You likely have noticed how prevalent artificial intelligence (AI) and related terms such as machine learning, neural networks, and big data analytics have become in the cybersecurity world over the last several years. Doesn’t it make sense for the security industry to be searching for the next big thing, given the distressing rate of incidents and breaches the world is currently experiencing? Maybe you - like me - have gone to big security events like the RSA Conference or Black Hat and come away confused as to how these analytic concepts relate to the everyday job of keeping an organization safe. What is the proper role of AI in cybersecurity, and when will it assume that role in force?
One way to answer that question is to figure out where AI in cybersecurity sits in its technology adoption lifecycle. And probably the best-known technology adoption lifecycle framework in the IT and security industry is Gartner’s Hype Cycle. Where do you think AI in cybersecurity is on this framework? I will give you my opinion at the end of this blog.
Figure 1 – Graphic of Gartner’s Hype Cycle
Enterprises Don’t Consistently Apply Security Basics
A fact to keep in mind when considering the next big thing in security: many enterprises still don’t consistently apply security basics and best practices - regular patching, multi-factor authentication, security awareness training, email phishing protection, and regular system backups - in their security programs. How important is the next big thing when the current basic things aren’t well implemented?
Let me very briefly define AI. My colleague Herb Roitblat, one of Mimecast’s resident data scientists, defines it as “a form of computerized problem solving with the means to solve a problem, but without the rules to do it.” Herb also often retorts, “If you can write the rules down to solve the problem, do it! If you can’t, consider AI.”
And as Dr. Jim Davis, Professor of Computer Science and Engineering at Ohio State University explained, “Modern machine learning is data-driven and with the data you can do auto-discovery of categories and classification, such as types of malicious or unwanted emails.”
Using AI to Differentiate Between Good and Bad
Are AI algorithms smarter than your average security researcher? Not even close. But with certain tasks they can be cheaper, better, and faster than traditional analytic techniques and manual processes. As Herb explains, “AI replaces people performing specific tasks. It does not replace people doing jobs.” And this is what drives the allure of AI in cybersecurity. Like no other industry, we need faster, better, cheaper, and less people-dependent ways to get through the tidal waves of security-relevant data, particularly from the perspective of a cloud-based security provider that has so much data to get through.
To give a sense of the massive amount of data that can be in play, at Mimecast, we process hundreds of billions of emails every few months, roughly 50% of which are bad or unwanted. The trick, of course, is to find and block the bad and unwanted emails quickly, while not blocking the legitimate ones. In some cases we can write explicit rules that differentiate between good and bad; in other cases, it is very challenging. But we certainly have the data to give AI a serious go.
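To make the rules-versus-learning distinction concrete, here is a minimal sketch of a data-driven classifier: a tiny multinomial Naive Bayes model written from scratch. Everything in it - the toy training data, the function names, and the choice of Naive Bayes itself - is my own illustrative assumption, not a description of Mimecast’s production systems, which use far richer features and models.

```python
import math
from collections import Counter

def train_nb(messages):
    """Train a tiny multinomial Naive Bayes model from (text, label) pairs,
    where label is "bad" or "good". The model learns word statistics from
    data instead of relying on hand-written rules."""
    word_counts = {"bad": Counter(), "good": Counter()}
    label_counts = Counter()
    for text, label in messages:
        label_counts[label] += 1
        word_counts[label].update(text.lower().split())
    vocab = set(word_counts["bad"]) | set(word_counts["good"])
    return word_counts, label_counts, vocab

def classify(model, text):
    """Return the more likely label for a message under the trained model,
    using add-one (Laplace) smoothing for words unseen in training."""
    word_counts, label_counts, vocab = model
    total = sum(label_counts.values())
    best_label, best_score = None, float("-inf")
    for label in label_counts:
        score = math.log(label_counts[label] / total)  # log prior
        n_words = sum(word_counts[label].values())
        for word in text.lower().split():
            # smoothed log likelihood of each word given the label
            score += math.log((word_counts[label][word] + 1) / (n_words + len(vocab)))
        if score > best_score:
            best_label, best_score = label, score
    return best_label

# Toy training data standing in for a labeled email corpus
training = [
    ("claim your free prize now", "bad"),
    ("urgent wire transfer required", "bad"),
    ("free gift card click now", "bad"),
    ("meeting agenda for tuesday", "good"),
    ("quarterly report attached", "good"),
    ("lunch plans this week", "good"),
]
model = train_nb(training)
print(classify(model, "free prize waiting click now"))      # -> "bad"
print(classify(model, "agenda for the quarterly meeting"))  # -> "good"
```

The point of the sketch is that no human wrote a rule saying “free” plus “click” means spam; the model learned those word statistics from labeled examples, which is exactly the kind of problem Herb’s heuristic assigns to AI.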
Examples of Artificial Intelligence at Mimecast
One straightforward way for me to assess where AI in cybersecurity is on the Hype Cycle in general is to look at its use inside Mimecast. Is it delivering value in our part of the security domain? Digging into how AI is used at Mimecast - listed below - it is interesting to note how applicable AI techniques are to specific aspects of the email and web security problem spaces. But note how relatively narrowly scoped the problems are, implying that AI techniques are an excellent complement, but in no way a replacement for more traditional analytic and detection techniques. What follows is a sample of AI-related implementations and projects at Mimecast:
- Image checking and filtering - Deep learning is used to identify not-safe-for-work and other images, such as logos, to improve filtering and phishing detection.
- Detecting outbound attacks in customers’ email - Machine learning models are used to detect anomalous and potentially risky patterns in sending email frequency, indicating the use of an organization’s email for outbound attacks.
- Malicious URL detection - Using URL structure and content to contribute to the detection of malicious URLs.
- Detecting the leakage of private information - Finite automata are used to identify private information which can be germane under GDPR or other privacy regulations.
- Website categorization - Supervised learning is used to categorize websites, to detect high-risk sites and enforce policy. Useful for both email and web security controls which use site categorization as part of policy-based decisioning.
- Detection of spam - Neural networks are used to help identify spam and other forms of unwanted, but non-malicious emails.
- DNS-based data exfiltration - Use of AI to detect the malicious use of external DNS calls by malware to sneakily exfiltrate data.
- Identifying and categorizing customer-reported phishing emails - Pre-sorting and categorizing emails submitted by customers to improve the efficiency of the Mimecast SOC. The Mimecast SOC staff is tasked with continuously curating the Mimecast service to improve detection, and analyzing customer-submitted emails is part of this.
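The DNS-based data exfiltration item in the list above can be illustrated with a commonly used heuristic feature: the Shannon entropy of DNS query labels. Encoded payloads smuggled through DNS queries tend to look random, so their labels score higher than ordinary hostnames. This is a generic sketch under my own assumptions - the function names, thresholds, and the idea of fixed cutoffs are illustrative; a real detector would feed features like these into a trained model.

```python
import math
from collections import Counter

def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_exfiltration(fqdn, entropy_threshold=3.5, length_threshold=30):
    """Crude two-feature check on the leftmost label of a query name:
    unusually long and unusually random-looking labels are suspicious.
    The thresholds here are illustrative, not tuned production values."""
    label = fqdn.split(".")[0]
    return len(label) >= length_threshold and label_entropy(label) >= entropy_threshold

print(looks_like_exfiltration("www.example.com"))  # False: short, low entropy
print(looks_like_exfiltration(
    "4a7d1ed414474e4033ac29ccb8653d9b2f31c1e9a8.evil-tunnel.net"))  # True
```

Even this toy version shows why the problem suits machine learning: the boundary between “random-looking but legitimate” and “encoded payload” is fuzzy, and fixed thresholds inevitably misfire on some legitimate infrastructure names.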
Best Practices for Artificial Intelligence in Cybersecurity
To answer the question in the introduction, where is AI in cybersecurity on the technology adoption or Hype Cycle? If you had asked me a few years ago, particularly right after attending the annual RSA Conference, I would have said it was at the Peak of Inflated Expectations, as there was lots of chatter but not much substance behind the security use cases presented and demonstrated. But I think now, given the practical applications coming out of Mimecast and other companies, we are in the early stages of the Slope of Enlightenment. AI in its multiple forms is finding its rightful place as a valuable analytic technique in the overall security technology toolbox.
Now to the question, what type of organization is best positioned to leverage AI for security: enterprises, or security vendors? For the majority of enterprises, it doesn’t make sense to invest directly in AI and the teams of experts necessary to make it work for the security of a single enterprise. You need very deep pockets and lots of data to make this work! Most enterprises lack the data and resources to do AI well and should be focusing on perfecting and operationalizing the security basics I mentioned above.
By contrast, cloud security vendors have access to the data and the experts, and they also have the scale, scope, and financial resources to put AI techniques to work on behalf of their broad customer bases. So, as you move your security controls to the cloud, consider how your prospective vendors are applying AI to provide a better and more efficient service.
The Bottom Line
As Professor Davis said, “Who are the giants in AI? Those with the data! If you have nearly infinite data, AI is your realm.” Given the amount of data cloud security providers have and the number of use cases that are well suited to AI, I think AI in cybersecurity will be moving up the Slope of Enlightenment even more rapidly over the next few years. But just in case you were expecting an easy solution to a hard problem, as Herb says, “AI is mostly just good engineering.”