The phrase ‘artificial intelligence’ (AI) has become very fashionable in the cybersecurity world. The idea that independent, hyper-intelligent algorithms can solve all our security woes has taken off. We’ve seen a massive uptick in mentions of AI in media pieces, earnings calls, advertisements, and beyond. Everywhere you look, there’s a vendor excitedly telling you their AI capabilities are second to none. To hear them tell it, their software can not only stop hackers but also tell you the meaning of life, the universe, and everything. It’s getting hard to separate fact from science fiction.
Belief in the need for AI runs deep among IT leaders. According to research by Capgemini from a few years back, ‘two thirds (69%) of organisations said that they would not be able to respond to critical threats without AI, with 61% believing they need AI to identify critical threats’.
It all sounds very impressive, but the reality may be somewhat different. A report by venture capital firm MMC Ventures that looked at 2,830 European startups classified as ‘AI companies’ concluded that 40% of them didn’t use AI in any material way. And although AI can improve the speed, accuracy, and capacity of a whole range of security functions, it’s not omniscient – it can’t predict unforeseeable ‘Black Swan’ events, despite what so many think-pieces quietly imply.
Clearly, there’s a gap between what’s being said and what can possibly be done. So let’s cut through the noise. What can AI actually do? What can’t it do? And how do you get the best out of it?
What can AI actually do?
First off, it’s worth stating that when we talk about AI in the context of cybersecurity, we almost always mean machine learning (ML), a sub-discipline of artificial intelligence. Broadly speaking, that means algorithms that learn from data to perform a task, or set of tasks, more effectively over time. That can happen through supervised learning (training on a labelled dataset), unsupervised learning (drawing out patterns from an unlabelled dataset), reinforcement learning (trial and error guided by rewards and penalties – like learning to ride a bike), or deep learning (stacking many layers of analysis in a neural network, rather than focusing on one set of criteria).
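To make the supervised case concrete, here’s a minimal sketch in Python using scikit-learn. The toy messages and labels are invented purely for illustration – a real spam filter would train on millions of examples:

```python
# A minimal supervised-learning sketch: a toy spam classifier trained
# on a small labelled dataset. Messages and labels are illustrative
# placeholders, not real training data.
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.linear_model import LogisticRegression
from sklearn.pipeline import make_pipeline

messages = [
    "Claim your free prize now",
    "Meeting moved to 3pm, see agenda attached",
    "You have won a lottery, click here",
    "Quarterly report draft for your review",
]
labels = [1, 0, 1, 0]  # 1 = spam, 0 = legitimate (supervised: labels are known)

# TF-IDF turns raw text into numeric features; logistic regression
# learns which word patterns correlate with the spam label.
model = make_pipeline(TfidfVectorizer(), LogisticRegression())
model.fit(messages, labels)

# Likely [1] on this toy data, though tiny datasets make no guarantees.
print(model.predict(["Free prize waiting, click now"]))
```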
There are plenty of highly useful jobs these machine learning techniques can do for and with security teams. They’ve been used to detect spam and malware since the 1990s, and in recent years more advanced ML has incorporated behaviour analysis to improve accuracy and close loopholes. They enable image content analysis, for both stills and video, ensuring NSFW content is blocked effectively. They provide fraud detection capabilities, identifying anomalies in transaction data to spot unusual spending patterns and block suspicious payments. They can even be used in app development to spot mistakes and weaknesses in the base code, removing backdoors and vulnerabilities before the software goes out the door.
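As an illustration of the fraud-detection use case, here’s a hedged sketch using scikit-learn’s IsolationForest to flag outlier transactions. The features (amount and hour of day) are simulated stand-ins for the far richer data a real system would use:

```python
# A sketch of anomaly-based fraud detection with an isolation forest.
# Transaction features are simulated for illustration only.
import numpy as np
from sklearn.ensemble import IsolationForest

rng = np.random.default_rng(42)

# Simulate "normal" card activity: modest amounts, daytime hours.
normal = np.column_stack([
    rng.normal(50, 15, 500),  # typical spend
    rng.normal(14, 3, 500),   # typical hour of day
])

detector = IsolationForest(contamination=0.01, random_state=42)
detector.fit(normal)

# Score new transactions: -1 flags an outlier, 1 looks normal.
new_transactions = np.array([
    [48.0, 13.0],    # ordinary purchase
    [4900.0, 3.0],   # large spend at 3am - should be flagged
])
print(detector.predict(new_transactions))  # e.g. [ 1 -1]
```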
As machine learning develops, it can also perform more complex tasks like user and entity behavioural analysis. An entity could be a laptop, smartphone or tablet. It could also be a mailbox, where ML would look at the behaviour associated with that mailbox. Or ML could watch the traffic flowing to and from an organisation’s website over a set time period. It could also monitor a cloud object, such as a folder within a cloud storage application, and see how often users interact with the folder and how much data is transferred to and from it. By compiling and analysing that data over time, the algorithm can determine ‘normal’ behaviour – and quickly intervene when potentially dangerous anomalies occur.
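The core of that baselining idea can be sketched in a few lines. This toy example (with made-up transfer volumes) flags any day’s outbound data transfer that strays too far from an entity’s historical norm:

```python
# A simple sketch of the baselining behind entity behaviour analysis:
# learn an entity's "normal" daily data transfer, then flag sharp
# deviations. The volumes below are made up for illustration.
import statistics

# Thirty days of outbound transfer (MB) for one monitored mailbox/folder.
history = [120, 135, 110, 142, 128, 133, 125, 140, 118, 130,
           126, 138, 122, 129, 136, 124, 131, 127, 141, 119,
           134, 123, 137, 121, 139, 132, 128, 125, 130, 135]

mean = statistics.mean(history)
stdev = statistics.pstdev(history)

def is_anomalous(volume_mb: float, threshold: float = 3.0) -> bool:
    """Flag transfers more than `threshold` standard deviations from baseline."""
    return abs(volume_mb - mean) > threshold * stdev

print(is_anomalous(131))   # False: within the normal range
print(is_anomalous(2600))  # True: possible exfiltration, worth investigating
```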
Overall, then, machine learning is far from meaningless hype – this branch of AI can deliver a huge amount of value for security teams and improve security for their organisations.
What can’t AI actually do?
What AI and/or ML can’t do, as mentioned earlier, is predict the future from cold. No matter how good the past data it has access to, it can’t read the mind of Johnny Hacker and develop defences against his latest attack without prior information. Don’t invest in AI expecting to get a crystal ball.
Similarly, AI shouldn’t work alone. Sooner or later, even the most advanced algorithms will slip up. Your cybersecurity system should comprise a spread of solutions to provide you with failsafes. Belt and braces is still the best approach when it comes to data security. Don’t invest in AI expecting to be able to bin your other solutions and save a few pennies.
And finally, AI isn’t unbeatable. Training datasets can be poisoned, image files can be corrupted with noise, and rules can be abused. For example, some hacker groups have made consistent efforts to disarm Gmail’s spam filters by misreporting massive numbers of emails as spam – throwing the algorithm off course. Don’t invest in AI expecting an untrickable genie.
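To see why poisoning matters, consider this synthetic sketch: mislabelling a fraction of ‘spam’ examples as ‘legitimate’ in the training set – roughly what a label-misreporting campaign aims to achieve – degrades the resulting classifier. The dataset and numbers are invented purely for illustration:

```python
# A toy illustration of training-data poisoning via label flipping.
# Entirely synthetic; it only demonstrates the mechanism.
import numpy as np
from sklearn.datasets import make_classification
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import train_test_split

# Synthetic stand-in for a labelled spam dataset (1 = spam, 0 = legitimate).
X, y = make_classification(n_samples=2000, n_features=20, random_state=0)
X_train, X_test, y_train, y_test = train_test_split(X, y, random_state=0)

clean_model = LogisticRegression(max_iter=1000).fit(X_train, y_train)

# Simulate a poisoning campaign: the attacker gets half of the true
# spam examples mislabelled as legitimate before training.
rng = np.random.default_rng(0)
flip = (y_train == 1) & (rng.random(len(y_train)) < 0.5)
y_poisoned = np.where(flip, 0, y_train)

poisoned_model = LogisticRegression(max_iter=1000).fit(X_train, y_poisoned)

# The poisoned model typically scores noticeably worse on honest test data.
print("clean accuracy:   ", clean_model.score(X_test, y_test))
print("poisoned accuracy:", poisoned_model.score(X_test, y_test))
```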
Getting the best out of AI
So there you have it – there’s a lot to be excited about, but also a fair amount of hype and misunderstanding to be wary of. If you take the right steps, though, your organisation can get the best out of the technology that is out there.
Make sure you use as much training data as possible when building your algorithms, don’t rely on public datasets that could be poisoned by attackers, and keep an eye out for suspicious new additions to your dataset. Don’t iron out anomalies – leave them in, so your algorithm learns to spot attacks that stand out from the norm. Check what your new models are doing against what your old models did – if a new model is wildly off base, go back to the drawing board. And measure bias, variance, and error rates to keep them to a minimum.
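Here’s a hedged sketch of that model-comparison advice: train a candidate model alongside the incumbent, score both on the same held-out data, and refuse to deploy if they diverge wildly. The models and thresholds below are illustrative assumptions, not a prescription:

```python
# A sketch of "check the new model against the old one" before deploying.
# Models, data, and thresholds are invented for illustration.
import numpy as np
from sklearn.datasets import make_classification
from sklearn.ensemble import RandomForestClassifier
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import train_test_split

X, y = make_classification(n_samples=2000, n_features=20, random_state=1)
X_train, X_holdout, y_train, y_holdout = train_test_split(X, y, random_state=1)

old_model = LogisticRegression(max_iter=1000).fit(X_train, y_train)
new_model = RandomForestClassifier(random_state=1).fit(X_train, y_train)

old_preds = old_model.predict(X_holdout)
new_preds = new_model.predict(X_holdout)

# How often do the models disagree, and what are their error rates?
disagreement = np.mean(old_preds != new_preds)
old_error = np.mean(old_preds != y_holdout)
new_error = np.mean(new_preds != y_holdout)

print(f"disagreement: {disagreement:.1%}, "
      f"old error: {old_error:.1%}, new error: {new_error:.1%}")

# Arbitrary sanity thresholds: if the new model diverges wildly or is
# clearly worse, go back to the drawing board rather than deploying blind.
if disagreement > 0.20 or new_error > old_error * 1.5:
    print("New model is wildly off base - investigate before deploying.")
```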
And above all, stay ahead of the curve. AI is an ever-evolving discipline, and likely to accelerate. Do your research – and expect to keep evolving as defence and attack capabilities continue to change.