These days artificial intelligence (machine learning/self-learning technology) seems to be a ubiquitous term used by journalists and product vendors. However, it can be very misleading if you think it will solve all your cyber problems.
If we went back a few decades, ‘artificial intelligence’ meant a spell checker or a calculator. Nowadays, though, for cyber security we expect AI to deliver the near impossible: crunch and organise data at a speed and on a scale not achievable by human beings, help find needles in haystacks, and spot unusual or undesirable activity.
Implemented well, it can enable an organisation to really exploit human-machine teaming, resulting in early warning of suspicious behaviour or events not picked up by other systems, enabling faster remediation and stopping breaches from occurring or continuing. We’ve installed such systems ourselves and have assisted others in many companies with really impressive results.
However, AI alone won’t solve all your problems. You can’t simply plug a system in and expect it to do everything for you. Here’s a simple example:
Joe Smith uploads a bunch of documents to an external site in another country late at night. Was this part of his role on a particular job he was working on? Or has his PC been breached and a hacker is uploading the data? Or is this an insider threat, and he is planning to steal the data and use it at his next job or business? The AI machine can’t help you there because, bizarrely, it’s not that ‘intelligent’! It may report the incident as ‘unusual behaviour’ (because it’s late at night and the upload went to a new external site that no one in the company has connected to before), but only a careful internal investigation by an ‘intelligent’ human being will uncover the true reason for the incident.
Looking for breaches or unusual activity is great, but a large proportion of what gets flagged could also be false positives, creating significant work. I’ve also known of companies that have invested huge sums into systems only for the trained staff to then leave and not be replaced, leaving a machine beavering away, spewing out alerts that no one then reviews, or reviews belatedly.
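The Joe Smith scenario above, as an added illustration that is not part of the original article: a simple baseline detector over a constructed upload log (assumed working hours of 07:00 to 19:00) flags the late-night transfer to a never-seen external host as ‘unusual’, yet the alert records only what happened and nothing about why, which is the gap a human investigation has to fill; loosening the threshold shows where the false-positive workload comes from.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class UploadEvent:
    """One outbound file transfer as a proxy or DLP log would record it."""
    user: str
    dest: str          # external hostname the data was sent to
    when: datetime
    bytes_sent: int

# Constructed sample log (not real data): ordinary daytime uploads to sites the
# company already uses, then Joe's late-night upload to a never-before-seen host.
SAMPLE_EVENTS = [
    UploadEvent("alice", "share.partner-a.example", datetime(2024, 5, 6, 10, 15), 2_500_000),
    UploadEvent("bob", "crm.vendor.example", datetime(2024, 5, 6, 14, 40), 300_000),
    UploadEvent("joe", "share.partner-a.example", datetime(2024, 5, 7, 11, 5), 1_200_000),
    UploadEvent("joe", "drop.unknown-host.example", datetime(2024, 5, 7, 23, 48), 48_000_000),
]

def is_off_hours(when: datetime, start_hour: int = 7, end_hour: int = 19) -> bool:
    """Assumed working day of 07:00-19:00; anything outside it counts as late."""
    return when.hour < start_hour or when.hour >= end_hour

def unusual_reasons(event: UploadEvent, known_dests: set) -> list:
    """Ways the event deviates from the company-wide baseline. Every reason is
    about *what* happened, never *why*: a legitimate job, a breached PC and an
    insider all produce exactly the same alert."""
    reasons = []
    if event.dest not in known_dests:
        reasons.append("destination never seen in the company before")
    if is_off_hours(event.when):
        reasons.append("transfer outside working hours")
    return reasons

def run_detector(events, min_reasons: int = 2):
    """Replay events in time order, learning the destination baseline as it
    goes; return (event, reasons) for anything tripping at least min_reasons.
    Lowering min_reasons to 1 is where the false-positive workload comes from."""
    known_dests = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        reasons = unusual_reasons(ev, known_dests)
        if len(reasons) >= min_reasons:
            alerts.append((ev, reasons))
        known_dests.add(ev.dest)  # first sighting joins the baseline
    return alerts
```

With the default threshold only Joe’s night-time upload is reported; with `min_reasons=1` every first contact with a partner site is reported too, which is the analyst workload the paragraph above warns about.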
As with many other cyber products, selecting an AI system for cyber security is often based on the marketing and sales ability of the technology partner. This can be worrying, as an organisation can rely heavily on what the machine is meant to do versus what it actually does.
It should also be seen as a ‘complementary’ technology, not a replacement for the more traditional security products and services, which you will still need. Ask anyone who has purchased an AI system and they will tell you that they regularly find some ‘interesting’ things, especially at first, but over a longer period there are diminishing returns, and a lot of the time these things could also have been picked up by other systems they already have.
The trouble is though, if you have very large customers or clients spending large amounts of money with you as a business, they will audit you and expect you to have the latest security products installed to protect the data you hold for them.
So, the three things that you should really be aware of with AI for cyber security are as follows. Firstly, unless you have a large Security Operations Centre with highly skilled staff, you are going to need a 24×7 Managed Security Service Provider to get real value from the AI system: to interpret the data delivered and then understand how the alert or incident is affecting, or has affected, the organisation’s environment. Secondly, you need to act very quickly when the alerts come in, otherwise it could already be too late. And lastly, AI products need to be able to ‘block’, not just report on, suspicious activity. Some of them can do this, but they are very expensive. Ideally you want to stop hackers getting in in the first place, not find them once they are in! Oh, and they do not find ‘blind spots’, so they are not a replacement for fixing sloppy system configuration!
For most SMEs, AI for security is currently very expensive to embrace.
Effort, at significantly less cost, could be better focused on what you can do better with what you currently have, such as making sure that you regularly patch your systems, have regular penetration tests carried out, and remind and train staff repeatedly that they should be cyber-aware at all times. After all, most cyber incidents still involve a human being opening an email attachment or simply clicking on a link!
What the market really needs, though, is an affordable low-cost entry point that attracts SMEs by delivering the combined AI benefits with a managed SOC. But prices would need to reduce by 75% to make AI cyber security truly ubiquitous…