uh talk a little bit about insider threats one of the other ways in which data gets exfiltrated is because of insiders this is not hackers coming from outside but this is more your own insiders right so as an insider people are accessing and sending data to sanctioned applications like onedrive sharepoint google drive they may be going to unsanctioned applications like box dropbox and so on to private applications in your own data center or in um in the public cloud like aws azure or your users are also going to the internet right like going to various websites right now as they send data to all these different clouds one of the things that uh the best way to identify insider threads is to look at what kind of transactions are being performed and then correlating them for user behavior how much ever you set policies for dlp right you use machine learning and all that sometimes very easy for users to evade that right and so the next best way in which you can detect users abusing your data is by doing what i call user behavioral analytics so this is where you want to profile your users you want to see how users are behaving and machine learning is very good for that so as users are using these clouds you gather data and then you can apply machine learning models right human beings are very predictable and this is very commonly used even in in the financial industry for uh um for detecting fraud right uh so users generally when they use applications they use it in a particular way so if you start building machine learning models so this is where this is unsupervised machine learning the example i gave you before is supervised machine learning where you provide data and build train a model but here you're letting the machine automatically learn about users okay this user edgar goes to onedrive he usually does few uploads uh he does a few downloads and so on right you let the machine learn how edgar behaves so all of a sudden if you detect edgar performing an activity that is not normal then you know that that is an anomalous activity and you can take action now you can do machine you can do insider threads using machine learning and rule based but more and more uh um strong cases for insider threats are detected using machine learning because this is where you let the machine automatically learn about the user uh you can also do peer group learning so for example you can see for accounting group or for hr group how are they what kind of applications you're using and what kind of data they're uploading so that if you see something that is different then you can raise an alert and take action so examples of insider threats are things like data exfiltration uh bulk upload right so somebody or bulk download like somebody leaving an organization uh can download all sensitive data and then upload it elsewhere right or somebody who's not happy with the employer can go and delete a lot of files which will hurt the business right all of this can be done using unsupervised machine learning where the machine is automatically learning the behavior similarly proximity with cloud applications is very compromised credentials become very common right people lose their passwords and then hackers are coming in so you may see normally you see users coming from colombia but all of a sudden if you see users coming from the us or from uh from europe or asia you know that that is anomalous right and you may want to take some action so this is where the machine automatically learns using unsupervised machine learning techniques and then detects anomalous behavior now by doing so one example is this is something that happened in one of our customers a contractor when he was finished with this contract he downloaded all the he was a software contractor he downloaded all the code he worked on from github and then uploaded to dropbox now here what happens is we are observing both these activities these activities happened at different times he downloaded like a few hours before he uploaded right but we are able to correlate the two and say that this is anomalous behavior for this much data to be downloaded from github which is a sensitive application and uploaded same data being uploaded to dropbox so this is a data exfiltration and so you can take some action and by using machine learning and observing this behavior you can also start building a risk rating for users because in a large organization there's always going to be some users who are more risky compared to other users right so the concept of a user confidence index how confident are you about this user being behaving regularly right can be done using machine learning so obviously the higher the score the more confident the user is good but if the lower the score that means the user is risky and then you can start taking some actions around that so you can start putting policies which say that if a user is risky i want them to i want to step up the authentication if they're trying to upload a file i want to step up the authentication because i want to make sure it is who they are and they are it's not a compromise credential for example so this is examples again i give you some examples of insider threats and how you can address that using machine learning the last part of this presentation is on external threats right what about hackers what about malicious external parties who are coming for your data so early on in my presentation i talked about how cloud is becoming more and more the vector through which threats are uh being uh sent right so all the way if you look when you look at a typical um threat campaign there are many stages to the threat campaign there's a reconnaissance there's a weaponize there's a delivery exploit install call back and persist right these are all stages of a typical malware attack right and today what you're finding that each one of these stages that i show here is using the cloud as a way to expose their data right so for example uh you can use reconnaissance by uh by using cloud service apis right so if your cloud is uh misconfigured you can use that information to gain knowledge about an organization we are finding cloud phishing as i talked about very very common you get a phishing email and the link says it's hosted in one drive right so very common similarly you're also finding that um hackers are using facebook youtube twitter slack as applications through which they send data back right so for example if they are exfiltrating sensitive data from somebody's endpoint uh what they're doing is they're using a common cloud application uh to exfiltrate the data out so overall more and more of the malware kill chain uh is using the cloud uh as as a as a vehicle to perform their activities so along those lines what can artificial intelligence and machine learning do right first thing is when you look at malware right malware can come in many forms uh pe stands for portable executable so these are executable files right so many times what you will do is you will see phishing campaigns where you have an executable file that is uh as an attachment right normally the best way to detect these threats today is to do a virus scan which is not very effective but still quite effective it will not catch any zero day threats and so on the next best thing you can do is sandbox but as you know sandbox is not real time right with sandbox what you have to do is you have to detonate the file you have to observe the behavior and so it takes in the order of minutes to detect malware but what we can do with machine learning again supervised machine learning because we have millions of malware samples we can train the machine to automatically detect uh automatically detect malware right so what we are finding is by using machine learning we can get 99 accuracy of detecting malware and you can do it in real time as opposed to using uh sandboxing which is not real time right similarly a more common way of malware is ms office files right so people use excel spreadsheets or office documents or even pdf documents right and they have macros in them and the macros are once you click on the file and the macros execute they take advantage of some vulnerabilities for example if your endpoint is not patched they they take advantage of that and take over your system so again that is a good example of how artificial intelligence and machine learning again because we have millions of example samples of office malware we can train a machine learning model so that when a new office file comes we present it to the model and it gives a decision is this a malware not a malware or maybe suspicious right and we can take some action right so very very uh good use of artificial intelligence and machine learning for detecting malware now let's move to the right hand side here what is dga dga stands for domain generation algorithm so many malware uh sites right uh they automatically generate domain names right the domain names are not fixed so when you look at security solutions like secure web gateways they have a list of domains they will block basically it's a risky domain right but if these domains are automatically generated those lists cannot keep up because these happen like in the order of seconds right but automatically generated domain names are different from human generated domain names and again that is an example of how ai and ml can help detect given a domain name it can tell you if this domain was domain name was generated by human or if it was generated by a machine right and if you know that a domain name was generated by a machine uh you can take some action against that because you may not want to allow that right so again a very good use of of machine learning where the machine is able to detect is this a pattern that a human generates or a machine is generated similarly url grouping as well so again a common way in which uh if you look at urls you uh especially some of these malicious urls they're very long right and they will have a lot of characters that are not common right and um so how do you then keep up with threats where these urls are constantly changing these are like polymorphic attacks right you keep changing and that is again a good use case for machine learning where you can uh use machine learning to automatically detect is this uh url a malicious url or is this a benign url okay so at a very high level there are different techniques that can be used to detect external threats uh using machine learning and artificial intelligence and um a modern security solution uh would definitely address that right so what i've done so far and the last one that i will talk about is webcon categorization so again uh very common use case for security solutions is to categorize websites uh to figure out is this website uh a shopping website is somebody going to an educational website and so on right so many times what happens is there are new domains that come up and the website may not be categorized another good example of ai and ml is uh to use uh when the content comes back you run it through uh ml algorithm uh in this particular case the universal sentence encoder and that can detect what type is this a dating site is this a gambling site or is this site talking about weapons and violence and so on right and we have this covered for 16 languages most popular languages in the world and again you don't so a good example of how ai and ml can be used for dynamically delivering security otherwise the only way to get categorization is to have static list right you put a database that says this url is a dating site this url is a gambling site and so on whereas here you're automatically looking at the content that's coming back from the website and telling that what type of site it is right another very good use case for ai and ml so i hope i mean in in in the presentation i've given you different examples of artificial intelligence and machine learning being used for data protection and threat protection so i just want to summarize my talk here again going back to the challenges that we are all facing uh the future security architecture if you were to ask me consists of some important aspects right we talked about the secure access cloud where you are monitoring users going to web sas yes pass and data centers and applying policies but at the same time endpoint is again a very important aspect of of of your threat protection so you want to make sure that you have a modern endpoint solution identity is another important part more and more organizations are adopting single sign-on so that is another important component of your security program and finally having a security event management system that is able to take events out of all these different security solutions correlate them and give you some response actions is also important so overall when you look at a future security architecture these are the four big building blocks right that you should consider now all of these should not act in isolation so one of the things that we at netskope have done is also created a free tool called cloud threat exchange so with the cloud threat exchange what you can do is you can share threat information between these different uh solutions so we have given some examples of like uh edr vendors like crouch like carbon blacks internal one email vendors like mimecast and then cloud vendors like microsoft and then servicenow and then another common way in which threat information is being shared in the government and financial institutions is sticks and taxi so we have uh created a free tool netskope has created a free tool called cloud thread exchange that is available in docker hub if you go to docker hub and look for netscope you will find cloud thread exchange and you can use cloud threat exchange to exchange threat information between all these solutions and net scope right and if you have some other solution uh that can be plugged in as well it's an open architecture it's a free tool uh that is available uh to help with your um with your cloud uh with your threat protection right i just want to finally end the talk by telling that when you look at the security cloud another important aspect of the security cloud is also the points of presence uh you want to make sure that your users are as close to uh where the security is delivered for example uh we are the only security vendor in latin america we have four presents in latin america including bogota santiago buenos aires and sao paulo and so you can be assured that your traffic is is handled locally and also what's more important is not only that your security is handled locally but also the peering being able to directly connect you to all these important providers like microsoft amazon box in our own network is also important so overall when you look at cloud security it's very important not only on what controls are provided but also where they are deployed and how efficient they are right the closer the cloud security services to your users the better performance and user experience they get so overall that's another important aspect