Demystifying AI in Cybersecurity
It goes without saying that Artificial Intelligence (AI) or machine intelligence, is at the forefront of technological discourse and its impact on DevOps and particularly in IT automation cannot be understated. Even though AI has come of age and crossed the threshold of symbolic meaning to achieve practical implementations, in most cases the term reflects nothing more than an abstract notion. For many in the IT industry and cybersecurity domain, embracing AI without clearly understanding what it can and cannot offer is akin to flying blind in the ever-expanding computing skies. AI will have a particularly important role to play in cybersecurity and next-gen data center, however that merits a closer look at its present state first.
AI has a long way to go before surpassing human-level performance in security decision making. Better said, presently we have deep learning tools available that allow for efficient number crunching and anomaly detection based on the trove of data collected from endpoints, applications, networks and the cloud. Scaling the complex level of metadata correlation by merely using human capital is unrealistic; today’s IT teams are overwhelmed by the volume of reported real and potential vulnerabilities. We are not simply looking for anomalies; we are in search of very narrow set of anomalies in the overall data subset that is SecOps-actionable. To achieve that through AI, computers (without being specifically programmed) must look at available data, self-learn and deterministically predict potential future breaches. The problem is that AI today lacks accuracy; machines simply cannot avoid making wrong decisions while reporting false positives and false negatives: false positives can lead to denial of legitimate service and false negatives leave digital assets exposed to attacks.
Security AI has reached a similar dilemma that autonomous vehicles face: it is unrealistic to give up full control to machines when stakes are high; we still need backup drivers at the wheel. For SecOps, the prudent approach is to look at existing security tools, past occurrences, and the future to define use cases for the deployment of AI. These use cases can be as specific as DDoS, privilege escalation, data exfiltration, micro-segmentation exploits and so forth.
A platform ripe for AI integration is security information and event management (SIEM). SIEM has become a tool for both operational efficiency and compliance management. However, without additional techniques to provide better contextualization of data, SIEM can fall into irrelevance in the future. SIEM has begun to adopt threat intelligence in its data presentation models, and yet both lack of inference and brief shelf life of threat intelligence highlights the need for better machine intelligence. A successful implementation of threat intelligence into SIEM will drastically reduce the proliferation of zero-day malware. There are ominous signs pointing to more future regulations mandating tighter security controls and as such broader integration of enterprise security tools is necessary to meet regulators’ demands. A richer, smarter SIEM can go a long way in addressing that requirement by providing evidence-based predictions.
Let’s not forget that AI tools are democratized and therefore available to good and bad actors alike. It is reasonable to expect the battle against cyber criminals be extended to machine intelligence. Bad guys with AI will not be using attrition but rather scan, discover and exploit weaknesses inside enterprise AI to lead it to faulty decisions or circumvent it entirely. One can imagine the deployment of botnets that intercept AI data and learn “on the job” how to defeat the smart enterprise security shields. AI needs hardening to overcome such potential security compromises.
What about applications? Continuing to build old-style applications without architected embedded security will blunt the impact of security AI. In not too distant future, apps will have means of direct communications with the enterprise AI which will help IT teams automate near real-time response to security attacks. Thus, AI will begin to operate as an overlay across applications and infrastructure and reduce human decision-making burden. AI is also armed with the mechanism to augment human intelligence. We have the ability today to use AI as a validation tool in SecOps to avoid looking for “needles in the haystack.” The combination of AI and human decision-making simply yields better intelligence and the end-result is smaller enterprise attack surface.
AI’s role in SecOps is overpromised. Its hype creates coercive pressure which might lead to unnecessary deployment of tools that further complicate rather simply the lives of CIOs and CSOs. Today’s IT teams are well-advised to identify use cases where AI brings more assurance to SecOps and reduces repetitive tasks undertaken by humans.