Much of the scepticism regarding AI's application to cybersecurity comes out of a faulty understanding of why we are bringing this technology to our field in the first place. For sceptics, our industry is only discussing AI in cybersecurity because AI is a hot tech topic in general, and some vendors are bringing it to cybersecurity to simply cash in on the trend.
It's undeniable that there are some unscrupulous vendors looking to do just that. But we've needed to bring a technology like AI to cybersecurity for a long time now due to fundamental changes in the threat landscape.
Over the last five to 10 years, nearly every organisation has undergone digital transformation by adopting the cloud, mobile and the Internet of Things. These technologies have opened up amazing new organisational capabilities, but they have also created new complexities, interconnections and vulnerability points that cybercriminals have quickly learned to exploit. Their new wave of creative, complex, multi-channel attacks floods organisations with thousands of alerts, and hundreds of thousands of potentially malicious files to analyse every day.
Traditional perimeter and rules-based approaches to cybersecurity no longer apply to the new digital organisation, and human-only cybersecurity teams cannot process the flood of threat data they now contend with every day. AI's speed, accuracy and computational power offer our only chance to protect a perimeter-less organisation, and to continuously process the overwhelming volume of threat data every organisation now faces daily.
Now, even though AI is necessary to protect the new digital organisation against next-generation threats, that does not mean AI is a "magic bullet" solution to modern cybersecurity problems. AI offers a necessary - but limited - element of modern cybersecurity.
These limitations of AI's application to cybersecurity are not discussed often enough, contributing to the sense that AI is simply hype. Many discussions of AI technology describe it as a kind of generalised human intelligence that can handle every single aspect of cybersecurity on its own, rendering human cybersecurity expertise obsolete.
This is not true. In the real world, AI primarily focuses on deploying machine learning to process massive quantities of threat data. AI's ability to perform these activities at near-unlimited scale, with near real-time speeds, makes it an invaluable ally within a modern, effective cybersecurity programme. And these activities can be performed at every stage of cybersecurity, allowing AI to offer value before, during and after an organisation suffers an attack. But they do not replicate human insight. They do not obviate the need for human cybersecurity experts. And those limits narrow the areas where AI offers the most real-world value to cyberdefence.
At the moment, AI's data-processing capabilities offer the most value to the following areas of cyberdefence:
Threat anticipation: AI can process over 100TB of global threat data daily, from hundreds of threat intelligence feeds, to determine which emerging threats are most likely to attack your organisation, allowing you to then proactively adapt your defences against them - before they strike.
Threat hunting: AI can constantly monitor and comb through all of your organisation's data - not just your security data - to detect patterns, anomalies and outliers that indicate a likely compromise (even if that compromise does not conform to known attack patterns).
Alert triaging: AI can deploy machine learning methods - such as historical patterning, clustering, association rules and data visualisation - to quickly filter out false positives, reducing the burden on your security team.
Incident analysis and investigation: AI can provide data-based answers to threats, in order to quickly determine the attacker's identity, map the attack chain, and define the attack's spread and impact.
Incident response: AI can centralise and quickly orchestrate a comprehensive response that automates playbooks and includes containment, recovery, mitigation and defensive improvements, to get you back to business ASAP.
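The threat-hunting and alert-triaging items above name three ingredients (clustering, historical patterning and outlier detection) without showing how they fit together. The following is an added example, not code from the article or from any vendor it alludes to, that applies them to a small batch of alerts. The alerts, the per-rule analyst verdict history, the rule names and the thresholds are all constructed for the illustration; the outlier method is a median/MAD "modified z-score", chosen here because one extreme host cannot inflate its own baseline the way a mean and standard deviation would.

```python
"""Toy alert triage: cluster duplicate alerts, score each cluster against
historical analyst verdicts, and flag clusters that are statistical outliers
for their rule. All data below is constructed, not real telemetry."""
from collections import defaultdict
from statistics import median

# Constructed sample alerts: one record per detection fired by a rule on a host.
ALERTS = [
    {"id": 1, "rule": "port_scan", "host": "ws-01", "events": 12},
    {"id": 2, "rule": "port_scan", "host": "ws-02", "events": 11},
    {"id": 3, "rule": "port_scan", "host": "ws-03", "events": 13},
    {"id": 4, "rule": "port_scan", "host": "ws-04", "events": 12},
    {"id": 5, "rule": "port_scan", "host": "ws-05", "events": 200},
    {"id": 6, "rule": "port_scan", "host": "ws-05", "events": 180},
    {"id": 7, "rule": "admin_login", "host": "dc-01", "events": 1},
    {"id": 8, "rule": "admin_login", "host": "dc-02", "events": 1},
    {"id": 9, "rule": "admin_login", "host": "dc-03", "events": 1},
    {"id": 10, "rule": "admin_login", "host": "dc-04", "events": 1},
    {"id": 11, "rule": "admin_login", "host": "dc-05", "events": 20},
    {"id": 12, "rule": "dns_tunnel", "host": "ws-09", "events": 3},
]

# Constructed "historical patterning" input: per rule, how many past alerts
# analysts confirmed as true positives out of how many they reviewed.
HISTORY = {
    "port_scan": {"tp": 2, "total": 200},
    "admin_login": {"tp": 1, "total": 50},
    "dns_tunnel": {"tp": 15, "total": 20},
}

MAD_CONSTANT = 0.6745  # scales MAD to roughly one standard deviation on normal data
OUTLIER_Z = 3.5        # modified z-score cutoff suggested by Iglewicz and Hoaglin


def historical_fp_rate(rule, history=HISTORY):
    """Fraction of past alerts from this rule closed as false positives.
    A rule with no history gets 0.5: no evidence either way."""
    rec = history.get(rule)
    if not rec or rec["total"] == 0:
        return 0.5
    return 1.0 - rec["tp"] / rec["total"]


def cluster_alerts(alerts):
    """Merge alerts sharing (rule, host) into one cluster, summing event counts,
    so an analyst sees one item per noisy host instead of one per firing."""
    clusters = {}
    for a in alerts:
        key = (a["rule"], a["host"])
        c = clusters.setdefault(key, {"rule": a["rule"], "host": a["host"], "ids": [], "events": 0})
        c["ids"].append(a["id"])
        c["events"] += a["events"]
    return list(clusters.values())


def modified_zscores(values):
    """Robust outlier score per value from the median and the median absolute
    deviation (MAD). Returns None for every value when fewer than three points
    exist (no usable baseline). When MAD is zero (more than half the values are
    identical) any value that differs from the median is treated as an outlier,
    because for that rule any deviation at all is unusual."""
    if len(values) < 3:
        return [None] * len(values)
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:
        return [float("inf") if v != med else 0.0 for v in values]
    return [MAD_CONSTANT * (v - med) / mad for v in values]


def triage(alerts, history=HISTORY, suppress_fp_rate=0.9):
    """One decision per cluster: 'high' if anomalous for its rule (history does
    not override an anomaly), 'suppressed' if the rule is historically a
    false-positive source, 'medium' otherwise."""
    by_rule = defaultdict(list)
    for c in cluster_alerts(alerts):
        by_rule[c["rule"]].append(c)
    decisions = []
    for rule, group in by_rule.items():
        scores = modified_zscores([c["events"] for c in group])
        fp_rate = historical_fp_rate(rule, history)
        for c, z in zip(group, scores):
            if z is not None and abs(z) > OUTLIER_Z:
                priority = "high"
                reason = f"{c['events']} events is an outlier for {rule} (modified z={z:.1f})"
            elif fp_rate >= suppress_fp_rate:
                priority = "suppressed"
                reason = f"{rule} was {fp_rate:.0%} false positive historically"
            else:
                priority = "medium"
                reason = f"{rule} is only {fp_rate:.0%} false positive historically"
            decisions.append({"rule": rule, "host": c["host"], "alert_ids": c["ids"],
                              "priority": priority, "reason": reason})
    return decisions


def summarise(decisions):
    """Count decisions per priority level."""
    counts = defaultdict(int)
    for d in decisions:
        counts[d["priority"]] += 1
    return dict(counts)


if __name__ == "__main__":
    order = ("high", "medium", "suppressed")
    result = triage(ALERTS)
    for d in sorted(result, key=lambda d: order.index(d["priority"])):
        print(f"{d['priority']:<10} {d['rule']:<12} {d['host']:<6} alerts={d['alert_ids']} {d['reason']}")
    print(summarise(result))
```

On the constructed input, twelve raw alerts collapse to eleven clusters, of which two are escalated (ws-05, whose two port-scan alerts sum to far more events than its peers, and dc-05, the one domain controller whose admin-login count differs from an otherwise identical baseline), one stays at medium because the rule has a low historical false-positive rate and too few peers for a baseline, and eight are suppressed. The point the article makes still holds in the code: the suppression rule is only as good as the analyst verdicts feeding HISTORY, and the anomaly score only as good as the peer group it is computed over, so a human still has to own both.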
While these activities are impressive - and now essential - it's important to note they can only be brought to your organisation through the correct AI deployment - which is harder to get right than you might think.