Is AI/ML a game-changer for security, or overhyped?
Jeff, I agree with you. I think first of all, data is just too fluid at this point. I was on a call with SOC leaders and we were talking about next generation SOAR. What is that really going to get us?
I definitely agree with you, Jeff, that you are renting someone else's server. I have been raising a red flag within electronics manufacturing to secure the hardware. I've been wanting to get the electronics manufacturers industry to start securing the device. Whatever they're making, it should be secured in manufacturing. No disrespect to anybody in software, but sometimes, there's only certain things that you can't do in hardware that you need software for, and hardware is more difficult to hack. If you can build it embedded, you're ahead of the game.
I think we need to get to the place where we are actually taking cyber threats more seriously at the board level, where they don't question the investment to complete a lifecycle migration. Then we can just be done with it rather than spoon-feeding the migration, which then keeps you from being able to defend at the same rate. When we look at the Solar Winds attack, it wasn't necessarily that they leveraged a vulnerability which was embedded in code. It was the fact that they were able to go undetected for so long and mimic traffic that our security tools are designed to detect. I think we have to be able to free ourselves, to move at the speed of the actors, and have that singular focus to really start to win this battle. AI and machine learning are very important to do that, but they have to learn my network faster. I can't take like a year and a half for it to learn my network.
If the AI isn't getting to know your network, is it bad AI or is it that your network isn't generating enough information to create a useful model? To create a set of patterns of normal activity.
I wholly agree that AI needs to be faster at learning the intricacies of individual environments. Time-to-value is one of the biggest barriers of acceptance for AI being necessary within an organization. I also agree that much of the issue resides in the lack of meaningful input to feed the AI engine. Without external influene and integrations as well as "care and feeding", many times ROI doesn't start until 6 months and true value at a year or so (if ever without the right inputs). But is that so different than a human in the same role? There is a reason why skilled cyber-pros are hard to come by. They have years of experience to lean on. They can use information from past events and from their peers and they can use their intuition to correlate seemingly non-similar data. Dare I say that AI and ML are under-hyped in their ability to help organizations cut through the noise, expedite response time, and augment the human element today but over-hyped when it comes to being the "silver bullet" of tomorrow?
To wit, if a model is trained to pick up a pronoun in the wrong context, that's a very simple way for an AI to start breaking down NLP or other kinds of capabilities, whether it's email or content or something outside of a structured environment, and use it. That's just one example. In manufacturing, it's 10 times that, because you have sensors and actuators and PLCs and all sorts of equipment. In that environment, even the 1 or 0 in binary can become a weapon for a hacker. Because the mechanical of “open a circuit, close a circuit, one and zero,” can easily be triggered by a malevolent actor to go the wrong way. There goes $100,000 worth of product that falls off the line.
But there's still something inside of me that says, there is a way to do this properly. Maybe it's design for security or design for privacy or both at the model level. Maybe the emphasis to the board is that if we build the models correctly, we can leverage those, because depending on whose version of model and how good the data scientist, you don't need a year and a half. You need five cases that are germane and specific to the traffic flow of the environment. I live in insurance, I need something that's insurance-related. I live in manufacturing, I need something that's manufacturing-related and so on and so forth.
I agree with you, Joseph. At the heart of it, it's just good hygiene. But then the additional assurance is important.
I can throw up a whole bunch of reasons why it's bad or why it's hard. Executing applications based on math and trying to have computer systems that execute programs that we think are supposed to run on those particular computer systems and platforms is great. But it is so hard to keep up with the configuration management and the class of computing systems that things are running on at enterprise scale. Move it into the cloud and I think you've just magnified the problem exponentially several times over, because it's not your computer. It's somebody else's computer that you're renting space on.