AI in Cyber Security: From Hype to Reality

Jose Varghese, executive vice president & Head for MDR Services at Paladion discusses a real-world perspective on AI in cyber security and also explores where skepticism regarding AI in cyber security is justified, how the technology can provide tangible value, and what to look for in an AI-driven cyber security provider.

Why We Really Do Need to Bring AI to Cyber Security
Much of the skepticism regarding AI’s application to cyber security comes out of a faulty understanding of why we are bringing this technology to our field in the first place. For skeptics, our industry is only discussing AI in cyber security because Artificial Intelligence is a hot tech topic in general, and some vendors are bringing it to cyber security to simply cash in on the trend.

It’s undeniable that there are some unscrupulous vendors looking to do just that. But we’ve needed to bring a technology like AI to cyber security for a long time now due to fundamental changes in the threat landscape.

Over the last 5-10 years, nearly every organization has undergone digital transformation by adopting Cloud, Mobile, and IoT. These technologies have opened up amazing new organizational capabilities, but they have also created new complexities, interconnections, and vulnerability points that cyber criminals have quickly learned to exploit. Their new wave of creative, complex, multi-channel attacks flood organizations with thousands of alerts, and hundreds of thousands of potentially malicious files to analyze every day.

Traditional perimeter and rules-based approaches to cyber security no longer apply to the new digital organization, and human-only cyber security teams cannot process the flood of threat data they now contend with every day. Artificial Intelligence’s speed, accuracy, and computational power offers our only chance to protect a perimeter-less organization, and to continuously process the overwhelming volume of threat data every organization now faces daily.

What Value AI Does and Does Not Offer to Cyber Security
Now, even though AI is necessary to protect the new digital organization against next-generation threats, that does not mean AI is a “magic bullet” solution to modern cyber security problems. AI offers a necessary—but limited—element of modern cyber security.

These limitations of AI’s application to cyber security are not discussed often enough, contributing to the sense that AI is simply hype. Many discussions of AI technology describe it as a kind of generalized human intelligence that can handle every single aspect of cyber security on its own, rendering human cyber security expertise obsolete.

This is not true. In the real world, AI primarily focuses on deploying Machine Learning (i.e. the automation of data science activities) to process massive quantities of threat data. AI’s ability to perform these activities at near-unlimited scale, with near real-time speeds, makes it an invaluable ally within a modern, effective cyber security program. And these activities can be performed at every stage of cyber security, allowing AI to offer value before, during, and after an organization suffers an attack. But they do not replicate human insight. They do not obviate the need for human cyber security experts. And they limit the areas where AI offers the most real-world value to cyber defense.

Where AI Offers the Most Real-World Value to Cyber Defense
At the moment, AI’s data-processing capabilities offer the most value to the following areas of cyber defense:

Threat Anticipation: AI can process over 100 TB of global threat data daily, from hundreds of threat intelligence feeds, to determine which emerging threats are most likely to attack your organization, allowing you to then proactively adapt your defenses against them—before they strike.

Threat Hunting: AI can constantly monitor and comb through all of your organization’s data—not just your security data—to detect patterns, anomalies, and outliers that indicate a likely compromise (even if that compromise does not conform to known attack patterns).

Alert Triaging: AI can deploy Machine Learning methods—such as historical patterning, clustering, association rules, and data visualization—to quickly filter out false positives, reducing the burden on your security team.

Incident Analysis and Investigation: AI can provide data-based answers to threats, in order to quickly determine the identity of the attacker’s identity, map the attack chain, and define the attack’s spread and impact.

Incident Response: AI can centralize and quickly orchestrate a comprehensive response that automates playbooks and includes containment, recovery, mitigation, and defensive improvements, to get you back to business ASAP.

While these activities are impressive—and now essential—it’s important to note they can only be brought to your organization through the correct AI deployment… which is harder to get right than you might think.