Managed Detection and Response, SOC-as-a-Service
Narayan Makaram

Debunking Cybersecurity Myths: Part V— Don’t Rely on AI and ML Alone

The last article in our Cybersecurity Mythbusters series busted the myth that cyber-risk is simply a “big business” problem, and small businesses have nothing to worry about.

This brings us to:

Myth #5 – AI and ML are Enough – We Don’t Need Humans for Cybersecurity!

How tired are you of buzzwords like artificial intelligence (AI) and machine learning (ML) being sprinkled like pixie dust in cybersecurity product collateral? Have you ever wondered if such technologies truly help your IT team detect advanced threats more accurately and, thus, simplify your life? Faced with the cybersecurity skills shortage, IT organizations would like to believe that these technologies are a panacea for today’s threats, and that they won’t have to hire skilled professionals to operate them. Wrong!

The growing list of high-profile data breaches shows that cybercriminals find ways to bypass sophisticated products with built-in AI and ML. Hackers can easily evade the many technology obstacles and directly target human users, who are susceptible to phishing attacks and provide a legitimate invitation through the front door. What’s worse, hackers themselves use machine learning to carry out these nefarious attacks by repackaging malware to bypass detection mechanisms used by these products.

Here are some AI and ML fundamentals that you should know before you question security vendors on how their products address your challenges.

Basic AI and ML Terminology

  • Artificial Intelligence –the science (concept) of making things “smart” like humans, such as voice recognition through natural language processing, or edge detection for your robotic vacuum cleaner.
  • Machine Learning –an approach (one of many) to implement AI that feeds data through ongoing experiences to train the system and “learn” to differentiate good from bad. Most cybersecurity products use ML to detect known and unknown cyberattacks.

There are two types of ML techniques used in cybersecurity technologies:

Supervised ML: Detection based on a significant amount of “known/labeled” threat data, which helps classify threats more accurately. A good analogy is predicting the predisposition of a disease like diabetes in a new set of patients, using parameters like height, weight, age, and blood sugar levels associated with “known” diabetes patients.

Unsupervised ML: Detection based on anomalous patterns automatically extracted from unlabeled log data, where threat parameters aren’t established. This can lead to a heavy load of false-positives and alerts, resulting in alert fatigue and operational inefficiencies. It is analogous to identifying a new strain of virus (similar to a zero-day attack), where the causes of the disease are not yet known.

Uncovering the Truth About ML in Cybersecurity Products

Here are the top three questions any company evaluating technologies should ask their cybersecurity vendor/provider to see if its machine learning can eliminate the need for expert humans in the loop who manage these sophisticated products:

Does the product need ongoing policy/rules configuration after initial setup?

If the answer is yes, then you will still need the same number of cybersecurity experts on your staff and can’t rely exclusively on the AI/ML built into such products.

How exactly does the product use machine learning to detect cyberattacks?

For instance, learn how the product uses machine learning to detect specific attack types (i.e. ransomware) to reduce false positives and improve accuracy.

How often does your model need updating?

Signature-based ML models will age and stop performing with time as hackers learn to circumvent them. Such models need to be updated on a daily basis.

Hybrid-AI – Harnessing the Potential of AI and ML

Like any advanced technology, both supervised and unsupervised ML are not something that can be set once and forgotten. Cybercriminals constantly morph malware code and improvise new malware delivery mechanisms to bypass existing cyber defenses that rely exclusively on ML. What’s more, machine learning must be human-assisted to filter out the false positives found in pure ML techniques.

With Hybrid-AI, a cybersecurity expert can use supervised ML with threat intelligence feeds to automatically catch well-known malware strains. For the new strains, the security expert can use unsupervised ML, and discover new strains of malware through behavior analytics.

That’s why Arctic Wolf’s industry-leading security operations center (SOC)-as-a-service is anchored by a Concierge Security™ team, who leverage the machine learning built into the AWN CyberSOC™ service, and apply their cybersecurity expertise to accurately detect and respond to cyberattacks. Find out more by clicking on the banner below:

AWN_HYBRID_AI_CTA_BANNER