Get Started with a One-to-One Personalized Demo
Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.
See IncMan SOAR in Action.
Machine Learning (ML) and Artificial Intelligence (AI) have been buzzwords in the cybersecurity industry for quite some time now, and many still confuse them as being the same thing. This blog post aims to clear up the confusion around these two terms, as well as to provide some insights into their importance in the cybersecurity world.
Both of these terms pop up frequently, especially amongst analytics, big data and other current major technological changes. Generally speaking, Artificial Intelligence is a broad concept of the ability of machines to perform tasks which we would consider “smart”.
From self-driving cars to SIRI, AI is rapidly growing. Today, it is more properly known as narrow artificial intelligence (or weak artificial intelligence), which means it is designed to perform a narrow task (e.g. only for driving a car, or only for searching the internet, etc.). A strong AI, also known as general intelligence, is a system with generalized human cognitive abilities. When presented a problem, a strong AI system will try to solve it without the need for human intervention.
Machine Learning is a specific part of artificial intelligence that enables computers to learn without being explicitly programmed. For example, a machine learning driven system is able to find patterns in data and use them to predict the outcome of something it has never seen before.
The emergence of machine learning as a vehicle that drives AI forward was due to the realization that instead of teaching computers everything in order to perform tasks, it is now possible to teach them to learn for themselves. With the evolution of the internet, and generation of huge amounts of information and data available at our fingertips, engineers realized it’s now far more efficient to code computers to think like humans, giving them access to all the information in the world.
Machine learning is therefore believed to be a subset of artificial intelligence. Despite some overlaps, AI covers more topics than machine learning, such as intuition, speech recognition, understanding and perception, object manipulation and more. What led to the emergence of machine learning was the capability of managing large sets of big data, the capacity to store that data and the computer power.
This is the most popular paradigm for machine learning, the easiest to understand and to implement. It’s similar to teaching a child using flash cards. For example, we can feed the learning algorithm with data in the form of examples with labels - with this, the algorithm will be able to predict the label for each example, while we can give feedback whether the answer is correct. Over time the algorithm will learn to predict the relationship between examples and their labels. At the end of the training, the algorithm will be able to observe a new example and predict the label for it. This type of learning is usually described as task-oriented, since is focused on a single task, giving more and more examples to the algorithm until it is able to perform the task correctly.
This type of learning stands on the opposite side of the spectrum, as it features no labels. In this case the algorithm is fed with a lot of data and is given the tools to understand the properties of the data. The expectations are that it can learn to group, organize and cluster the data in such a manner that a human could make sense of the data organized in that particular way.
The unique thing about this type of learning is the fact that there's a huge amount of data in this world that isn’t labeled. Many industries see great potential in having algorithms that can take terabytes of unlabeled data and make sense of it. For a number of fields, this could be a major boost in so many ways.
Let’s make sense out of this with the following example. You start a research project and you have a huge database of all research papers ever published in an algorithm that knows how to group these papers in a way so that you are constantly aware of the progress in a particular domain. As you write your research, the algorithm will suggest related works or papers you might wish to cite, and perform other activities to boost your productivity.
Unsupervised learning is data driven since it’s based upon data and its properties. The results from an unsupervised learning tasks are directed by the data and the way it is formatted.
Gone is the time when an organization could rely only on simple antivirus software or firewall with white or blacklists. The industry today struggles with evolving and sophisticated cyber attacks, against which traditional security measures simply won’t work. Let’s look at how artificial intelligence and machine learning provide much-needed help in handling cybersecurity threats below.
Human expertise and efficiency aren’t limitless; there are certain pitfalls such as lack of accuracy, poor speed of incident response, longer delays in detection and removal of advanced threats like ransomware or fileless attacks. The application of AI provides insights and makes sense of millions of logs and anomalous events. By employing AI, it is possible to identify a suspicious event, detect a malicious file or notice a behavior from a seemingly harmless data cluster or file.
Security strategists can now feed massive historic training data to today’s advanced machine learning models. The more valuable data you feed, the better your security response is. However, don’t forget that many organization’s today still hold detection and response models to be their primary approach, as it has been the case for several decades. In any case, traditional security technologies remain necessary for an even more comprehensive approach in the battle with security threats.
Here are a few points to bear in mind before employing AI or machine learning within your cybersecurity program.
Firstly, be realistic towards your business perspective. Will AI/ML make your business grow, or reduce costs? Secondly, consider deploying AI/ML as an extra layer of protection on top of existing security solutions, and consider partnering with a vendor that helps integrate AI or ML solutions in a way that supplements existing security tools and speeds up the quality incident response.
Arguably, the most important aspect to understand is that ML is a continuous process. Over time, there will be a need to check if your ML algorithms or models need a tweak to improve their accuracy. As your AI system gets exposed to more data, this will prove to be an indispensible practice. The cybersecurity industry can hugely benefit from AI and ML, but delivering predictive protection to thwart evolving attacks will require commitment in maintaining the quality of data sets.
If you would like to learn more, keep a look out for an upcoming blog post which will describe how machine learning is being used by DFLabs within its SOAR platform to compare actions from previously handled incidents, in order to recommend relevant playbooks and runbooks to effectively and efficiently manage and mitigate future incidents.
DFLabs / 4 Apr 2018
CISOs face a wide spectrum of challenges in 2018. Security orchestration, automation and response platforms can help them tackle those challenges.
Heather Hixon / 5 Mar 2019
Find out why automation has been changing security operations within SOCs for the better, despite its initial bad reputation in the cybersecurity realm.
DFLabs / 27 Jun 2018
Integrating SIEM and SOAR combines the power of each, enabling security teams to minimize incident resolution time and avoid alert fatigue.
See IncMan SOAR in Action.