Artificial intelligence no longer is the “next new thing.” AI, machine learning, deep learning and other forms of algorithmic-based, automated processes are now mainstream and on their way to being deeply integrated into a wide range of front office, back office and in-the-field operations. And we certainly have seen a lot of great examples of AI being used to spot potential cybersecurity threats and preventing their infection on an organization.
As business leaders, you have given at least some consideration to the notion that AI will completely replace your security operations center (SOC). After all, you’ve probably calculated the money it takes to run your SOC 24/7/365, and what it means when your CISO comes to an executive lunch or the board meeting and explains that we need more resources – i.e., people, technology and money – to fight new and more security threats. I can hear and feel the dollar signs spinning in your heads … because I’ve been there.
My advice to you is this: Don’t rely solely on technology to protect your organization, but assess instead how AI can help to complement your SOC.
To help you understand why you will be not able to replace your SOC with AI, let me give you a real-world lesson from the world of competitive chess.
Deep Blue’s Unorthodox Move Against Kasparov
Most of you know that in 1997, chess grandmaster Garry Kasparov played—and lost to—IBM’s famous AI machine, Deep Blue. What you may not realize is that Kasparov was winning a key game, when Deep Blue made what was then considered an unusual move, confusing Kasparov to the point where he lost his rhythm and, ultimately, the game. Deep Blue’s unorthodox move, however, was not a calculated step to trip up the chessmaster. Instead, it was later discovered that Deep Blue ran into a bug and made a random, rather than meticulously-thought-out, move.
While Deep Blue’s victory was hailed as a milestone in the evolution of AI, the “bug” influencing the outcome of the key game should be a cautionary tale in not putting all our eggs in the AI basket. In fact, sometimes you have to think and to act outside of the box (like the error in Deep Blue) and not based on predefined rules to win the game. This is true, especially when it comes to cybersecurity.
In other words, let’s not get caught up in the hype around AI and machine learning and assume that it is ready to replace our SOCs and the dedicated, resourceful and critically essential security engineers and analysts.
How Is Cybersecurity Benefiting From AI?
AI and ML have demonstrated the ability to automate many tasks previously done either by SOC personnel or earlier-generation tools. And AI is a great way to automate many decision-making processes about cybersecurity. But AI will always be limited in its ability to replace human intelligence in an area that is changing as rapidly and dramatically as cybersecurity threat identification and management.
Ask any CISO or SOC analyst across a wide range of industries and geographies, and you’ll get widespread agreement on a key challenge in implementing AI in the SOC, let alone having it replace the SOC: We often don’t know what the threat is and what its impact can be until it is actually spotted.
Consequently, often it is not possible to train a machine in advance to recognize completely unknown patterns. Machines, like humans, have found it extremely difficult to sort out the signal from the noise, the real threats from the false positives. Why do you think that we still have so many unfounded intrusions even in an era profoundly influenced by automated and algorithmic tools?
As we continue to compete as cybersecurity grandmasters, we look for ways to get ahead of the threats by tapping into the massive and still-growing public data set coming from threat intelligence services and other surveillance methods.
Analyzing recent incidents, participating in cybersecurity discussion groups, setting up honeypots or crafting red-team exercises all help and can become the training set basis for an AI-driven defense. But training our machines using this data is very difficult, and far from gap-proof.
Teaching the Machines
What machines are great at doing, of course, is recognizing patterns based on input and learning from human sources. I can teach a machine how to recognize a chair by showing it billions of pictures of different sizes, shapes and formats. But what happens to our machine learning when someone develops a completely new form of chair, like those ergonomic chairs in the form of a large rubber ball or some product of whimsy like a chair shaped like a farm animal or a piece of sporting apparatus like a baseball glove?
In those cases, the human brain is going to make the connection between this never-before-seen format and the functionality of a chair, while any machine will immediately fail to understand that you can seat on it unless it looks like a chair.
We still need our clever SOC analysts to teach the algorithms how to recognize it is a chair—just as they would teach the AI system to recognize a new piece of malware for the threat it is.
So, while AI and ML are not going to replace your SOC, those technologies are going to play an increasingly important role in automating decision processes at light-speed in such areas as:
- Network traffic analytics
- File or mail classification
- Endpoint protection
- User behavior analytics
- Source code analysis
- Application or database request analysis
- Process behavior (think of credit card fraud or other forms of identity theft)
Is Your Organization AI Ready?
Before being able to consume AI, organizations often forget to transform both cybersecurity technologies and the SOC itself. The success of AI is defined by the automation and integration level of your security controls. Technologies and tools designed to block bad network traffic, quarantine a machine, remediate a problem or roll out a patch must be available and implemented beforehand —as an automated application programming interface across an entire enterprise. The advantage of rapid decisions by AI is otherwise useless if you can’t act in an automated way.
AI is going to have an important impact on SOC analysts—but not the job-killing impact that news reports and pundits would have you believe. AI will actually enrich the role SOC analysts play by freeing them up to become data scientists and security architects. In those roles, they will focus on re-architecting core operational processes, ensuring that the right data is being collected and is of the highest quality and coming up with innovative “hunting” techniques and creative new ways to spot problems unique to individual industries, organizations or job functions. And the SOC analyst will sooner or later evolve into those roles.
So when business executives and boards start thinking about the role that AI plays in supplementing and extending—not replacing—the SOC, it’s important to understand that AI is going to reduce your risk, but also transform your SOC personnel.
Consequently, executives need to focus on AI’s ability to automate the decision processes when machines are working under the direction of SOC personnel to ensure full threat visibility, access to the full range of relevant data and the instrumentation of controls.
Finally, remember that there are new bad actors popping up all the time, and they don’t play by the rules the machines have learned and mastered. So you’d better have your own cybersecurity grandmasters at hand to ensure you can thwart the attackers as they invent new rules.
Sergej Epp is chief security officer, Central European region, for Palo Alto Networks.