With digitalization, the explosion of connected devices, and the Internet of Things, cyber security experts have a lot on their plate. More connected devices equate to more traffic, more attack vectors, more attempts at security breaches, and a lot more data that needs to be analyzed. The future will only magnify the situation. Cyber security experts will need all the help they can get to prevent security incidents and respond to threats.
Artificial intelligence and machine learning are being applied more broadly across different industries and applications than ever before, and cyber security is no exception. When we talk about artificial intelligence (AI), we refer to a broad concept of machines being able to mimic cognitive functions and carry out tasks such as classification, anomaly detection or grouping of samples to effectively perform problem solving in a way similar to how humans would. Machine learning, on the other hand, could be considered an application or materialization of AI that’s based on the idea that we can give machines access to data and use algorithms that allow machines to learn the solutions to problems from the data by themselves.
For decades, a huge number of machine learning algorithms have been presented in the scientific literature, and they are also being used in applications all around us. While most current AI solutions are narrow in scope, focusing on a specific problem (the “what”) instead of looking to mimic the breadth of human cognitive functionality (the “how”), there’s evidence of the effectiveness of such solutions. From the recent AlphaGo victory to self-driving cars and movie recommendation engines, applications of AI are already more efficient than humans in several scenarios when set to focus on a task and given enough data.
AI is nothing new in cyber security. In fact, we’ve been using machine learning techniques since 2005 for things like sample analysis and categorization, URL reputation and categorization, and client-side detection logic. AI helps us quickly identify and analyze new exploits and weaknesses to help mitigate further attacks, and it is an integral part of our solutions.
In addition to improving preventative measures, AI techniques are key to breach detection and make it possible to react even to previously unknown threats. In many cases, people have been too slow to stop cyber attacks in time. AI systems that are designed to learn and adapt, and are capable of recognizing even the smallest of changes in their environments, have the potential to act much quicker – and based on much more data – than humans when it comes to catching new types of cyber attacks as well.
Machine learning algorithms can be used to create profiles of normal behavior, and these profiles can be global or, alternatively, user- or host-based. Based on these, it is possible to differentiate normal and abnormal behavior practically in real time. In the case of our Rapid Detection Service, for example, we constantly collect data with our endpoint sensors and model it to find user- or host-based discrepancies that identify suspicious behavior on networks. All alarming signals are then sent to security experts who investigate incidents 24/7 and alert customers if the alarm is valid. With AI, we can cut through the noise and prioritize our experts’ time for investigating and responding to real threats.
But using profiles alone is not the optimal solution, especially if we let the machines learn in a totally unsupervised fashion, as that would allow potential attackers to exploit the fact that the algorithms learn behavior patterns. Thus, we need to aim at modeling a higher level of cognitive function, combining the knowledge of experts, such as known attack models, with the self-learning profiles, and ensure our system is also resilient to attacks against its own adaptive nature.
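As an added illustration (not code from the service described above), the sketch below combines a self-learning host profile with one expert rule and a guard against gradual baseline drift. The feature (outbound connections per hour), the rule, the thresholds and all names are assumptions made for the example.

```python
from statistics import median

# Expert knowledge: one known attack model expressed as a rule
# (illustrative assumption: an office application spawning a shell).
OFFICE = {"winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample: outbound connections per hour for one host, vetted as clean.
BASELINE = [18, 20, 22, 19, 21, 20, 23, 17, 20, 21, 19, 22]

class HostProfile:
    """Self-learning per-host profile of one numeric feature."""
    def __init__(self, vetted, window=12, max_drift=1.5):
        self.values = list(vetted)[-window:]
        self.window = window
        # Frozen reference the profile may not wander far above without review.
        self.anchor = median(self.values)
        self.max_drift = max_drift

    def score(self, x):
        """Robust z-score: distance from the median in MAD units (MAD floored at 1)."""
        med = median(self.values)
        mad = max(median(abs(v - med) for v in self.values), 1.0)
        return abs(x - med) / (1.4826 * mad)

    def learn(self, x):
        self.values = (self.values + [x])[-self.window:]

    def drifted(self):
        return median(self.values) > self.anchor * self.max_drift

def evaluate(profile, event, threshold=3.5):
    """Return alert reasons for one event; learn only from unflagged events."""
    reasons = []
    if event["parent"] in OFFICE and event["child"] in SHELLS:
        reasons.append("rule")
    if profile.score(event["conns"]) > threshold:
        reasons.append("anomaly")
    if not reasons:
        profile.learn(event["conns"])
        # A slow ramp passes every per-event check; the frozen anchor catches it.
        if profile.drifted():
            reasons.append("drift")
    return reasons
```

Flagged events never enter the profile, and a "drift" result is the point at which an analyst would re-approve or reset the baseline.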
Combining man and machine
Investing in artificial intelligence certainly doesn’t mean humans are totally out of the game. Human insight and knowledge are vital to determining the depth of an identified threat, establishing how to react to a specific scenario, providing the higher-level picture, and working together with AI to find the optimal solution. And we should not forget the other aspect of the value of automation, beyond its role in the actual detection system. AI definitely has the ability to take some of the pressure off human experts on other fronts, too. It can also be used to power data-based tools that make our experts’ work much more efficient. Instead of highly talented people spending time on mundane tasks, the machine takes away this burden and allows them to work on the most important and challenging endeavors.
The human element is essential to the development of viable AI solutions in cyber security. AI needs human interaction and “training” to continue to learn and improve, correcting for false positives, and detecting cyber criminal innovations, as well as tailoring learning algorithms to our own problem domain. Man and machine working together. While we employ artificial intelligence in several production systems already, we’re working against skilled counterparts who are doing their best to not get detected. This means our approach needs to evolve over time, and we need to also keep evolving our AI-powered systems to become ever better at preventing and detecting threats in time.
We call this approach Live Security.
There is great potential in the market for the creation of technology to ensure solutions are contextual, and more proactive than reactive. Traditional, rule-based security is no longer enough; companies must also protect their networks against the unknown, as opposed to only the known threats. We believe that the best approach for companies to thrive is to bring together the best of both worlds. Combining human expertise and a machine learning system provides better results than either human or machine alone.