This content is paid for by an advertiser and published by WP Creative Group. The Washington Post newsroom was not involved in the creation of this content. Learn more about WP Creative Group.
Content from Intel
EXECUTIVE Q&A

AI vs. Hackers

How artificial intelligence can help thwart cyberattacks and protect our critical data

Todd Cramer

Business Development Director, Intel CCG-Business Client Platforms

By WP Creative Group

March 28, 2024

AI, with its ability to automate complex tasks, solve difficult problems and create valuable content, is set to benefit humankind in numerous ways. This includes safeguarding our digital information. Washington Post Creative Group recently caught up with Todd Cramer, Business Development Director at Intel CCG-Business Client Platforms, to learn how Intel is enabling AI as a powerful new cybersecurity tool.

WPCG: Hi Todd. To start off, let’s talk about the threat landscape. Are cyberattacks becoming more frequent and sophisticated?

Todd Cramer: The threat adversaries are always getting better with their techniques, but so are the defenders in the software and hardware security ecosystem. For example, with ransomware, some of the traditional ways that attackers got in – you clicked on an email and it would drop a malware file to the disk of your computer – that’s easily scannable.

Now, these hackers understand how they’re being detected so they’ll do things to hide better across the computing stack itself. There’s something called fileless or malware-free attacks. What that’s doing is executing straight into memory where it can use that as a beachhead to set up persistence and move laterally across the host PC to achieve its ultimate objective … maybe ransomware or some other attack.

That’s also a technique that gives security vendors a lot of trouble because it takes a lot of compute horsepower to scan that memory and you can’t bog down the user’s compute experience to scan as much as needed. According to the latest CrowdStrike research, 75 percent of all threats now are fileless malware. And they’re constantly spawning new malware variants so they have more chances to get in. It takes time for antivirus and Endpoint Detection and Response (EDR) vendors to tune up new rules and methods to catch fast-evolving malware.

The other factor is that everybody’s remote. The most valuable data that they’re going to find is from the soft underbelly that is employees outside of the protections of the traditional firewall. Now you need new security approaches to protect those users, which is why generic endpoint protection technologies like antivirus are no longer enough — this has evolved to sophisticated EDRs or EDR software. This is the new security system of record for IT and SecOps to better protect these remote workers with new AI-powered behavioral detection methods.

What role can AI play in general across the security ecosystem?

AI security has unique properties that make it extra powerful. AI for security, for example, can autonomously classify malware, make sense of anomalies in code, categorize threats and execute attack simulations. And from the detection itself, you move into AI assistants. For the security analysts, instead of having to type in and create queries and look at what’s happening in the fleet or infrastructure, they can just talk to a digital security assistant that can then go to the subsystems and bring up a view. This adds new scale for analysts to triage and cover more. It helps with the alert fatigue present in previous generations. With assistants there is an ability to cover more of the right alerts across a greater spectrum of the XDR extended detection and response attack surface.

There’s something called a software supply-chain attack, where attackers get in the code as part of the early build process and mass update across unknowing clients. One of the hardest things for security vendors to figure out is, did that app process get infiltrated? Is there malware inside of the valid application code? So another thing that AI can do is scan through code for vulnerabilities in the code itself before it’s distributed, and once again at runtime, to more closely watch its behavior.

How is Intel evolving its PC architecture to enhance security via AI?

We have our XPU strategy. You have the CPU (Central Processing Unit), and you have a GPU (Graphics Processing Unit) on the chip. And now with Intel® Core Ultra™, you have an NPU (Neural Processing Unit). In this latest Intel® Core Ultra™, there are AI optimizations on all three of those. When you’re a security software vendor and you’re running these new AI workloads, what could you use? Sometimes you will infer and look for things, so you’re leveraging the speed of the CPU — but that may bog down the user experience. There are certain AI algorithms where the best thing that you could run that on is the GPU. For example, traditional machine learning random forest classifier algorithms.

And then the shiny new object is the NPU. I’d classify that as moving from typical machine learning to this new class of deep learning, where you may have longer running batch background security processes that can be run for the first time. These are the heavy horsepower AI algorithms that, prior to this release, only ran in the cloud. Now you can run that locally. You’re going to see ISVs (Independent Software Vendors) use all three, using our toolkits and optimizations to run the right AI workload on the right processor.

How are the Intel vPro® business computing environment and the Intel® Core Ultra™ processor family optimized to use AI for security?

It’s that XPU story. There are optimizations for AI, whether it’s on the pro class machine or if it’s a regular Intel® Core Ultra™ that SMBs might use or a consumer might use. All these AI security features apply to all of them. So we just work with the developers: what kind of AI are you running? And they might say they’re running a random forest classifier. We say, here’s the API to run it on the GPU. Or they say they’re running a deep learning use case. Great, we’ve got an NPU for that.

What is Intel Threat Detection Technology (TDT), and how is it helping?

It’s a software development kit (SDK), and it’s for antivirus or EDR vendors. It provides AI-assisted monitoring and GPU acceleration to discover advanced attacks that bypass traditional detection methods. Intel determined that AI can fingerprint malware like ransomware and cryptojacking attacks based on our rich, dense CPU telemetry. The malware can obfuscate itself across the OS layer where EDRs are searching them out but it cannot hide from its final execution on the CPU microarchitecture. So EDRs integrate the capability to get this detection assist when they run on Intel CPUs. The ISVs’ same software on competing platforms does not have this detection assist so it’s quite meaningful from a security perspective and in demand as part of our corporate-focused Intel vPro® platform PCs.

Do you have data to show how this silicon-based AI approach is positively impacting security?

We went to SC Labs, who run head-to-head security ISV tests, and said, “What if we give you an Intel machine and you pick the EDR you want that’s optimized for Intel? You set up the ransomware tests. You pick the ransomware strains.” And that’s what they did. They chose the top 10 strains and common obfuscation techniques that they see most frequently. They took Intel machines and ran hundreds of tests. They found for ransomware that just the silicon sensor detected 93 percent of those top 10 ransomware strains on its own. Now Intel TDT does not run on its own, as it gets implemented in the EDR software and provides overlap and net new detection coverage.

How does the emergence of AI endpoint security impact things in the near term?

85 percent of the data used to catch a threat is found on the endpoint of a PC. So what’s happening on the endpoint is very valuable. If you detect a threat on my laptop, you could go put a proactive policy across the fleet to say that if we see this thing happen again on another user, shut it down. So the endpoint security data is hugely valuable as a forensic item.

The problem is that it’s impractical with the Internet to take every bit of data that comes off that machine and send it to the cloud so that the deep learning can look at it. Now you can have the AI run where the data is. I think the most interesting, innovative thing that’s going to happen is you don’t have to round trip everything to the cloud, wait for a human to write a detection rule, wait for a response. Put the AI there, let it find stuff independently. Let it shut it down right there on the client in real time.

How does all this help everyday people live their lives without fear of waking up with their bank accounts gone or their personal information stolen?

There are multiple levels at which you’re going to see AI-based software security, just like we go buy our individual or family versions of antivirus. It’s not as full-featured as an EDR, but there’s a lot of the same goodness in there. Intel TDT is on 500 million global PCs today. So from a consumer to small business to enterprise, there are advances that just help in general across all the security software versions we buy today, consumer and enterprise.

It’s still early days for AI. Where do you see things headed three to five years out?

What if AI is able in real-time to connect into multiple machines and code and do changes at scale across your fleet, to your firewall, all from just talking to it and having the ability to put changes that are needed for cyber-protections in place faster and at greater scale across multiple systems? That’s incredibly powerful AI for good. I think that’s where we’re going. We have things that are targeted improvements that help today, but there are going to be very connected AI workflows across systems that nothing other than AI could have done.


Notices & Disclaimers

Intel technologies may require enabled hardware, software or service activation.

No product or component can be absolutely secure.

Your costs and results may vary.

© Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.