Artificial intelligence (AI) and machine learning (ML) play an increasingly important role in cybersecurity, transforming how organizations can identify and prevent attacks, while processing data at an incredible speed and scale. While many organizations are readily adopting AI and ML to improve cybersecurity efficiency and effectiveness, it can be challenging to implement these tools and unlock their full potential.
In episode four of our six-part podcast series, Get IT: Cybersecurity insights for the foreseeable future, Theo van Wyk, head of cybersecurity at CDW Canada, and TK Keanini, distinguished engineer in Cisco’s Security Business Group, share insights into the use and benefits of AI and ML for organizations and vendors, the ethical use of these tools and their impact on the future of cybersecurity.
Here are some topics they tackle in Episode four:
AI and ML: more than the hype
AI and ML have had a significant impact on cybersecurity in recent years, and these tools are becoming increasingly embedded and valued. Organizations are already using AI and ML to identify and prevent cyberattacks, while analytics and operational teams are working to better understand how to employ this technology.
There is tangible evidence that the role of AI and ML will become increasingly important in cybersecurity. Organizations want to operate at machine scale, and enlisting intelligent machines is necessary to achieve this. Humans will never be able to process data at the same speed as machines or identify complex patterns within large data sets. As AI and ML continue to evolve and spread, we expect to see significant impact and change within the industry.
Detecting behaviours
At CDW, the use of AI and ML in cybersecurity has focused on analytics and data science. As humans, our ability to process and detect patterns, behaviours and correlation points in vast amounts of data is limited when compared to a machine. AI and ML allow us to quickly and efficiently cull through enormous data sets and distill the most important information.
An example of the use of AI and ML is detecting intrusions on laptops. Malware has very specific behaviours, but these behaviours change regularly. Signature-based detection will look for specific malware traits but won’t be able to detect changes in behaviour. AI and ML can go beyond signature-based detection, through the creation of an algorithm to detect these behavioural changes. This can be used to better detect existing threats, as well as identify malicious programs or elements that would have previously gone undetected.
The benefits for organizations
Identifying key patterns and distilling relevant information from large data sets remains a challenge for many organizations. Compounding this challenge is the ability to detect something that an organization has not yet encountered. With many detection-based and signature tools, organizations are only able to respond or react once they have experienced the problem. Attackers can use this to their advantage by only exploiting a technique or behaviour once.
A significant benefit of using AI and ML is the ability to detect and review behaviours and patterns that organizations have not yet encountered. The machine can effectively mine data for trends and behaviours, identify the ones that need the most attention and discard the rest. While the machine may not be able to flag whether the behaviour or pattern is good or bad, it is able to detect trends that would otherwise be overlooked by human analysts.
Ultimately, the real magic happens when people and machines work together. Organizations benefit when workers can express their intent in a model and use it to program the machine, while the machine relies on people to further dissect the findings and insights.
How vendors are using AI and ML
The use of AI and ML within the vendor community should be thoughtfully and carefully considered, as using AI or ML just for the sake of using it will not achieve the desired results. Vendors should use AI and ML only when it adds value and improves customer outcomes. As AI and ML tools become more embedded, they are going to allow all sorts of organizations, including cybercrime businesses, to work on a bigger scale.
There are a few ways that the vendor community can leverage AI and ML. The first application is embedding it in features for customers to use, for example, being able to detect threats based on actual behaviours. Another application is pinpointing key information within large data sets. Vendors are often privy to information from different customers and verticals that can be correlated. This vast dataset offers a distinct advantage when training the AI and ML, allowing for the use of better models and outcomes. The machine will also be able to pick up on trends that would otherwise be missed by the human eye, effectively using the AI and ML to find key information.
This type of application is especially important for organizations that are looking to dissect a large dataset but are not sure what questions to ask to help uncover key insights and trends. For example, a retailer could review sales transactions across all the stores, and the machines could identify that men over 25 who purchased a six-pack of beer also bought a package of diapers. This is referred to as a machine-scale insight and brings incredible value to the retailer.
Effective implementation
When looking at security orchestration, automation and response (SOAR) tools, orchestration remains a key challenge. Organizations tend to focus on automation; however, they must first understand what actions they are willing to take based on information inputs.
Working with security analysts, it is important to map out and capture processes in a workflow. For example, an analyst might remove a device from a network after a series of suspicious activities. However, once the machine is removed, what are the next steps? If the machine is being quarantined, how is it being quarantined? These processes are encountered daily by security analysts but are often not captured within a workflow.
Once organizations understand those processes and what impacts and dependencies they want to orchestrate, they can automate with a much greater amount of confidence and accuracy to accomplish them.
Balancing ethics
Ethics should be carefully considered when implementing AI and ML, because machines think in a binary way and cannot understand ethics. All the machine thinks is, “Can I do it, or can’t I?” And if it can do it, it probably will. This can lead to uncovering things without taking privacy or personal barriers into account.
Organizations need to promote responsible and ethical use of these tools. Just because you can do something with the tool does not mean you should. AI or ML in video surveillance, for example, can track where people are going, who they are meeting, and might even give you information beyond that, but it could provide data that might be unethical to use.
AI and ML tools should be used only for what they are intended, wrapped with the proper controls and restrictions to ensure the tools are being used for the right reasons.
Where do we go from here?
Navigating AI and ML can be challenging, especially if you are new to the space. The best approach is to start by reading and speaking with experts. In the beginning, the terminology might be a bit confusing, but it is important to not get overwhelmed or get caught up in technical language. It’s important to keep an open mind and think about how to deploy and use these tools to advance the organization’s business objectives.
While some people speculate that AI and ML will eventually replace IT teams, these tools will not eradicate the need for human ability. However, AI and ML will certainly become more embedded into our everyday lives and enable organizations to operate at an unprecedented scale. The barrier between machine and human may shift over time and between different industries or sectors, but there will always be both sides of the coin.
For further insights on the use and benefits of AI and ML, tune in to Episode four here.