May 11, 2023|5 min|Technology

AI/ML-driven ransomware protection and recovery

How AI protects against the magnitude of threats and accelerates the scale of recovery.

Can we withstand and recover? Can we withstand new and advanced ransomware malware that morphs continually? And can we recover before our business suffers financial losses, customer defection, and brand damage?

CISOs must answer these difficult questions to boards and management teams who want assurance that their organization is prepared and resilient for the worst-case scenarios.

To battle ransomware, which can equate to organizational survival, CISOs need every advantage possible—the best defenses, the best recovery, and the best processes for incident response and for cyber recovery.

Artificial Intelligence (AI) has emerged as the force multiplier that significantly helps CISOs withstand and recover from attacks. AI can help organizations withstand attacks by leveraging large data sets to derive intelligence and automate risk management and security controls, practices, and processes. Likewise, AI can help organizations recover with confidence by automating recovery, identifying critical data, and ensuring that data does not reintroduce risks and vulnerabilities.

How AI can help to withstand ransomware attacks

AI is used today to provide highly effective ransomware defense. While not exhaustive, these are examples of technologies that use AI to help organizations defend against the growing complexity and frequency of ransomware attacks:

  • AI-enabled multifactor authentication (MFA): MFA is an extremely important control to battle ransomware. With MFA in place, ransomware gangs can’t simply guess passwords or use brute-force methods for password cracking. MFA can also be enhanced with AI to further strengthen its protection by using behavior (such as typing speed), adaptive authentication (requiring multiple authentications based on data risk), or fraud detection (automatically blocking a user if their access strays beyond normal boundaries).
  • AI-enabled ransomware detection: AI can analyze network traffic or file access to identify activity that could indicate a ransomware attack is imminent or in progress. Threat intelligence organizations continuously identify and detonate malware to document large numbers of indicators of compromise that provide early warning of ransomware activity.
  • AI-enabled activity and behavior monitoring: AI can look at access and user behavior and determine if the activity is suspicious and could signal a ransomware attack: failed login attempts, excessive file access, or other activity outside established norms that indicates ransomware activity. The activity monitoring can establish norms for both user and application behavior by continuously analyzing activity logs with AI.

How AI can help recover from ransomware attacks

Regardless of extensive defenses, organizations must deal with the reality of incurring a ransomware attack. Given the complexity of enterprise information systems, growing attack sophistication, and simple human error, ransomware infection is inevitable. The key is to limit the impact of the attack and recover any affected data and applications as rapidly as possible.

Looking ahead, AI can improve recovery platform security and provide operational intelligence and automation to enable rapid and confident recovery, while providing decision support to streamline the recovery process. A rapid recovery is one in which data and processes can be restored in hours versus days. And a confident recovery means the recovery data will not reintroduce vulnerabilities and threats that could lead to reinfection. Additionally, AI will streamline and ease the administration and management of the platform for optimal efficiency and security.

The following AI capabilities can help organizations achieve a confident and rapid recovery and improve efficiencies and security.

  • AI system behavior tracking: Near real-time monitoring of privileged and administrative users for indicators of anomalous activity.
  • AI-driven healing: Using AI to monitor the platform and anticipate problems, and suggest remediations.
  • AI-enabled optimized scheduling: Based on the critical need and usage of data, seasonality, and other variables, AI can adjust and optimize backup schedules to ensure RPOs are always met.
  • AI retirement of inactive data: As part of the backup process, AI can help organizations determine what data has become dormant for archival. This helps reduce recovery time by eliminating the unnecessary recovery of unused data as well as creating efficiency and cost reduction in storage.

But, for the longer term, your backup data, representing the majority of your critical enterprise data, can serve as the secure platform and the time-lapsed data source for retrieval augmented generation (RAG) to support AI-driven search and discovery of operational, transactional, and other enterprise data.

This is a unique capability in that no other enterprise repository provides the hyperscale foundation, secured access, analytics, and time-lapsed view of data that a modern data security and management platform provides.

Ransomware will continue to grow in frequency and sophistication

Ransomware will not subside in the near future. In fact, it’s probable that ransomware gangs will use AI at some point in the future to increase the effectiveness of their attacks. As of today, no credible reference exists for AI use by these threat actors, but they may incorporate the following tactics that use AI:

  • Use AI to automate attack targeting: Threat actors could use AI to automate the identification of vulnerable organizations. ML could be used to quickly sweep an organization’s networks and endpoints, and potentially employees to identify weak points and targets.
  • Attack creation: Ransomware gangs could use AI to analyze large amounts of data on attacks to craft new attacks that would have a higher probability of being undetected.

Withstand and recover with an AI/ML foundation

Cybersecurity solutions using AI/ML emerged over the last few years to help battle the growing sophistication and destructiveness of ransomware and other malicious activity. These solutions have proven effective in helping organizations withstand the onslaught of thousands of attacks each year.

Data security and management, which provides critical enterprise backup and cyber recovery, began the AI/ML journey years ago with anomaly detection, scheduling, and optimization. As ransomware attacks now threaten the ability of organizations to leverage their backup data for recovery, AI/ML will play an ever-increasing role in ensuring organizations can recover with reliability and confidence.

Cohesity uses certain AI insights today to help organizations recover with speed and confidence. With ML backup, snapshots are analyzed for unusual changes. Baselines are established for a number of variables, including the time series of data written, entropy (randomness of data), the number of file changes, and file extension changes. When these variables drift too far from learned baselines, this is an indication that ransomware or other malicious activity is occurring.
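The baseline-and-drift idea described above, as an added illustration that is not Cohesity's code or algorithm: it derives the four named variables from each snapshot's changed files and reports those that move away from the history. The z-score test, the threshold of 3, the spread floors, the function names and the sample data are all assumptions made for this example.

```python
import math
import os
import statistics
from collections import Counter

# Assumed minimum spread per variable so a perfectly flat baseline cannot divide by zero.
FLOOR = {"bytes_written": 1.0, "entropy": 0.25, "files_changed": 1.0, "ext_changes": 1.0}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def features(changes):
    """changes: list of (old_path, new_path, new_bytes) for files changed in one snapshot."""
    ext = lambda p: os.path.splitext(p)[1].lower()
    return {
        "bytes_written": float(sum(len(b) for _, _, b in changes)),
        "entropy": statistics.fmean([shannon_entropy(b) for _, _, b in changes] or [0.0]),
        "files_changed": float(len(changes)),
        "ext_changes": float(sum(ext(o) != ext(n) for o, n, _ in changes)),
    }

def drift(history, current, threshold=3.0):
    """Return {variable: z-score} for variables beyond `threshold` deviations from baseline."""
    base, now, flagged = [features(s) for s in history], features(current), {}
    for name, floor in FLOOR.items():
        values = [f[name] for f in base]
        spread = max(statistics.pstdev(values), floor)
        z = (now[name] - statistics.fmean(values)) / spread
        if abs(z) > threshold:
            flagged[name] = round(z, 1)
    return flagged

# Constructed sample data: six quiet snapshots, one quiet new one, one mass rewrite.
def quiet(i):
    text = (b"invoice %d line item\n" % i) * 40
    return [(f"docs/f{j}.txt", f"docs/f{j}.txt", text) for j in range(3 + i % 2)]

HISTORY = [quiet(i) for i in range(6)]
RANDOM_LIKE = bytes(range(256)) * 4  # stand-in for encrypted content (entropy 8.0)
MASS_REWRITE = [(f"docs/f{j}.txt", f"docs/f{j}.txt.locked", RANDOM_LIKE) for j in range(40)]

if __name__ == "__main__":
    print("quiet snapshot:", drift(HISTORY, quiet(7)))
    print("mass rewrite: ", drift(HISTORY, MASS_REWRITE))
```

Compressed archives and media files are also high-entropy, so an entropy jump is more reliable when it coincides with drift in the other variables, as it does in the constructed mass rewrite here.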

For threat protection, Cohesity uses AI/ML-driven threat intelligence to analyze backup snapshots for indicators of compromise (IOCs). These IOCs provide early warning that changes are happening to the data that are related to malware activity. And for data classification, Cohesity uses AI/ML to find elusive patterns in sensitive data and/or data elements that are sensitive and are fragmented across files. Without this, many sensitive data elements can be missed.

Cohesity will feature topics and new content on the Data Security Alliance at our data security and management virtual summit, Cohesity Catalyst on May 23-25. Sessions will reveal key considerations and integrations for achieving and sustaining cyber resilience.

Learn more about Cohesity products using AI insights:

Cohesity DataProtect
Cohesity DataHawk

Written by

Robert Shields

Director Product Marketing, Data Security and Governance

Greg Statton

Office of the CTO - Data & AI
