PART 3 of 3
Artificial Intelligence is finding many uses in problem solving and pattern recognition. AI can help diagnose a medical problem, and it can help determine if an email attachment has been infected with a zero-day virus. AI can tell if a network is safe or under attack, and it might even be able to predict the next move of the attackers.
In this 3rd part of the article series, we’ll discuss how you can tell if an AI solution is real, and what it does – and that means going beyond the marketing materials. For a backgrounder on AI in cybersecurity, see “It’s a Marketing Mess! Artificial Intelligence vs Machine Learning,” and then “TBD.”
One of the security industry’s experts on AI is Scott Scheferman, Director of Consulting for Cylance. Let’s start by seeing what he says about artificial intelligence as a general solution to today’s problems:
“InfoSec aside for a moment, my favorite problem space that machine intelligence is being applied towards is further research into sensorimotor inference, and how it actually works, such that eventually androids will be able to move much like humans, using similar brain processes to do so, but via machine intelligence instead of the brain. It’s basically asking machines to be able to learn what a Monster Drink is by running its fingers over it, and understanding it in the context of time and space and other sensory inputs. This also has implications in the prosthetics area such that machines might interpret brain signals in order to move a mechanical prosthetic through space in the same way the patient might have moved their own appendage prior.”
Once you have processed the sensorimotor inferences and mechanical appendages, let’s come back to the main topic at hand here – InfoSec. Scheferman offers a guide for thinking about AI-related technologies like machine learning, at least as they are marketed and promoted by cybersecurity companies:
Learn to evaluate and test these solutions for yourself, in your own environment.
Press your vendor for actual use case examples of why, how, and why ML/AI (Machine Learning and Artificial Intelligence) is used to solve a problem that either couldn’t be solved before, or couldn’t be solved as quickly or accurately as before. Have them demonstrate this feature/use-case.
A true sign of ML/AI being implemented properly and effectively by a vendor is whether the same security function can be thus achieved for exponentially less cost, resources and time with at least the same or better efficacy and reduction in security risk to the organization.
Simple measure of any ML/AI system: Is it Predictive? Yes? Then prove it.
A way to do that proof: Grab the most recent SHA256 hashes from the most recent APT report (say, Sauron/Strider: which was discovered in early August this year), and then see if those same files would have been blocked PRIOR to the date the Sauron/Strider report was released. This is the difference between the industry terms “Prevention” and “Prediction.” Even legacy signature-based A/V’s are still “prevention” if they have a matching file or heuristic/behavioral signature. But that is not Predictive, in that it cannot prevent what it has never seen.
Scheferman explains that the ultimate expression of whether an AI system is optimized, is whether it yields sufficient confidence to allow a prediction to translate into an autonomous, real-time decision the machine can make independently of any humans. Contrast that with the heavy work load that traditional antivirus requires: thousands of analysts performing semi-automated analysis of hundreds of thousands of files, and spinning up thousands of virtual sandboxes to assist in that process.
Meanwhile, AI is able to predict, identify, classify, and prevent execution of seven files in the time it takes one of those humans to blink their eye, while using ~1/10th of the CPU required by the legacy antivirus we’ve been relying on for decades.
Final Words of Caution
During the recent Structure Security event at the Presidio’s Golden Gate Club in San Francisco, Alex Doll, Founder and Managing Member of Ten Eleven Ventures, advised the attendees to “be careful of the terms machine learning and artificial intelligence; they're being overused and used interchangeably.”
The bottom line on AI-based technologies in the security world: Whether it’s called machine learning or some flavor of analytics, look beyond the terminology – and the oooh, ahhh hype of artificial intelligence – to see what the technology does. As the saying goes, pay for the steak – not the artificial intelligent marketing sizzle.
Now that you've read parts 1, 2, and 3, perhaps you'd like to subscribe to our newsletter to continue getting more articles about security technologies and how they fit into and/or impact society? To reward you, we'll also give you access to this three-part series as a single article - it will be much easier to bookmark that way!