Chapter 2. Understanding AI, ML, and Automation

Prior to discussing the ways in which you can use ML and AI to help your defenders better protect your organization, let’s step back and define the terms. There is a lot of confusion around the definition of ML and AI and how the technologies interact with each other. In addition to defining these terms, no discussion of ML and AI is complete if it doesn’t touch on automation. One of the overarching goals of both ML and AI is to reliably automate the process of identifying patterns and connections. In addition, and specifically to security, ML and AI allow security teams to reliably automate mundane tasks, freeing analysts to focus on their core mission, as opposed to spending their days chasing false positives.

AI and ML

Although many people in the industry have a tendency to use the terms AI and ML interchangeably, they are not the same thing. AI is defined as the theory and development of computer systems that are able to perform tasks that normally require human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages. With AI, machines demonstrate “intelligence” (some call this the “simulation of an intelligent behavior”), in contrast to the natural intelligence displayed by humans. The term is applied when a machine mimics cognitive functions that humans associate with other human minds, such as learning and problem solving.

Machine learning is an application of AI that provides systems with the ability to automatically learn and improve from experience without being explicitly programmed. ML focuses on the development of computer programs that can access data and use it to learn for themselves. The more machines are trained, the “smarter” they become, as long as the training material is valuable for the tasks that the machines are supposed to focus on. In the current defense landscape, ML is more established and, therefore, more likely to be used defensively as compared to AI. With ML, humans—generally analysts in the case of security—are responsible for training the machine, and the machine is capable of learning with the help of humans as feedback systems.

Curt Aubley of CrowdStrike proposed that one way to distinguish between the two types of technologies is that AI is like the Terminators from the movie series of the same name, whereas Iron Man’s suit is an example of ML. The terminators are completely autonomous and can adapt to the situation around them as it changes. The Iron Man suit is constantly giving Tony Stark feedback as well as accepting new inputs from him.

A more realistic example that provides a better understanding of the differences between AI and ML is one of the most common uses of the two combined capabilities: monitoring for credit card fraud. Credit card companies monitor billions of transactions each day, looking for potential fraudulent transactions. The algorithms need to account for millions of factors. Some rules are obvious: a credit card that is physically swiped in New York City cannot be physically swiped in Singapore five minutes later. But other factors are not as obvious. For example, when a card that is regularly used to buy clothes at a retailer such as Target or Kohl’s is suddenly used to buy clothes at Gucci, it might raise a red flag. But it is not immediately clear whether that is fraudulent activity or just someone buying clothes for a special occasion. No human can possibly account for all the different ways that fraudulent transactions can manifest themselves, so the algorithms must consider any anomalous transactions. This is where AI is part of the process. The ML part of the process involves combing through those billions of transactions each day, discovering new patterns that indicate fraud and adjusting the AI algorithms to account for the new information.
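The obvious rule in this example (a card swiped in New York City cannot be swiped in Singapore five minutes later) can be expressed as a speed check between consecutive card-present swipes. The code below is an added example, not taken from the book; the record fields, the constructed sample swipes and the 1,000 km/h threshold are assumptions.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 1000.0  # assumed threshold: faster than a commercial airliner

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(swipes):
    """Flag consecutive swipes of one card that imply an implausible travel speed."""
    flagged, last_seen = [], {}
    for s in sorted(swipes, key=lambda s: s["time"]):
        prev = last_seen.get(s["card"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], s["lat"], s["lon"])
            hours = (s["time"] - prev["time"]).total_seconds() / 3600
            # Two swipes at the same instant in different places count as infinite speed.
            speed = km / hours if hours > 0 else (math.inf if km > 1 else 0.0)
            if speed > MAX_SPEED_KMH:
                flagged.append((s["card"], prev["city"], s["city"], round(km)))
        last_seen[s["card"]] = s
    return flagged

# Constructed sample swipes (hypothetical card IDs, approximate city coordinates).
SWIPES = [
    {"card": "card-A", "city": "New York City", "lat": 40.7128, "lon": -74.0060,
     "time": datetime(2024, 1, 1, 12, 0)},
    {"card": "card-A", "city": "Singapore", "lat": 1.3521, "lon": 103.8198,
     "time": datetime(2024, 1, 1, 12, 5)},
    {"card": "card-B", "city": "New York City", "lat": 40.7128, "lon": -74.0060,
     "time": datetime(2024, 1, 1, 9, 0)},
    {"card": "card-B", "city": "Newark", "lat": 40.7357, "lon": -74.1724,
     "time": datetime(2024, 1, 1, 10, 0)},
]

if __name__ == "__main__":
    for hit in impossible_travel(SWIPES):
        print(hit)
```

Only card-A is flagged; card-B's short hop across the river in an hour stays well under the threshold.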

ML and AI do not always need to work together; some systems take advantage of one technology or the other, but not both. In addition, most of the time both AI and ML are invisible to the end user. Modern security information and event managers (SIEMs) use ML to search through hundreds of millions of log events to build alerts, but the security operations center (SOC) analyst sees only the alerts. Similarly, Facebook and Google use AI to help automatically identify and tag users in pictures millions of times each day. The technology is invisible to the user; they just know that when they upload a picture, all of their friends are automatically tagged in it.

Automation

Automation is simply defined as the technique, method, or system of operating or controlling a process by highly automatic means, reducing human intervention to a minimum. Automation is really just manual rules and processes repeated automatically, but nothing is learned, as in the case with ML and AI. Automation is often the end result of AI and ML systems within an organization. For instance, an organization might use AI and ML to identify suspicious activity and then use automation to automatically provide alerts on that activity, or even take action to stop it. In other words, automation might be the visible result of AI and ML systems.

Automation driven by AI and ML backend systems is one of the biggest growth areas in cybersecurity. Although it has become somewhat cliché to say that security teams are overwhelmed by alerts, it is true. Automation, especially through orchestration platforms, allows security teams to have the orchestration system automatically perform mundane or repetitive tasks that have a low false-positive rate. This, in turn, frees security teams to work on the more complex alerts, which is a priority as cyberthreats escalate in speed and intensity.

Challenges in Adopting AI and ML

It should be noted that, as powerful as AI and ML are, they are not without their downsides. Any organization that’s serious about incorporating AI and ML into its security program should consider some of the potential pitfalls and be prepared to address them.

One of the biggest challenges that your organization might face when embarking on the AI and ML journey is the challenge of collecting data to feed into AI and ML systems. Security vendors have become a lot better over the past few years at creating open systems that communicate well with one another, but not all vendors play nice with all of the other vendors in the sandbox.

From a practical perspective, this means that your team will often struggle to get data from one system into another system, or even to extract the necessary data at all. Building out new AI and ML systems requires a lot of planning and might require some arm-twisting of vendors to ensure that they will play nice.

Even when different security vendors are willing to talk to one another, they sometimes don’t speak the same language. Some tools might output data only in Syslog format, whereas others output in XML or JSON. Whatever AI and ML system your organization adopts must be able to ingest the data in whatever format it is presented and understand its structure so that it can be parsed and correlated against other data types being ingested by the AI and ML system.
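A sketch of that ingestion step: three tools report in Syslog, JSON and XML, each record is parsed into one common structure, and the normalized events are then correlated by IP address. This is an added example, not code from the book; the sample records, field names and the common schema are constructed assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample records, one per tool, each in that tool's native format.
SYSLOG_EVT = "<134>Jan 12 10:15:02 fw01 drop: src=203.0.113.7 dst=10.0.0.5 dport=22"
JSON_EVT = ('{"ts": "2024-01-12T10:15:09Z", "sensor": "edr01", '
            '"remote_ip": "203.0.113.7", "action": "ssh_login_failed"}')
XML_EVT = ('<event time="2024-01-12T10:16:30Z"><host>proxy01</host>'
           '<client>198.51.100.9</client><verdict>allowed</verdict></event>')

def from_syslog(line):
    m = re.match(r"<\d+>(\w{3}\s+\d+ [\d:]+) (\S+) (\w+): (.*)", line)
    if not m:
        raise ValueError("unrecognised syslog line")
    kv = dict(pair.split("=", 1) for pair in m.group(4).split())
    return {"time": m.group(1), "source": m.group(2), "ip": kv["src"], "action": m.group(3)}

def from_json(text):
    d = json.loads(text)
    return {"time": d["ts"], "source": d["sensor"], "ip": d["remote_ip"], "action": d["action"]}

def from_xml(text):
    # Fine for this constructed sample; for untrusted feeds use a hardened
    # parser such as defusedxml to avoid entity-expansion attacks.
    e = ET.fromstring(text)
    return {"time": e.get("time"), "source": e.findtext("host"),
            "ip": e.findtext("client"), "action": e.findtext("verdict")}

def normalize(raw):
    """Choose a parser from the record's leading characters; timestamps stay as strings."""
    raw = raw.strip()
    if raw.startswith("{"):
        return from_json(raw)
    if re.match(r"<\d+>", raw):      # syslog priority header, e.g. <134>
        return from_syslog(raw)
    if raw.startswith("<"):
        return from_xml(raw)
    raise ValueError("unknown log format")

def correlate(raw_events):
    """Return IPs reported by more than one tool, with the tools that saw them."""
    seen_by = defaultdict(set)
    for raw in raw_events:
        evt = normalize(raw)
        seen_by[evt["ip"]].add(evt["source"])
    return {ip: sorted(src) for ip, src in seen_by.items() if len(src) > 1}
```

Without the common structure, the firewall drop and the endpoint login failure for the same address would sit in separate tools and never be linked.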

Even when the systems talk to one another, there are often organizational politics that come into play. This happens at organizations of any size, but it can be especially common in large organizations. Simply put, you, as the security leader, need input from specific systems, but the owners of those systems don’t want to share it. Irrespective of whether their reasons are valid, getting the necessary data can be as much of a political challenge as it is a technical one. That is why any AI and machine learning initiatives within your organization need to have senior executive or board sponsorship. This helps to ensure that any reluctance to share will be addressed at a high level and encourages more cooperation between departments.

Finally, let’s address something that was touched on briefly earlier in this chapter: AI and ML systems require a lot of maintenance, at least initially. Not only do you need to feed the right data into these systems, but there needs to be a continuous curation of the data in the system to help it learn what your organization considers good output and bad output. In other words, your analyst team must help train the AI and ML systems to better understand the kind of results the analysts are looking for.

These caveats aren’t meant to scare anyone away from adopting AI and ML solutions; in fact, for most organizations the adoption is inevitable. However, it is important to note some of the potential challenges and be prepared to deal with them.

The Way Forward

Most security professionals agree that first-generation and even next-generation security technologies cannot keep pace with the scale of attacks targeting their organizations. What’s more, cyberattackers are proving these traditional defenses and legacy approaches are not solving the problem. Today, attackers seem to have the upper hand as demonstrated by the sheer number of successful breaches. Traditional endpoint security can’t keep up with sophisticated attack techniques, while outdated edge defenses are being rendered ineffective by the sheer volume of alerts. This leaves many security teams forced to play “whack-a-mole” security, jumping from one threat to the next without ever truly solving the problem.

The following analogy offers a way to move forward with a clear understanding of the relationship between AI, ML, and human activity. Many who’ve had a chance to visit a military airshow are amazed at the technologies on display. Attendees can usually observe firsthand an array of fighter jets with tons of airpower, attack helicopters with astonishing features, and bombers with stealth capabilities. But is the technology sitting on that airfield (or flying over your head) all that is needed to win a battle? The answer is no. These magnificent technologies on their own are nothing more than metal, plastic, and glass. What makes these technologies effective is the highly skilled humans who operate these fighting machines, and the intelligent computer systems that reside within them.

Most people don’t realize that when a pilot is flying an aircraft cruising at nearly Mach 2, that pilot really does not have direct control of the “stick”; a computer does. The reason is that humans often react too quickly or radically when in danger. If the pilot pulls too hard on the control stick in a plane, it could be disastrous. So, the computer running the aircraft actually compensates for this and ensures that the pilot’s moves on the stick do not put the plane in danger.

As you might observe, there is a synergy occurring in many of these aircraft. The human-computer synergy is quite apparent. It not only keeps the aircraft safe, it also keeps the human in check. In this case, the computer compensates for the potential human error caused by the pilot.

Turning back to this security discussion, it is clear that as a new generation of security technologies comes to market, a slightly different human–computer collaboration will become even more apparent.

Security technologies using AI and ML are a reality today. However, these advances are not designed to eliminate humans from the equation. It’s actually the opposite. They’re designed to equip the human with the tools that they need to better defend their organizations against cybercrime. However, misunderstandings are prevalent surrounding AI and what it actually is.

Some people believe AI will lead to an end-of-the-world scenario as in the previously referenced movie The Terminator. Great for headlines—however that’s not what AI is all about. Others believe AI-enabled security technology is designed to be “set it and forget it,” replacing the skilled human operator with some sort of robot, which is not the case, either.

When implemented correctly, AI and ML can be a force multiplier. The goal is to teach a cybersecurity technology to automate and reduce false positives, and do it all much faster than humans could ever hope to. ML in cybersecurity uses the concept of creating models that often contain a large number of good and malicious pieces of data. These could be real-time pieces of data or data that was captured and stored from known samples. As an ML engine runs a model, it makes assumptions about what is good data, what is malicious data, and what is still clearly unknown.

After the ML engine has finished running a model, the results are captured. When a human interprets the results, the human then begins to “train the ML engine,” telling it what assumptions were correct, what mistakes were made, and what still needs to be rerun.
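The loop described in the last two paragraphs, as an added example that is not from the book: a model sorts alerts into good, malicious and unknown, and an analyst's labels correct it. A simple perceptron-style weight update stands in for a real ML engine; the feature names, alerts and margin are constructed assumptions.

```python
class TriageModel:
    """Perceptron-style scorer with three verdicts: good, malicious, unknown."""

    def __init__(self, margin=2):
        self.weights = {}      # feature -> integer weight learned from analyst feedback
        self.margin = margin   # assumed confidence margin around zero

    def score(self, features):
        return sum(self.weights.get(f, 0) for f in features)

    def verdict(self, features):
        s = self.score(features)
        if s >= self.margin:
            return "malicious"
        if s <= -self.margin:
            return "good"
        return "unknown"       # not enough evidence either way

    def feedback(self, features, analyst_label):
        """Apply an analyst's label; weights change only if the model was wrong or unsure."""
        if self.verdict(features) == analyst_label:
            return False
        step = 1 if analyst_label == "malicious" else -1
        for f in features:
            self.weights[f] = self.weights.get(f, 0) + step
        return True

# Constructed alerts, each reduced to a set of hypothetical feature names.
ALERTS = {
    "a1": {"powershell", "encoded_cmd", "office_parent"},
    "a2": {"powershell", "signed_binary", "it_admin_host"},
    "a3": {"encoded_cmd", "office_parent", "new_domain"},
    "a4": {"powershell", "new_domain"},
}

def run_demo():
    """Score all alerts, take analyst labels for a1 and a2, then score again."""
    model = TriageModel()
    before = {name: model.verdict(f) for name, f in ALERTS.items()}
    model.feedback(ALERTS["a1"], "malicious")
    model.feedback(ALERTS["a2"], "good")
    after = {name: model.verdict(f) for name, f in ALERTS.items()}
    return before, after

if __name__ == "__main__":
    print(run_demo())
```

After two labels the model classifies the unlabeled alert a3 on its own, while a4 stays unknown and goes back to the analyst.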

With the distinction between the roles and interplay of AI, ML, and essential human involvement clearly defined, we can move on to the next chapter to discuss some of the practical applications of these technologies in security.
