Artificial intelligence is no longer the stuff of science fiction films. It’s already here, driving a Fourth Industrial Revolution which promises to radically reshape the world and society we live in. The changes for the way we live and work is more disruptive than anything since the invention of the wheel – OK, let’s be more realistic, the industrial revolution. But let us focus today on cybersecurity as an fundamental part of digital transformation.
Much has been made of its application in cybersecurity and threat detection — and it’s certainly helping us a lot here at NTT Security. But let’s take a moment to dial down the hype. While there is plenty to get excited about, AI is not a silver bullet. There are many more prosaic, tried-and-tested tools and processes, which are just as important, if not more so, to helping your organization mitigate cyber risk.
Not a Holy Grail
First, the good news. AI and its sub-discipline of machine learning are fast becoming indispensable to the modern Security Operations Center (SOC). Here, systems powered with the technology are able to ingest enormous volumes of data and spot the anomalous patterns indicative of a potential threat. While the most common approach is supervised learning — where the analyst “teaches” the algorithm what conclusions it should come up with — increasingly we are seeing effective unsupervised learning, which can work without human guidance. The result? Highly effective threat detection capabilities that free up security teams to focus on higher value tasks. This is extremely important as we are in the midst of a massive skills shortage in our industry.
But AI is not the Holy Grail for security. In fact, believing too much in the promise of AI and you might begin to suffer from a false sense of security. Not all AI is created equal. The quality of the algorithm depends on how it is trained, and what records and data are fed into it. Poor data quality will result in weak AI, a bad recognition rate and failing security. So do not blindly trust the label “powered by machine learning”!
Let’s not forget either that AI could be harnessed by cyber criminals themselves: e.g. to monitor targeted users’ social behavior, email writing style and messaging behavior in a bid to improve the hit rate of spear-phishing attacks. As security professionals, we must be open to the opportunities but not be blind to the challenges of AI.
Back to basics
In our preoccupation with advanced machine learning algorithms, we should also be careful not to ignore best practices that could have a far bigger impact on our cybersecurity.
Let us renew our focus on training the workforce in how to spot phishing attacks. After all, cybersecurity is a shared responsibility, which is the overriding message in this year’s Cyber Security Month.
Senior managers are a key weakness in your organization’s front-line. Our tests of senior execs in customer organizations revealed some scary results: nearly 100% of the time we managed to compromise accounts to access critical systems — sometimes within minutes.
Consider also that old favorite of security patching. It has been given added urgency now that organizations are witnessing an explosion in IoT endpoints that need constant updating. Heterogeneous devices based on legacy protocols with a long service life make such updates a huge challenge, assuming patches are provided at all by manufacturers. If you’re unsure where to start with your burgeoning IoT environment, then try first conducting a security risk assessment based on guidelines such as ISO / IEC 27005, ISA / IEC 62443 or GDPR. Develop security policies, implement network segmentation, monitor maintenance access and conduct rigorous pen testing. AI can help with anomaly detection, but only as one part of a multi-layered approach.
So are we ready for the fancy stuff? The answer to this question is unequivocally yes-and-no; we need to do our security homework first because smart detection based on machine learning capabilities will be even more efficient if we implement the basics like patching, identity management, network segmentation etc. first. These will help organizations keep many attacks under better control and move towards a proactive strategy. In addition, we can combine these basic strategies with smart ways of new technologies like deception to confuse and hide our critical data from attackers.
Let’s also not forget the bigger picture. NTT Security’s most recent Risk:Value report highlights that global IT departments are spending less today on security than last year, while the number of organizations with a formal security policy in place has barely altered since 2017. This needs to change.
Who sets the rules?
Above all, we must remember that AI is only as good as the people training it. The prejudices of humans can all too easily lead to biased machine learning outcomes. As these algorithms make ever more complex decisions it becomes harder than ever to understand how they arrive at these decisions. Even without touching the sensitive area of Ethical Intelligence (EI) that raises a vital questions: Who sets the rules?
The decisions of machines will increasingly dominate our future. In cybersecurity, it could mean the difference between protecting hundreds of thousands of customers from, or plunging them into, a major service outage. In the end, do you trust the machine? It’s a question we’ll need to find an answer for pretty soon.
Therefore, it is time to get real – don’t put all your eggs into one basket. Leverage AI for threat detection and cyber defense but also remember to implement a smart (everything has be smart nowadays) proactive cyber strategy that is enriched by even smarter people!