There’s a lot of hype around artificial intelligence (AI). It seems like every technology and cybersecurity vendor these days is claiming to use AI in some way, shape, or form. AI is not a magical solution for every problem, but one area where AI — more specifically machine learning (ML) — can play an essential role is in cybersecurity operations.
What is artificial intelligence and machine learning?
Artificial intelligence refers to the ability of machines to mimic human behaviors. It’s founded on the idea that human intelligence can be reduced to specific abilities that computers can be programmed to replicate. Although “AI” is often used to describe any human-like intelligence exhibited by a machine, it’s actually an umbrella term for a range of different technologies.
AI encompasses a host of sub-fields that employ different techniques to emulate aspects of human intelligence. Such sub-fields include:
- Speech recognition and natural language processing mirror the human ability to hear, read, speak, and write language and to deduce meaning from it: audio signals are converted into text, and that text is processed to extract its meaning.
- Computer vision enables machines to see and process visual information.
- Robotics deals with designing and constructing machines to perform physical tasks usually done by humans.
Machine learning is perhaps the best-known sub-field of AI. It enables computers to process huge volumes of data, learn from it, and then make predictions based on it, with their performance improving as more data is seen.
There are two main types of machine learning models, “supervised” and “unsupervised.”
- Supervised machine learning requires a person, typically a data scientist, to train the model with a set of sample data that includes example inputs and the desired output (label) for each one. The trained model is then run against held-out test data, and the gap between its predictions and the known answers is used to measure its accuracy and tune it.
- Unsupervised learning models are given training data that contains only inputs, with no labels, and must find structure in that data themselves, such as groups of similar records or records that stand apart from the rest.
Each type of machine learning model is best suited to certain applications. Supervised machine learning is generally used to predict the outcome for new data based on labeled examples of past data. Unsupervised learning is used to identify hidden or unknown patterns in unlabeled data and is well suited to recognizing anomalies and grouping similar data together. Both are used extensively to improve cybersecurity.
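To make the contrast concrete, here is an added illustration (not code from Alert Logic or from this article): a supervised classifier and an unsupervised anomaly detector, both written from scratch so no ML library is needed. The supervised half learns from constructed, labeled process-behaviour features (the kind of behaviour-based malware signal the article returns to later); the unsupervised half is handed only a list of daily counts with no labels and has to decide for itself which day is abnormal. The feature names, the training rows, the host counts and the thresholds are all assumptions made up for the example.

```python
"""Added illustration, not Alert Logic's code: a supervised classifier and an
unsupervised anomaly detector written from scratch on small constructed
datasets, so the contrast between the two model types is visible without
any ML library."""
from collections import Counter
from math import log

# --- Supervised: labeled examples -------------------------------------------
# Constructed process-behaviour features, one tuple per observed process:
# (spawns_shell, writes_autorun_key, injects_into_other_process, signed_binary)
# with label 1 = malicious, 0 = benign. The values are illustrative only.
TRAINING = [
    ((1, 1, 1, 0), 1), ((1, 1, 0, 0), 1), ((0, 1, 1, 0), 1), ((1, 0, 1, 0), 1),
    ((0, 0, 0, 1), 0), ((1, 0, 0, 1), 0), ((0, 0, 0, 1), 0), ((0, 1, 0, 1), 0),
]


def train_naive_bayes(examples, alpha=1.0):
    """Bernoulli naive Bayes: estimate P(label) and P(feature = 1 | label)
    from labeled data. Laplace smoothing (alpha) keeps every probability
    strictly between 0 and 1, so an unseen feature combination never
    produces log(0) at prediction time."""
    counts = Counter(label for _, label in examples)
    n_features = len(examples[0][0])
    ones = {label: [0] * n_features for label in counts}
    for features, label in examples:
        for i, value in enumerate(features):
            ones[label][i] += value
    model = {}
    for label, n in counts.items():
        prior = n / len(examples)
        probs = [(ones[label][i] + alpha) / (n + 2 * alpha) for i in range(n_features)]
        model[label] = (prior, probs)
    return model


def predict(model, features):
    """Return the label with the highest log-posterior for a new feature vector."""
    best_label, best_score = None, None
    for label, (prior, probs) in model.items():
        score = log(prior)
        for value, p in zip(features, probs):
            score += log(p) if value else log(1.0 - p)
        if best_score is None or score > best_score:
            best_label, best_score = label, score
    return best_label


# --- Unsupervised: unlabeled observations only ------------------------------
# Constructed count of distinct hosts one user touched on each of 12 days.
# Nothing says which day is bad; the detector has to infer "normal" itself.
HOST_COUNTS = [3, 4, 3, 5, 4, 3, 4, 5, 3, 4, 47, 4]


def robust_outliers(values, threshold=3.5):
    """Flag observations far from the median, measured in units of the median
    absolute deviation (MAD). Median/MAD is used instead of mean/standard
    deviation because a single extreme value inflates the standard deviation
    and can mask itself, while it barely moves the median.
    Returns (index, score) pairs for the flagged observations."""
    if not values:
        return []
    ordered = sorted(values)
    mid = len(ordered) // 2
    median = ordered[mid] if len(ordered) % 2 else (ordered[mid - 1] + ordered[mid]) / 2
    deviations = sorted(abs(v - median) for v in values)
    mad = deviations[mid] if len(deviations) % 2 else (deviations[mid - 1] + deviations[mid]) / 2
    if mad == 0:
        # More than half the values equal the median, so any different value
        # is anomalous; use the mean absolute deviation as the scale instead.
        mad = sum(deviations) / len(deviations)
        if mad == 0:
            return []
    # 0.6745 rescales MAD so the score is comparable to a z-score for
    # normally distributed data (the Iglewicz-Hoaglin modified z-score).
    scores = [(i, 0.6745 * (v - median) / mad) for i, v in enumerate(values)]
    return [(i, s) for i, s in scores if abs(s) > threshold]


if __name__ == "__main__":
    model = train_naive_bayes(TRAINING)
    for sample in [(1, 1, 1, 0), (0, 0, 0, 1), (1, 0, 0, 0)]:
        print(sample, "->", "malicious" if predict(model, sample) else "benign")
    print("anomalous days:", robust_outliers(HOST_COUNTS))
```

The supervised model needs someone to have labeled every training row; the unsupervised detector needs no labels at all but can only say "this is unusual", not "this is malicious", which is why the article pairs it with human review. Note the edge case handled in `robust_outliers`: when more than half the observations are identical the MAD collapses to zero, and a naive implementation would divide by zero or flag nothing.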
How AI and Machine Learning are Helping Cybersecurity
AI and machine learning are transforming cybersecurity operations in a few areas:
1. Malware detection
Malware detection has probably benefited most from the application of AI. The traditional method of identifying malware by its file signature has proven limited as malware has evolved. It cannot, for example, detect fileless malware, which never writes a file to disk but instead runs only in a computer's memory. Signature-based detection is also unable to catch first-of-a-kind malware, or the intrusions of Advanced Persistent Threats, which combine several sophisticated attack techniques rather than relying on a single recognizable payload.
AI addresses these shortfalls by identifying malware from its behavior instead of its signature. With years' worth of malware samples available, organizations can train machine learning models to recognize out-of-the-ordinary, suspicious activity that acts like malware, whatever file (if any) it arrived in, allowing detection of these more sophisticated attacks. Using behavioral and signature-based methods together makes malware detection more effective overall: signatures remain the cheapest way to stop known threats, and behavioral models cover what signatures miss.
2. Manually executed tasks
AI can also help detect manually executed activity that system-focused security tools often miss, because such activity is signaled by anomalous behavior, such as an employee logging into a server they have never accessed before. Human analysts are best suited to spot this kind of activity, but with hundreds of users in a typical organization that is nearly impossible. Machine learning can aid this type of detection by monitoring user behavior to learn what is typical for each user, then recognizing behavior that deviates from that norm, estimating whether it is likely to precede an attack, and alerting human analysts. This AI-driven behavior analysis helps organizations better detect insider threats, brute force attacks, and compromised privileged accounts.
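The behavioral baseline described above, as an added example that is not part of the original article and not Alert Logic's detection logic: it learns, per user, which hosts they normally log into during a baseline window, then runs a later window of events through three checks covering the cases the paragraph names, a first-ever login to a host (the "never accessed before" case), a burst of failed logins (brute force), and a successful login immediately following that burst (a likely compromised account). The log format, the users and hosts, the events, the five-failures-per-minute threshold and the function names are all constructed assumptions for the example.

```python
"""Added example, not Alert Logic's code: a small behavioral baseline over
constructed authentication events. Learns each user's normal hosts from a
baseline window, then flags deviations in a later window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Format: timestamp user host result
BASELINE_LOG = """\
2024-03-01T09:02:11 alice web-01 success
2024-03-01T09:05:40 alice web-02 success
2024-03-02T08:58:03 alice web-01 success
2024-03-02T17:21:19 bob db-01 success
2024-03-03T09:10:57 alice web-02 success
2024-03-03T10:44:22 bob db-01 success
2024-03-04T09:01:30 alice web-01 success
"""

NEW_LOG = """\
2024-03-05T09:03:12 alice web-01 success
2024-03-05T23:41:05 alice db-01 success
2024-03-05T23:42:01 bob db-01 failure
2024-03-05T23:42:03 bob db-01 failure
2024-03-05T23:42:05 bob db-01 failure
2024-03-05T23:42:08 bob db-01 failure
2024-03-05T23:42:10 bob db-01 failure
2024-03-05T23:42:15 bob db-01 failure
2024-03-05T23:42:30 bob db-01 success
"""


def parse(log):
    """Turn the constructed text format into (timestamp, user, host, result)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return events


def learn_baseline(events):
    """Map each user to the set of hosts they logged into successfully during
    the baseline window. Failed attempts are deliberately excluded: an
    attacker's guesses must not teach the model that a host is normal."""
    baseline = defaultdict(set)
    for _, user, host, result in events:
        if result == "success":
            baseline[user].add(host)
    return baseline


def detect(events, baseline, fail_threshold=5, window=timedelta(seconds=60)):
    """Return (alert_type, user, host, timestamp) tuples for deviations."""
    alerts = []
    failures = defaultdict(list)  # (user, host) -> timestamps of recent failures
    for ts, user, host, result in events:
        key = (user, host)
        # Keep only failures inside the sliding window.
        recent = [t for t in failures[key] if ts - t <= window]
        if result == "failure":
            recent.append(ts)
            # Fire exactly once, when the threshold is first crossed, so a
            # long burst does not generate one alert per attempt.
            if len(recent) == fail_threshold:
                alerts.append(("brute_force", user, host, ts))
        else:
            # A user absent from the baseline has no known hosts at all, so
            # every one of their logins is a first access.
            if host not in baseline.get(user, set()):
                alerts.append(("first_access", user, host, ts))
            if len(recent) >= fail_threshold:
                alerts.append(("success_after_failures", user, host, ts))
        failures[key] = recent
    return alerts


def run():
    """Learn from BASELINE_LOG, then score NEW_LOG."""
    return detect(parse(NEW_LOG), learn_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

On the constructed input this produces three alerts: alice's first-ever login to db-01, the brute-force alert when bob's fifth failure lands inside the minute, and the success that follows it. A real deployment would learn the baseline continuously and weight hosts by how often and how recently each user touched them, but the shape of the logic, learn what is normal per user and alert on departures from it, is what the paragraph describes.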
3. Threat hunting
AI is also playing a supportive role in threat hunting. Although this advanced cybersecurity technique relies primarily on human intelligence, it is informed by huge volumes of endpoint and network data that the threat hunter analyzes to connect seemingly isolated events that indicate an attack. But sifting through the amount of data produced by modern IT environments is a complex and time-consuming process that virtually no business has the human resources to undertake. Machine learning can automate much of this process so that threat hunters can devote more time to blocking and resolving attacks.
In general, AI is helping cybersecurity by addressing the exponentially growing volume of data produced by today’s organizations and the increasingly sophisticated threats organizations face. Alongside SIEM applications and human analysts, AI is an essential component of modern cybersecurity.
AI Is an Essential Force Multiplier
Organizations have limited cybersecurity resources. The industry is faced with a dramatic shortage of cybersecurity professionals with the necessary knowledge and skills, but even if that were not the case, there would still be limited resources. Even Fortune 100 corporations with massive budgets and extensive cybersecurity teams still have a limit to how far those resources can go.
Artificial intelligence acts as a force multiplier to extend those resources. Machine learning and artificial intelligence can be applied to automate many of the routine tasks associated with monitoring network traffic and log analysis as well as perform computations too complex for human bandwidth — effectively augmenting the efforts of the cybersecurity team.
Cybersecurity at the Speed of the Cloud
AI also plays a crucial role in the ability to effectively monitor for threats in a complex, hybrid cloud environment while faced with an expanding and evolving threat landscape. AV-Test registers an estimated 350,000 new malicious programs and potentially unwanted applications every day.
Organizations need to be able to detect and defend against these emerging threats across local data centers and cloud platforms. Combined, the complex ecosystem, DevOps culture, and container technologies create a dynamic environment that can expand and contract dramatically as demand rises and falls. It’s virtually impossible for any human cybersecurity professional — no matter how good — to match the pace or scale necessary to effectively monitor such an environment.
How Alert Logic’s Machine Learning Works
It’s important to note that not all machine learning is created equal. Machine learning output is only as good as the volume and quality of the data supplied and the algorithms applied to analyze it.
At Alert Logic, data scientists curate and label the high volume of security data and machine telemetry that we collect from our customers around the world. This provides the training data for our machine learning algorithms to produce high confidence security outcomes. Our product engineering team develops scalable, production-quality detection for the techniques that the data scientists develop, and our application security experts and SOC (security operations center) analysts provide feedback to confirm and improve the findings.
Each part of our supervised machine learning pipeline is closely linked. Collecting high-quality, consistent data is critical: if the training data is noisy, the model learns the noise and produces bad results. Once a model is trained, it is run against real-world data collected by our own sensors in customer environments.
Focus on What Matters
The net result of using AI in cybersecurity operations is that your IT and cybersecurity teams can provide more value. Leveraging AI for cybersecurity operations frees up security professionals to focus on high priority tasks and proactive measures to improve cybersecurity overall.
For Alert Logic customers, it means more streamlined and effective network security monitoring from our SOC analysts. Machine learning helps us separate the signal from the noise at scale so we can invest our time investigating security events that require human attention rather than chasing down false positives.
There is still a lot of hype and confusion about artificial intelligence and machine learning, but when utilized properly, they make a significant difference in an organization’s ability to keep up with the pace of threats and implement effective cybersecurity.