How viable is machine learning for cybersecurity?
Business professionals who have been riding the ML high may be in store for a "hangover."
NATIONAL HARBOR, Md. — Technology and security industries have turned to artificial intelligence and machine learning with a fervor once reserved for the latest iPhone release. On the expo floor at a cybersecurity show, professionals are hard-pressed to collect a vendor flier without AI or ML mentioned at least once.
Can the hype deliver — let alone last?
Machine learning is reaching the end of its peak of inflated expectations, poised for an imminent descent to the trough of disillusionment on Gartner's hype cycle. Business professionals who have been riding the ML high may be in store for a "hangover" when that trough hits, according to TK Keanini, distinguished engineer and product line CTO for analytics at Cisco, speaking at the Gartner Security & Risk Management Summit in Maryland on Monday.
Vendors are a big source of the problem, providing insufficient explanation and discussion, limited guidance and silver bullet marketing — filled with "empty calories" that taste good but offer little benefit, Keanini said. But the market for ML in cybersecurity is critical in today's landscape of evolving security, and businesses only focusing on static problems will be left behind.
Tech leadership is challenged with navigating an overloaded vendor landscape, especially in security, and finding the right combination of third-party offerings to build out a comprehensive security plan.
With 95% of CIOs expecting cybersecurity threats to increase and affect their business, stronger tools rooted in AI are needed. ML is a key solution for cybersecurity because it can recognize novelties and outliers, aggregate events to find relationships and detect attackers who log into networks rather than break in, Keanini said.
"In reality, the state of AI is currently capable of solving for only very narrow problem domains and is not capable of imitating the generalized, higher reasoning strength of human beings," according to Gene Stevens, co-founder and CTO of ProtectWise, a provider of cloud-based network detection and response solutions, in an email statement provided to CIO Dive. "Sophisticated and advanced attacks cross many attack surfaces and require a lot of context to understand; AI is not there yet."
Around 70% of an analytics pipeline is dedicated to weeding out the "weird" activity on a network, like that employee who always keeps dozens of browser tabs open, Keanini said. Actually threatening activity is a much smaller slice of the pie, but to wade through all the abnormal activity, businesses need machine learning. Already, AI and ML are proving more effective at detecting malware.
Choosing the right solution
CIOs and CISOs have to cut through marketing and find ML solutions that best fit their business needs. When assessing vendors, it is important to remember that ML success is domain-specific, said Keanini. Having the best algorithm for image detection does not mean a vendor is the best choice for malware detection.
An algorithm benefits the business if it is useful and helpful, whereas mathematical accuracy may not be what security needs. If a vendor cannot provide a clear answer about what the algorithm offers, launching instead into discussions of overfitting or underfitting solutions, then leadership may need to rethink onboarding the solution.
"Choose technologies that make you fast and effective and which leave no mystery in their wake," said Stevens. "Systems which claim to imitate human intelligence should similarly be capable of explaining themselves, how they work and how results are produced."
Before settling on a solution, technology leaders should clarify a few parts of the product, according to Keanini, including:
- How ML is applied and how effectiveness is measured
- What non-ML components are part of the solution
- Transparency of the solution, especially in open-source components or published papers
Businesses are best served by combining the AI technology with other tried-and-true analytics tools, such as simple pattern matching, statistical methods, and rules and first-order logic.
Before pointing ML to the problem, CIOs and CISOs need to ask if ML is really going to deliver a result that can't be reached by other means, Keanini said. AI technology is ultimately just another solution in the analytics toolkit — albeit one of the strongest and most promising ones — but not the silver bullet of cybersecurity.
Cybersecurity professionals should "feel justified in being skeptical of technology which touts its AI capabilities" and maintain a scientific approach to AI tools with an emphasis on high-quality data, clean output and transparency, Stevens said. AI solutions should be human-focused, combining the strengths of the technology with the skills of experts, according to Stevens.
"Security teams can create 'machine-accelerated' humans — cybersecurity professionals who work in conjunction with AI and machine learning to proactively identify and mitigate threats faster and more reliably," said Stevens. This is accomplished by freeing up human workers for strategic initiatives.
For vendors, having AI or ML capabilities is often necessary to remain competitive and get a foot in the door. Executives expect more AI solutions than ever — as evidenced by skyrocketing mentions of the technology in earnings reports — and ML capabilities are a straightforward box to check off in preliminary vendor assessments.
AI and ML are not the only technologies suffering these symptoms. Blockchain, another solution surrounded by hype and high expectation, is often implemented in projects and POCs in which a more established, familiar tech could accomplish just as much. This can lead to disappointing or less-than-spectacular results for a promising solution.
Yet even when pushes for these technologies drive some offerings with empty promises, overall investment in the field by vendors and security companies moves the industry forward and brings better products to market. AI and ML will remain important tools in the struggle to offset and protect against the increasingly sophisticated and dangerous cybercriminal population.
Follow Alex Hickey on Twitter