AI and enough data will let security and network operators use natural language to poll devices and establish automated remediation routines.
You can’t secure an enterprise network without securing the endpoints connected to it. The average federal agency operates thousands of endpoints, so managing and securing them is no trivial task. Endpoint management also presents an obvious and high-payoff opportunity to apply automation backed by artificial intelligence.
In fact, both commercial and governmental executives “are asking questions of their organizations, saying, how do you plan on implementing automation, and how do you make that a robust process and minimize risk,” said Harman Kaur, the vice president of AI at Tanium. “More and more organizations are thinking about how they automate endpoint management.”
Kaur said automated endpoint management serves two requirements: cybersecurity and compliance. In both cases it reduces the manual workload for agencies with large numbers of devices to manage.
“Compliance is always evolving,” Kaur said. “New rules and regulations are coming your way all the time. So how do you actually stay in compliance? [That] is the biggest battle for an organization.”
Automating compliance, especially for cybersecurity, requires correlating multiple sources of data, “being able to have access to all the data that you need when you’re actually trying to figure out if a threat is real,” Kaur said. An alert might light up, “but how do you validate that? You may need to collect information from many different sources in your organization to understand that.”
Complete, aggregated data, she added, lets the IT group know the scope of a threat in terms of how many endpoints lack the required protections or patches.
“Is it just limited to these four machines, and I just need to address these four machines,” Kaur said, “or is this something that’s across my entire organization, and I need to respond, and then I need to make a fundamental policy change.”
Given that you can’t manage threats you can’t see, visibility into the entirety of the organization’s endpoints is a must.
“Historically,” Kaur said, “endpoints that were not connected to your core network were just not managed. It was like a blind spot for organizations.” The latest versions of tools such as Tanium, she said, give agencies a way to manage devices even when users have connected them to home or public Wi-Fi access points.
“You actually have a way of enforcing some policies on these endpoints,” she added. “You have a way of understanding what’s happening on these endpoints.”
Visibility and vulnerability discovery should lead to remediation.
“And sometimes the hardest part is doing the remediation, and doing it in a time frame that makes sense to respond to that threat,” Kaur said. Automation must extend to pushing patches, or whatever remediation the flaw calls for, to the entire population of endpoints, coupled with a reporting function to verify the remediation.
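The scope-then-remediate-then-verify loop described above, as an added example that is not code from Federal News Network or Tanium: a tool-agnostic Python sketch that reads a constructed endpoint inventory, classifies how widespread a missing patch is (the “four machines or the whole organization” question), pushes a fix through an assumed `apply_fix` callback standing in for the management tool’s deployment action, and then re-collects to report what is still unresolved. The hostnames, the placeholder patch identifiers `P-100`/`P-101`/`L-7`, the 24-hour staleness window and the 50 percent “organization-wide” threshold are all assumptions.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Endpoint:
    hostname: str
    platform: str
    patches: set[str] = field(default_factory=set)
    last_seen_hours: int = 0  # hours since the endpoint agent last reported in


# Constructed sample inventory: hostnames and patch IDs are placeholders, not real ones.
INVENTORY = [
    Endpoint("ws-001", "windows", {"P-100", "P-101"}, 1),
    Endpoint("ws-002", "windows", {"P-100"}, 2),
    Endpoint("ws-003", "windows", {"P-100"}, 3),
    Endpoint("ws-004", "windows", {"P-100", "P-101"}, 1),
    Endpoint("ws-005", "windows", {"P-100"}, 72),  # stale: has not reported for three days
    Endpoint("srv-01", "linux", {"L-7"}, 1),
]


def scope(inventory, platform, required, stale_after_hours=24, org_wide_fraction=0.5):
    """Classify how widespread a missing patch is on one platform.

    A host whose agent has not reported within stale_after_hours is counted as
    'unknown', not as compliant: a stale record is the blind spot, not evidence
    that the patch is present. Both thresholds are assumed values.
    """
    in_scope = [e for e in inventory if e.platform == platform]
    missing = sorted(e.hostname for e in in_scope
                     if e.last_seen_hours <= stale_after_hours and required not in e.patches)
    unknown = sorted(e.hostname for e in in_scope if e.last_seen_hours > stale_after_hours)
    fraction = (len(missing) + len(unknown)) / len(in_scope) if in_scope else 0.0
    verdict = "organization-wide" if fraction >= org_wide_fraction else "localized"
    return {"missing": missing, "unknown": unknown, "fraction": fraction, "verdict": verdict}


def remediate(inventory, hosts, required, apply_fix: Callable[[str], bool]):
    """Push the fix to each host and record success or failure per host.

    apply_fix stands in for the management tool's deployment action (assumed
    signature: hostname -> True on success). The inventory is only updated for
    hosts that report success, so a failed push stays visible to verify().
    """
    by_name = {e.hostname: e for e in inventory}
    results = {}
    for host in hosts:
        ok = bool(apply_fix(host))
        if ok:
            by_name[host].patches.add(required)
        results[host] = ok
    return results


def verify(inventory, platform, required, stale_after_hours=24, org_wide_fraction=0.5):
    """Re-run the scope after remediation; anything still missing or unknown is
    reported rather than silently closed."""
    after = scope(inventory, platform, required, stale_after_hours, org_wide_fraction)
    return {"unresolved": sorted(after["missing"] + after["unknown"]), "verdict": after["verdict"]}


def demo():
    """Run the loop on a copy of the sample inventory; the push to ws-003 is simulated as failing."""
    inv = deepcopy(INVENTORY)
    before = scope(inv, "windows", "P-101")
    outcome = remediate(inv, before["missing"], "P-101", lambda host: host != "ws-003")
    after = verify(inv, "windows", "P-101")
    return before, outcome, after


if __name__ == "__main__":
    for label, result in zip(("scope", "push", "verify"), demo()):
        print(label, result)
```

The point of the `unknown` bucket is the caveat from the interview: an endpoint that has not checked in from home or public Wi-Fi is not compliant just because no finding was reported against it, so the verification report carries it forward alongside hosts where the push failed.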
Even having full visibility into your own endpoint population may be insufficient for dealing with today’s threat environment, Kaur said. She said Tanium makes available anonymized data from millions of its customers’ devices.
Such data enables trend spotting. For example, an update to a widely used application might cause crashes, memory spikes or user lockouts.
“How do we just proactively tell you that this change in your organization may have negative consequences associated with it,” Kaur said. “Or on the contrary, say, ‘Hey, this is a really safe change because we’ve seen it happen on hundreds of thousands of machines.’” That’s the thinking behind what Tanium calls its confidence index, available to users of its endpoint management tool.
The confidence index, which appears on the Tanium console, is updated every three to five minutes.
“We’re getting data from all these endpoints as they’re making changes,” Kaur said. That means users on the West Coast could potentially learn of a problematic patch or some other threat manifesting itself on the East Coast in time to avoid it.
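The idea behind the confidence index, as an added example that is not Tanium’s implementation (the interview does not describe how the index is computed) and not code from the page: given outcome records from many endpoints that applied a change, rate the change by a sample-size-aware upper bound on its bad-outcome rate, so that a change seen on a dozen machines never scores as safe as one seen on thousands, and surface the dominant symptom (crash, memory spike, lockout) for trend spotting. The change IDs, counts, symptom names and the thresholds (50 minimum samples; “safe” below a 1 percent bound, “risky” at or above 5 percent) are all assumptions.

```python
import math
from collections import Counter, defaultdict


def _records(change_id, ok, **bad):
    """Build (change_id, outcome) rows; a helper for the constructed sample data."""
    rows = [(change_id, "ok")] * ok
    for outcome, count in bad.items():
        rows += [(change_id, outcome)] * count
    return rows


# Constructed telemetry: one record per endpoint that applied a change, as if
# aggregated across many organizations. Change IDs and counts are invented.
TELEMETRY = (
    _records("app-update-7.2", ok=1997, crash=3)                      # widely seen, almost always fine
    + _records("patch-2024-A", ok=108, lockout=10, memory_spike=2)   # early rollout, already noisy
    + _records("driver-9.1", ok=12)                                   # too few machines to judge
)


def aggregate(records):
    """Collapse raw records into per-change counts: total, bad, and bad by symptom."""
    stats = defaultdict(lambda: {"n": 0, "bad": 0, "symptoms": Counter()})
    for change_id, outcome in records:
        s = stats[change_id]
        s["n"] += 1
        if outcome != "ok":
            s["bad"] += 1
            s["symptoms"][outcome] += 1
    return stats


def wilson_upper(bad, n, z=1.96):
    """Upper bound of the 95% Wilson score interval on the bad-outcome rate.

    Unlike the raw rate bad/n, this stays high when n is small, so a change
    seen on a dozen machines with zero problems does not look as safe as one
    seen on thousands.
    """
    if n == 0:
        return 1.0
    p = bad / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return min(1.0, centre + half)


def confidence(change_id, records, min_samples=50, safe_below=0.01, risky_above=0.05):
    """Rate a change from fleet telemetry. All thresholds are assumed values."""
    stats = aggregate(records)
    n = stats[change_id]["n"] if change_id in stats else 0
    if n < min_samples:
        return {"change": change_id, "verdict": "insufficient_data", "n": n}
    s = stats[change_id]
    upper = wilson_upper(s["bad"], s["n"])
    if upper < safe_below:
        verdict = "safe"
    elif upper >= risky_above:
        verdict = "risky"
    else:
        verdict = "caution"
    top = s["symptoms"].most_common(1)
    return {"change": change_id, "verdict": verdict, "n": s["n"], "bad": s["bad"],
            "bad_rate_upper": upper, "top_symptom": top[0][0] if top else None}


if __name__ == "__main__":
    for change in ("app-update-7.2", "patch-2024-A", "driver-9.1"):
        print(confidence(change, TELEMETRY))
```

Using the interval’s upper bound rather than the observed rate is what makes the score conservative: the raw rate for `driver-9.1` is zero, but twelve machines are not enough evidence to call it safe, and the bound says so.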
As the artificial intelligence lead for Tanium, Kaur espoused a step-at-a-time approach to applying AI to cybersecurity, detection and automated remediation.
“I don’t think you need to apply AI if we can just do it with simple data analytics,” Kaur said. “We’re doing kind of a crawl, walk, run approach here with a lot of the data collection.”
As data becomes more robust and models more mature, “[where] we are focusing and leveraging AI is the ability to actually interact with your endpoints and ask questions and gather data,” she added. Kaur noted that, “historically, if you wanted to know anything about your enterprise, it required complex queries, structured queries.” These took time and applied to only one question at a time, such as which machines were patched for which application.
AI-enabled automation, coupled with natural language queries, will eventually let users do more thorough discovery of activities on and conditions of their endpoints. It will also allow them to build automations without a lot of coding.
“Maybe what you’re trying to automate is a look at endpoints that have x, y and z, and then you want to apply some sort of fix to them,” Kaur said. Stating the use case to the Tanium tool would result in a “draft of what this automation could look like, so you can go in and tinker and tweak it.”
Copyright © 2024 Federal News Network. All rights reserved.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.