Machine Learning and especially Artificial Intelligence (ML and AI respectively) have been all the rage in the last couple of years, starting to grab headlines in the past year or so. Doom, loss of jobs and cyborgs on the horizon? Or more leisure and more interesting and rewarding work?
It is hard to say. What is clear, however, is that AI is making its way into everyday usage and lives, as demonstrated e.g. by our Espoo AI case.
In security, the case is very much the same. For many years, the security industry has been building ML and AI into its security products and technologies. These give us, as cyber security defenders for our organizations, protection, detection and response capabilities that we can leverage to find threats and attacks.
Machine Learning is, and will increasingly be, a key driver for cyber defense work: detecting current anomalies and limiting the time an attacker can be inside your network. What AI brings to the table is the ability to find anomalies faster than a human, to help detect and protect against certain unknown threats, and to substantially reduce the “dwell time” of a breach, i.e. the time from when an attack succeeds to when it is found.
A great example of leveraging ML and AI usage in security technologies is in the anomaly detection tools in Next Generation endpoint solutions. This technology has been a great asset in our Security Operations Center (SOC).
Next generation endpoint solution technologies mostly use a combination of two techniques to identify unknown malware and unknown bad code. One technique identifies code “PRE-Execution”, looking at the characteristics of the code before it executes, to stop the attack before it is injected into the system.
However, sophisticated malware in most cases hides its true purpose, so the only way to know the code’s true purpose is to let it run. This is where the other function, “POST-Execution”, comes into play: it allows the code to execute in a controlled way. This way, we can let the code run to unmask what it is truly meant to do.
It is in the latter where AI is truly used. How this works is that AI traces and tracks the behavior of the code and sends its findings to a mathematical scoring algorithm to judge whether this is bad or good code. If the code is bad, the next generation endpoint solution blocks the code based on the AI’s analysis, traces back all the bad findings and “repairs” the damage it has done.
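To make the post-execution idea concrete, here is an added illustration (not code from the original post or from any endpoint product) of the three steps just described: the sandbox records what the code does as a behaviour trace, a scoring model judges the trace, and the same journal of side effects is used to plan the “repair”. Real products use trained models; a fixed table of assumed risk weights stands in for one here. The event names, weights, threshold, paths and sample traces are all constructed for this example.

```python
"""Toy post-execution behaviour scoring with a rollback journal (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Behaviours a sandboxed execution might report, with an ASSUMED risk weight.
# Individually many are benign; the verdict is on the combination.
WEIGHTS = {
    "file_write": 1,
    "registry_set_autorun": 4,
    "process_inject": 5,
    "mass_file_rename": 4,
    "network_connect": 1,
    "disable_security_tool": 5,
}
BLOCK_THRESHOLD = 8  # assumed cut-off; a trained model would learn this

@dataclass
class Event:
    kind: str
    target: str
    previous: Optional[str] = None  # prior state, journaled so the change can be undone

@dataclass
class Verdict:
    score: int
    malicious: bool
    reasons: List[str]

def score_trace(events: List[Event]) -> Verdict:
    """Judge a behaviour trace: sum the assumed weights and flag if over threshold."""
    score = 0
    reasons = []
    for ev in events:
        w = WEIGHTS.get(ev.kind, 0)
        if w:
            score += w
            reasons.append(f"{ev.kind}:{ev.target}")
    return Verdict(score=score, malicious=score >= BLOCK_THRESHOLD, reasons=reasons)

def rollback_plan(events: List[Event]) -> List[Tuple[str, str, Optional[str]]]:
    """Walk the journal in reverse and list the undo step for each persistent side effect."""
    plan = []
    for ev in reversed(events):
        if ev.kind == "file_write":
            plan.append(("restore" if ev.previous is not None else "delete", ev.target, ev.previous))
        elif ev.kind == "registry_set_autorun":
            plan.append(("restore_registry" if ev.previous is not None else "delete_registry",
                         ev.target, ev.previous))
        elif ev.kind == "mass_file_rename":
            plan.append(("rename_back", ev.target, ev.previous))
        elif ev.kind == "disable_security_tool":
            plan.append(("re_enable", ev.target, None))
        # process_inject / network_connect leave nothing on disk to undo; a block
        # verdict is handled by terminating the process, which the caller does.
    return plan

# Constructed sample traces (not real telemetry).
BENIGN_TRACE = [
    Event("file_write", "C:/Users/alice/Documents/report.docx", previous=None),
    Event("network_connect", "update.example.test:443"),
]
SUSPICIOUS_TRACE = [
    Event("file_write", "C:/Users/alice/AppData/x.tmp", previous=None),
    Event("registry_set_autorun", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/x", previous=None),
    Event("disable_security_tool", "endpoint-av"),
    Event("mass_file_rename", "C:/Users/alice/Documents", previous="*.docx"),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)):
        v = score_trace(trace)
        print(name, v.score, "BLOCK" if v.malicious else "ALLOW", v.reasons)
        if v.malicious:
            for step in rollback_plan(trace):
                print("  undo:", step)
```

The benign trace scores 2 and is allowed; the suspicious one scores 14, is blocked, and the journal yields four undo steps in reverse order of the changes. The design point is that the journal serves two purposes: it is the input to the verdict and the record that makes repair possible, which is why the sandbox must capture prior state, not just the action.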
Of course, this is one side of the coin. The other, more unfortunate, side is that what we security experts have, the black hat guys have as well. As with all other technologies, attackers use AI and ML to track, crack, monitor and act on the attacks and malware that go undetected. As we noted in our first blog post of the year, AI and ML are a big hit on the dark side. There is already evidence from last year of AI being used in malware.
With ML and AI, then, the situation in security versus attackers remains the same as it has ever been: a constant and asymmetrical battle in the cyberworld, where attackers and defenders are engaged in a never-ending game of one-upmanship.
This said, however, I would say that AI and ML have a lot to offer to the realm of cybersecurity. Organizations that do not invest in these types of technologies to protect themselves will fall far behind in the security space. As security experts we believe that success in security is adaptation. Today this means AI and ML, and this will be a key factor in keeping up with the rapidly moving security space.
Instead of doom and gloom, ML and AI have already brought a new set of tools to security – and we have barely scratched the surface here. What one must remember is that ML and AI will be neither the doomsday machine nor the silver bullet that solves all of today’s and tomorrow’s security challenges.
As the man says, eternal vigilance is the price of liberty. With ML and AI, man and machine are working together for this end.
Lead Cybersecurity Architect and Evangelist