Cybersecurity is a constant concern for businesses of all sizes. There are countless threats to organizational data by a growing host of bad actors, and the risks of a cyberattack on your business are only growing. A recent study found that 76 percent of U.S. businesses had experienced a cyberattack last year alone. Given the large number of remote workers logging into company files from unsecured networks with no IT supervision, it’s not a question of “if” but “when” your company will become infiltrated. For most businesses, well-known hacks like ransomware or phishing are top of mind. However, attackers are now utilizing new tools and carrying out more detailed campaigns to breach defenses. This calls for more sophisticated defense mechanisms that make use of Artificial Intelligence (AI) and Machine Learning (ML) to protect your technology assets.
What is Artificial Intelligence?
The term “AI” is often used to refer to a wide range of cybersecurity solutions. It’s important to distinguish which products have capabilities that meet the current definition of the term, versus those that are using it as marketing lingo to brand older technology. Many of the older technologies that were once deemed “artificial intelligence” are now routine solutions that are not included in today’s definition.
One example of this is Optical Character Recognition (OCR). It has been a staple technology in many solutions for 40 years or so now. Other technologies like biometric security devices such as fingerprint and retina scanners have been around for a long while. While once considered a form of AI, they do not qualify with the current meaning. A great way to think of AI in its current definition is that it’s a computer program designed to solve difficult problems that humans routinely solve. However, even with an established definition, there are varying degrees of true AI.
Some of the most powerful AI technologies include neural networks, expert systems, case systems, robotics, natural language processing, and many others. Among those technologies, neural networks are dominating the space as the premiere technology driving many AI solutions. AI neural networks are loosely designed based on how the brain works. In an artificial neural network, a group of compute nodes are connected and share data in such a way as to represent a simplified version of how the neurons in the human brain would function. One type of AI, known as Specific AI, combines neural networks, large data sets and computing power in the cloud to provide a data-driven solution that’s easy and effective for cybersecurity applications.
What is the role of Artificial Intelligence in cybersecurity?
While we have touched on a few of AI's capabilities, what role does AI play in cybersecurity? Organizations today utilizing Security Information Event Management (SIEM) technology to gather data across the enterprise related to user and systems activities may capture security event data terabytes. For a human to parse through this amount of data and find meaningful correlations to pinpoint potential anomalies would be impossible.
However, this task is well-suited for AI that has been “trained” to look for irregularities across systems and user activities. Meaningful data can be buried across terabytes of log files. AI-based tools can effectively search across and correlate various data points to help pinpoint anomalies. These anomalies can be the result of the activities of an attacker that may be secretly moving across an organization’s network or have infiltrated a cloud SaaS environment. Anomaly detection is one of the areas where AI is extremely valuable in cybersecurity defenses for an organization. It can also be used to examine previous attacks in other environments and organizations and look for those same characteristics in an environment to stop similar attacks.
Is Artificial Intelligence a “good guys” technology only?
As mentioned in the outset, attackers also use new and very sophisticated techniques to attack organizations and compromise their data. As cybersecurity defenses are evolving, using new technologies such as AI in cybersecurity attacks is becoming much more common. Unfortunately, extremely beneficial technologies such as AI are not exclusively available to the “good guys” or those defending their networks and data. It’s available to the threat actors as well. How do attackers make use of AI?
Attackers can utilize AI in multiple ways. However, a few of the common ways it is leveraged against organizations include using it to weaponize malicious code, hide malicious code in benign applications, create self-propagating attacks, and to find vulnerabilities.
One of the most intriguing ways that attackers are using AI is to simulate user behavior. If they can hide “in the noise” and make their activities appear to be regular user activity, this can help them avoid detection. AI-based attacks can help profile and simulate legitimate user activity to camouflage attacks from traditional cybersecurity tools.
What Artificial Intelligence is not.
When choosing a cybersecurity solution to defend your organization against today’s sophisticated attacks, you will certainly come in contact with AI used generally as marketing jargon. Most cybersecurity vendors today are tossing around the term to describe features of their product. Before selecting a cybersecurity solution, it’s wise to understand that not all AI is created equal and different vendors apply the term to many different things. In other words, you may not be getting what you are paying for.
Unfortunately, AI is hyped and oversold by marketing professionals. This leads to a great deal of misinformation and confusion. Many cybersecurity solutions tout using big data in their solution, so this must constitute AI. While it may seem obvious, big data is no more than “a lot of data.” It does not in itself constitute AI.
Other solutions may advertise their statistical analysis techniques as constituting AI. However, most of the statistical techniques that are known and used today are from 80-100 years old. Again, this does not in itself make a solution an AI-based solution. What is advertised as an AI-based solution may very well not qualify upon closer examination.
Questions to ask cybersecurity vendors to scrutinize their AI offerings.
You should ask any cybersecurity vendor several questions to understand if what they are marketing is genuinely an AI-based solution. Let's examine a few examples and see how these can help determine the validity of the solution they’re selling.
1. What business goals will AI help me achieve?
When looking at any cybersecurity solution, there should be a clear idea of specific business goals you can achieve with the help of AI. If there is no clear, defined business goal that the solution provides, this will serve as a red flag as to the legitimacy of the AI-based approach.
2. What problems do you solve with the help of AI?
Very similar to the business goals, there should be apparent problems and challenges defined, which the cybersecurity solution allows you to overcome. Having an AI-based solution to say you are using AI is not a good reason to invest.
3. What type of AI is used?
If a particular cybersecurity solution or vendor is pitching a general AI solution, this should serve as a warning. General AI has not been effectively implemented, only specific AI. Specific AI is task-based AI that is designed for a specific task or tasks. This may involve multiple algorithms.
4. How do you train your models?
There are two different types of data that can be used to “train” machine learning models – fake data and real data. Some cybersecurity vendors use fake data to “train” models. The structural models are what loosely mimic basic intelligence operations. While fake data can be used, it is not as effective as using real data from real organizations to train machine learning models to recognize specific behaviors that can constitute malicious behavior. Cybersecurity solutions using real data will be able to produce a much more effective cybersecurity solution.
5. How long is the learning period for your machine learning models?
There will be a "learning" period for the machine learning structural models to develop a baseline of regular activity within your environment. This could take anywhere from a few minutes to several days. The required time interval may depend on the specific type of algorithm and the particular machine learning task.
6. What does the AI development process look like in your company?
Another question to ask a cybersecurity solution vendor concerns the development process. When it relates to the AI and ML components of a cybersecurity solution, what does the solution's development process involve? Specifically, who is included in the development of AI technology?
It is essential to understand who leads the development process, as this can help determine what expertise and skillsets are driving the development of the AI-based solution. This can directly translate into the effectiveness and quality of the product considered.
7. How do you measure the success of your AI algorithms?
What metrics determine the success rate of a vendor's AI algorithms? Various parameters are often used, including:
- FP – False positive
- FN – False negative
- PPV – Positive predictive values
- NPV – Negative predictive values
Does the solution use one or all of these? Understanding how a vendor measures the success rate of their AI-based solution will ultimately help determine the solution's accuracy.
AI can play a key role in the cybersecurity defenses in the future, especially in the age of the cloud. Cloud SaaS can be an especially challenging environment to defend using traditional methodologies and tools. Using a cloud SaaS AI-powered cybersecurity tool can help to level the playing field to protect your cloud environments from attackers. Proper analysis of the available solutions can help you find the solution that will best protect you and your organization from cyber-attack.
Dmitry Dontov, Chief Technology Officer, Spin Technology