Artificial intelligence (AI) and machine learning (ML) are familiar terms for anybody working in IT or cybersecurity, and AI as a product category in the sector has become big business. This year, the cybersecurity AI market has been projected to be worth more than £50bn by 2029, but companies need to carefully consider what value AI and ML technologies can actually bring to their business’s cybersecurity function. Technology for technology’s sake is not the answer to the best cyber defence possible, so picking the most appropriate technologies for your use case is fundamental.
However, the competition is rapidly catching up. Malicious actors are increasingly harnessing these technologies, prioritising their applications for defence penetration and rapid vulnerability identification. To meet the issues and velocity of today’s threats, holistic security solutions which incorporate AI and ML are vital and must be aimed at the ultimate battle of preventing every attack possible, while responding as quickly as possible to the ones you cannot.
Understanding Cybersecurity AI and its Applications
Artificial intelligence itself is not a differentiator for security. In fact, there are multiple AI frameworks and models used today which are predominantly open-source and typically stem from academia. The differentiator is how the AI is used and what data is at hand for AI to learn from. Regardless of the purpose, AI that learns how to act via machine learning needs high-quality data, and to be effective, it needs as much data as possible.
Think about this from a cybersecurity professional’s vantage point. Learning from one deployment or threat vector isn’t enough. You need a solution that learns from all deployments, as well as one that leverages information from all users – not just a single company. You also need a system that can process both large volumes – and different kinds – of data, and that can integrate easily with existing operational processes to add value immediately.
To comprehensively manage most cybersecurity threats, effective AI approaches are typically those that incorporate ML-driven large-scale statistical pattern matching and domain knowledge to deliver a hybrid system. On the whole, statistical techniques derived solely from machine learning cannot adapt to newly developed, previously unseen cyberthreats with limited baseline statistics. Combining whatever statistical data is available with domain experience allows cybersecurity professionals to tackle this problem by facilitating logic-driven processes (often partly derived from large-scale data analysis) that can effectively prevent and detect specific attacker tactics and techniques.
However, aggregating these insights with expert systems – computer programs that utilise AI to imitate the judgement and behaviour of a human or an organisation that has expertise and experience in a particular field – can often lead to unbalanced and skewed error rates across deployments. To perform effectively, AI systems need statistical insights from ML together with domain-driven insights from other areas of the system that can generalise insight from the attacks, while keeping consistent and low-error rates for everyone.
How AI and ML Can Improve Security Outcomes
Effective use of AI and ML by security operations centre (SOC) teams undoubtedly enables a more efficient use of human resources and time, allowing a company to do more with less and yet more effectively at the same time. Every SOC today needs to deal with more threats that are more advanced, with less people, which makes AI and ML vital to scalability.
For example, AI and ML are often used to develop a baseline for routine operations against which irregularities can quickly be compared. They can also be used to strengthen operational effectiveness by highlighting the more mundane tasks that people are consistently doing. As a result, the technology can advise on and then facilitate automation playbooks that save resources and time by removing the need for certain tasks to be carried out manually. Analysts can subsequently be directed to focus more on work that fits their experience to strengthen the organisation’s capacity overall in combination with the efficiency gains AI provides.
The nature of cybersecurity operations means that there will never be just one problem that needs to be fixed at one time, but rather multiple issues that can arise concurrently. For cybersecurity decision-makers, the value of AI and ML in cybersecurity contexts lies in their potential to reduce the proliferation of both risks and exploits by saving employee time through automation and removing manual processes across security operations. Creating and maintaining such a technological edge will in turn help organisations beat cybercriminals at their own game, ultimately helping the bottom line.