Approach AI with a clear mind and a clean sheet

When it comes to security, companies need to be able to prevent, detect and respond

Anton Grashion, senior director product and marketing, Cylance

Artificial intelligence in the security space is an exciting development that will help businesses, but don’t get caught up in the hype.

No matter what industry you’re in, buzzwords and bandwagons have a tendency to pop up. You only have to think about the hype that surrounded things like the cloud, Internet of Things and blockchain.

The security sector isn’t immune to this either and as a result, the likes of artificial intelligence (AI) are popping up regularly. While it’s easy to get caught up in the hype and call it the next big thing™️, the terms are being used liberally, according to Anton Grashion, senior director product and marketing of Cylance.

“There’s quite a significant bandwagon effect going on, which is what you’d expect because as with all things, not all AI is created equal,” he said. “I think the use of AI in cybersecurity in particular will become the rule because quite honestly there’s no way of getting ahead [of these].

“The way the threat landscape is developing, the ability of people to change malware so quickly, it’s an accepted fact that the signature-based approach, while useful at the time, has really outgrown its usefulness because you spend more time updating and making sure everything is working.”

That said, it’s still important to remember that AI is a tool, a means to an end rather than a silver bullet that will solve your woes. Grashion said that while AI could be applied across the board, it was not as simple as just tacking it on.

“If you have a legacy approach to malware, it’s very difficult to get rid of that, so what you tend to do is to add other things to it,” he said. “What happened then was it was obvious that they weren’t able to stop everything with antivirus, so we added lots of technologies such as sandboxing or micro-isolation. We’ve added extra layers because the first bit didn’t do anything or didn’t prevent enough.

“Adding AI is just like adding another spot lamp to your 1978 Ford Escort, it won’t change the Ford Escort, but it will make you look a bit flashier.”

“Really what you have to do and what the founders of Cylance did was they went away, took a clean sheet of paper and said what are our edge cases, what is the extreme edge we’re trying to cope with here?”

“When you write that, you don’t want to use signatures down. There are only so many ways you can go, and fortunately the advent of very elastic computing like AWS means you can develop significantly better machine learning models by using more compute power.”

That computing power is a major reason why AI is coming back to the fore. By making it possible to train models accurately on huge numbers of features and then distil the result into a lightweight model that runs on an endpoint, it offers great possibilities for those in the sector.

Still, that doesn’t mean that things are simple and easy now. The industry is still a complicated beast and the methods of dealing with threats are always changing.

“You’re really on the horns of a dilemma: if you work from the basis that your prevention tactics work, you can do a couple of things – you can prevent, you can detect and you can respond,” said Grashion. “Everyone will run to the side that is detect and respond to get visibility because they don’t think they can prevent things, therefore they need to look at it in a network and that’s a problem because you push it into the network.

“It’s like opening a can of worms, the only way of re-canning one is to use a bigger can. It’s a good analogy because you’re going to spend a lot of money, once your threat is inside and it’s doing what it’s doing. Even if you have the best detection and response technologies in the world and you got the manpower . . . the effects of that can cost you so much money.

“If you can reduce the number of things that get in so you concentrate or balance your spending to prevent and detect and respond, you have a better chance.”

Striking the balance can be tough, as some threats, such as insider threats and the extraction of data by malicious insiders, are best handled with a detect and respond approach. Overall, it comes down to what you value in the organisation and what it is you wish to protect.

“It’s a matter of scale. It’s also a matter of where you really think you value as an organisation,” he said.

“You’re balancing your risk against the likelihood of that risk actually happening, then whether you want to keep that in-house or to resource it. We work with a lot of reseller partners who are moving that way and offering those services.”