To stay ahead in a hyperconnected world with more sophisticated and well-funded threats constantly emerging, financial institutions are exploring how to harness cutting edge technologies for cyber defence. Insights spoke with ING CISO Beate Zwijnenberg about the opportunities and challenges of applying technologies like artificial intelligence and machine learning to cybersecurity.
In the race of financial institutions to digitise products and services, ING believes that applying new technologies enables us to further foster our cybersecurity capabilities, so we can continue to bring business value and improve risk management for the bank.
As it is easy to get distracted by the huge dynamics within the cybersecurity profession, we try to keep focus on exploring the value of new technologies. However, this is a continuous challenge, as:
To keep up with the latest trends, we invest in ING innovation labs, collaborative cybersecurity innovations with industry peers, share knowledge among the ecosystem and look closely at new technology operating platforms that combine e.g. agile approaches, robotics and cloud.
We try to incorporate AI/ML into our cybersecurity programs where possible. We believe there are three important conditions necessary to make AI/ML work well:
AI/ML can potentially solve issues with scalability in human analysis. Though it is working now for e.g. network tracking through cyber defence platforms, we do see challenges with AI/ML models that trigger on wrong assumptions. This results in many false positives in the security detection process, which need to be investigated by humans. We are optimistic about what AI/ML can do, but it will take some time.
In processes where we do understand the models, modus of operation and we have high quality data and processing power we use some forms of AI/ML. For example, this is in network anomaly detection, malware detection, for automating repetitive tasks and some features in the anti-phishing domain e.g. recognition of the ING logo. New threats emerge though, of which the recent SolarWinds hack with the Sunburst malware is an example. In this case, the anti-malware detection was fooled and the hack was executed well within boundaries so that no one noticed it.
Humans will continue to be important for the cybersecurity value chain even with evolving AI/ML technology. The challenge with security and fraud is that AI/ML needs to be extremely precise. This in contrast to, for example, social media companies that facilitate customer recommendations. If, for instance, there is a 50 percent match between their target audience and the recommendations, this is still good in terms of return on their investment. That is one of the issues many vendors still face, as most of the available software can detect almost all positives, but it also detects a lot of false positives. The challenge herein lies in how to fine-tune the level of preciseness.
Cybersecurity AI/ML technologies are not mature enough at deep analysis and therefore the use of humans for this part in the cybersecurity value chain will still be needed. It is interesting to see that large tech companies are employing neural scientists. What can we learn from evolution? Can we ever mimic human thinking and remove the human flaws in behavior related to cybersecurity threats?
Of course, we do build our own specific AI/ML models, but for the underlying technology we - as virtually all organizations - depend on the specialists from the tech sector as well as collaboration with academic researchers. Outside highly specialized boutiques and Big Techs, very few organizations would have the critical mass to develop its full AI/ML stack, let alone with a viable business case.
The intricacies of third-party security are emphasized again in the SolarWinds case. It is extremely difficult to assess the entire supply chain even superficially, which is largely based on trust and legal agreements. It really does not matter if the technology is cutting-edge or not. Ask yourself the question: would anyone in a company understand the full source code of a SIEM or an IPS system line by line? Of course, you can ask for paper evidence and do as many penetration tests as you can afford, but 100% assurance is physically impossible. This is an industry-wide problem for which good answers have yet to be given.
We have for a number of years seen that the modus operandi of the consumer world is seeping into wholesale banking. Criminals usually like to take the path of least resistance when it comes to detection. They do not hesitate to hide for a long period. We do not invest in specific technology for this, however we focus on cross-departmental collaboration and connecting the dots between the organization silos. In doing so, we try to anticipate the structures of potential criminal attacks (kill chain), as criminals do not think in silos.
The promise of artificial intelligence and machine learning in cybersecurity is primarily where there are challenges with scalability of human analysis. While cutting edge, these technologies are also by definition immature; to be deployed successfully, they require lots of high-quality data, a good model which can be time consuming to build, and sufficient processing power. While it is important to use tailored models, most financial firms will depend on specialists in the technology space to implement these technologies rather than build them in-house.
© 2021 FS-ISAC, Inc. All rights reserved.
B.G. (Beate) Zwijnenberg has been the Global Chief Information Security Officer since 1 April 2018. Prior to her appointment as Global CISO she was Director of Fraud & Cybersecurity for ING Belgium...Read More
& Netherlands and lead the (IT) development and management of both identity and access management and anti-fraud services for ING customers and employees. Before that she was instrumental in building and leading the central fraud management division at ING in the Netherlands. Since joining ING in 1998 she has held various management positions and has worked in product development, as well as project & change management within Retail Banking and Insurance. Before joining ING she worked as a consultant Building Physics at the engineering firm Cauberg Huygen.