Jose Varghese, EVP and HEAD – MDR Services at Paladion, explores AI and the role it will continue to play in combating modern cyberthreats.
Artificial Intelligence (AI) in cybersecurity has recently made several headlines. These headlines make seasoned cybersecurity professionals wary. We’ve seen other emerging technologies receive similar attention and we’ve seen many of them fail to live up to their expectations.
In this article, we will build a real-world perspective on AI in cybersecurity. We will explore where scepticism regarding AI in cybersecurity is justified, how the technology can provide tangible value and what to look for in an AI-driven cybersecurity provider.
Why we really do need to bring AI to cybersecurity
Much of the scepticism regarding AI’s application to cybersecurity comes out of a faulty understanding of why we are bringing this technology to our field in the first place. For sceptics, our industry is only discussing AI in cybersecurity because it is a hot tech topic in general and some vendors are bringing it to cybersecurity to simply cash in on the trend.
It’s undeniable that there are some unscrupulous vendors looking to do just that. But we’ve needed to bring a technology like AI to cybersecurity for a long time now due to fundamental changes in the threat landscape.
Over the last five to 10 years, nearly every organisation has undergone digital transformation by adopting cloud, mobile and IoT. These technologies have opened up amazing new organisational capabilities but they have also created new complexities, interconnections and vulnerability points that cybercriminals have quickly learned to exploit. Their new wave of creative, complex, multi-channel attacks flood organisations with thousands of alerts and hundreds of thousands of potentially malicious files to analyse every day.
Traditional perimeter and rules-based approaches to cybersecurity no longer apply to the new digital organisation and human-only cybersecurity teams cannot process the flood of threat data they now contend with every day. Artificial Intelligence’s speed, accuracy and computational power offers our only chance to protect a perimeter-less organisation and to continuously process the overwhelming volume of threat data every organisation now faces daily.
What value AI does and does not offer to cybersecurity
Now, even though AI is necessary to protect the new digital organisation against next-generation threats, that does not mean AI is a ‘magic bullet’ solution to modern cybersecurity problems. AI offers a necessary – but limited – element of modern cybersecurity.
These limitations of AI’s application to cybersecurity are not discussed often enough, contributing to the sense that AI is simply hype. Many discussions of AI technology describe it as a kind of generalised human intelligence that can handle every single aspect of cybersecurity on its own, rendering human cybersecurity expertise obsolete.
This is not true. In the real world, AI primarily focuses on deploying Machine Learning (i.e. the automation of data science activities) to process massive quantities of threat data. AI’s ability to perform these activities at near-unlimited scale, with near real-time speeds, makes it an invaluable ally within a modern, effective cybersecurity program.
And these activities can be performed at every stage of cybersecurity, allowing AI to offer value before, during and after an organisation suffers an attack. But they do not replicate human insight. They do not obviate the need for human cybersecurity experts. And they limit the areas where AI offers the most real-world value to cyberdefence.
Where AI offers the most real-world value to cyberdefence
At the moment, AI’s data-processing capabilities offer the most value to the following areas of cyberdefence:
- Threat anticipation: AI can process over 100 TB of global threat data daily, from hundreds of threat intelligence feeds, to determine which emerging threats are most likely to attack your organisation, allowing you to then proactively adapt your defences against them – before they strike
- Threat hunting: AI can constantly monitor and comb through all of your organisation’s data – not just your security data – to detect patterns, anomalies and outliers that indicate a likely compromise (even if that compromise does not conform to known attack patterns)
- Alert triaging: AI can deploy Machine Learning methods – such as historical patterning, clustering, association rules and data visualisation – to quickly filter out false positives, reducing the burden on your security team
- Incident analysis and investigation: AI can provide data-based answers to threats, in order to quickly determine the attacker’s identity, map the attack chain and define the attack’s spread and impact
- Incident response: AI can centralise and quickly orchestrate a comprehensive response that automates playbooks and includes containment, recovery, mitigation and defensive improvements to get you back to business ASAP
While these activities are impressive – and now essential – it’s important to note they can only be brought to your organisation through the correct AI deployment – which is harder to get right than you might think.