As the variety, number and creativity of cyberattacks proliferate, one thing is becoming clearer every day for CISOs, business executives and board members: Maintaining the status quo in cybersecurity defense strategies is a losing proposition. Organizations simply can’t hire enough security analysts, expand their Security Operations Centers fast enough or update policies sufficiently to reduce their cyber risks.
The question is now shifting from “how do we keep up?” to “how do we get ahead?” And to do that, organizations need to up their commitment to artificial intelligence and machine learning.
Already, AI and ML have become an essential part of many organizations’ cybersecurity frameworks. Research indicates that investments in AI/ML for cybersecurity use cases will grow by more than 30% on a compound annual basis by 2025, at which time global investments will approach a gaudy $35 billion.
And why not? AI/ML acts as a force-multiplier in an era when data sets are exploding due to the massive growth of unstructured data, particularly driven by tens of billions of connected endpoints embodied in the Internet of Things phenomenon. For cybersecurity applications such as identity and access management, intrusion detection/prevention, network behavior anomaly analysis, and advanced persistent threats, AI/ML algorithms can be extremely effective in detecting, preventing, and remediating problems.
But it’s important not to get carried away with the massive publicity surrounding AI/ML, and to be wary of the potential for misplaced expectations. AI/ML is currently deeply entrenched in what is generally referred to as the “hype cycle” of new technologies–offering great promise but not yet meeting the market’s outsized expectations. Oh, it will get there, but business leaders should be careful not to see AI/ML as their panacea for cybersecurity risk management.
“The No. 1 driver for machine learning is the proliferation of enormous amounts of data, and the need for that data to be cleaned and properly classified,” according to Naveen Zutshi, chief information officer at Palo Alto Networks. “Most machine learning algorithms are useless if they don’t have access to different classifications of data sets. That’s why we built a data lake–to help combine more and more data from telemetry, and to make it easier to build data models.”
Zutshi also noted that ML’s limitations for cybersecurity include the fact that it is “dealing in probabilities; it’s not deterministic, which you really need for cybersecurity. In most cases, ML algorithms, by themselves, don’t have full certainty whether you’re dealing with malware or which kind, only that there’s a high probability of something.”
Still, ML brings some very powerful benefits to cybersecurity processes in areas such as phishing. Even organizations with strong anti-phishing defenses are likely to have their employees click on bad links 3% to 6% of the time. ML, however, has shown the ability to get those percentages way down, often very close to zero. “If you tie machine learning algorithms to hardware keys or tokens, you have a very powerful combination to combat phishing,” according to Zutshi.
Another area where ML can really help: Attacks built around evading signature-based controls on endpoints. ML algorithms can buttress those controls with stronger authentication and more reliable user identification.
Still, at the end of the day, AI and machine learning are simply tools—powerful, high-potential tools, to be sure, but tools just the same. C-suite executives and board members really shouldn’t spend a lot of their valuable time inquiring into the types of tools their CISO is employing in the SOC; they just need to ask the fundamental questions that AI/ML is supposed to help answer.
After all, business leaders really want to know if the CISO has an updated, modernized, and reliable insider threat program, or if incidents of phishing attempts are increasing or decreasing. Machine learning can help address those issues.
Just don’t fall victim to the hype around AI and ML. It’s not going to eliminate your need for a smart set of security analysts, a well-resourced SOC, or a visionary CISO. But it will be a great complement to your existing cybersecurity assets.