
Jul 28 2025

Defense and Civilian Agencies Augment Endpoint Management with Machine Learning

Automation capabilities add behavioral analysis to security tools, including monitoring and response.

Until just a few years ago, the U.S. Air Force still relied mostly on signature-based anti-virus tools to protect endpoints. But officials realized that a more advanced approach was needed to keep data and systems safe from hackers and adversaries.

“The tools just weren’t keeping pace,” says Air Force CTO Scott Heitmann. “We wanted to have more ingested signals. We wanted to make sure that we were consolidating all of these inputs, and that we were using artificial intelligence and machine learning for our decision advantage.”

Since then, the Air Force has moved to a platform that replaces signature-based detection with behavior analysis across endpoints, networks and cloud systems. Agencies throughout government have likewise moved in recent years to adopt endpoint protection and management tools that use machine learning to detect abnormal behavior, automate threat response and reduce the burden on human analysts.


Matt Hayden, vice president of cyber and emerging threats at General Dynamics Information Technology, previously worked in federal cybersecurity roles — most recently as assistant secretary for cyber, infrastructure, risk and resilience at the Department of Homeland Security — and stresses that endpoints are a critical component in agencies’ overall cybersecurity strategies, especially as attackers use AI to launch more sophisticated phishing campaigns.

“The first thing every agency has to do to be a responsible defender of networks is to take the low-hanging fruit away from attackers,” Hayden says. “That includes monitoring for laptops and mobile devices. It’s those endpoints that the users are putting their credentials into. Effective endpoint detection automatically detects threats and blocks them across your whole enterprise. The backbone of modern defense is to lock down those endpoints from the start.”

ML Is a Must-Have for Detecting Hostile Behavior

Bob Gourley, co-founder and CTO of the cybersecurity consultancy OODA and former CTO at the Defense Intelligence Agency, says that government cybersecurity leaders recognized the need for AI and ML capabilities in endpoint security as early as the 1990s, but the first effective tools didn’t come to the market until about a decade ago.

“Then, over the past five years, there’s just been an explosion, and all of the big players now are leveraging machine learning in endpoint defense,” Gourley says. “Microsoft Defender is great at it. So are Palo Alto Networks, CrowdStrike Falcon and SentinelOne.”

“If you want to have any hope of mitigating malicious code and detecting adversarial actions,” he adds, “you have to have a machine learning solution.”


The advantages of ML tools go beyond mere detection, Hayden says. “There’s not usually a cybersecurity professional looking at every incident that an endpoint detects, at the time it detects it,” he says. “There’s a hold-and-isolate set of rules, and that’s where the ML kicks in to write additional scripting. The tool starts taking actions on your behalf to investigate.”

Heitmann notes that the Air Force’s endpoint security tools automatically quarantine and sandbox suspicious email attachments and links. “That’s all being done at the speed of need, before the user ever gets a chance to access the file,” he says.


ML Catches Threats Other Tools Miss

After adopting ML tools, the Air Force’s cybersecurity team now closes about 1,500 tickets automatically each day, Heitmann says. “That used to be 30 minutes to an hour that our people were spending on each of those tickets,” he notes. “We’re giving time back to the airmen to focus on next-generation capabilities.”

Over the past six months, Heitmann notes, the tools have helped the Air Force catch two instances of boot loaders, which attackers can use to load malicious applications very early in the system startup process, giving them privileged access before security tools are even able to activate.

“You would be hard-pressed to find a bootloader through a signature-based tool, because it’s not malware,” Heitmann says. “But ML tools see files on the system that are outside of the norm, and they can detect the pattern of behavior.”


While some automated cybersecurity tools have gained a reputation for overwhelming organizations with false alarms, Hayden says that’s currently not much of a problem for ML-powered endpoint security tools.

“The more information you have, the better, and even false alarms can refine algorithms used to support orchestration and automation,” he says. “You had a lot of complaining in 2018 and 2019 that people couldn’t filter through the noise to know what was real and what wasn’t; now, tools are designed to receive all of that information and to help organizations prioritize.”

Choosing the Right ML for Your Agency

While there is movement to centralize federal purchasing of cybersecurity solutions, Gourley says agencies today still have a “big voice” in what tools they use.

Trellix, a platform that leverages advanced ML and AI to deliver multilayered endpoint protection across on-premises and cloud environments, boasts that its solutions are in use across all three branches of government, all cabinet-level agencies and all Defense agencies. The U.S. State Department relies on Tanium AEM, autonomous endpoint management that incorporates ML and AI insights. And in March, the Federal Aviation Administration purchased Fusion5 Enterprise Edition, which brings ML, natural language search and virtual assistants to endpoint management.

In addition to price, agency leaders should consider reliability and interoperability when choosing a product, Gourley says. Implementing advanced endpoint protection solutions typically doesn’t require much training, he adds, but notes that employees can become overwhelmed if agencies are using several platforms at once.


People may not even be aware that certain security tools have been purchased or are included in enterprise licensing agreements. “People change jobs, or sometimes they don’t quite know what was purchased,” he says. “The awareness can be very uneven.”

Heitmann notes that all agencies are in a race to catch threats as soon as attacks are launched, and ML-based endpoint security tools are helping them “close that loop faster and faster.”

“We’re constantly tweaking based on our adversaries’ tactics, and then they tweak their tactics in response,” Heitmann says. “It’s a tug of war, white hat versus black hat. Some days, they’re going to get closer, and some days we’re going to be on top. Machine learning is helping us gain that advantage.”
