Cybersecurity & AI: Where Do We Really Stand

AI is a buzzword these days, and cybersecurity is no exception. Several times we've heard cybersecurity or IT managers say that they're looking for AI cybersecurity technology that works all by itself: it detects attacks on its own and blocks them automatically, even automagically. This is a myth.
To set the record straight, we put the question to our Head of Cybersecurity, Dr Karim Ganame. He is also a Cybersecurity & AI researcher and has held a US patent since 2019 on the use of AI to detect cyberthreats in computer networks.


According to him, here is the state of play for AI in the specific context of cyber threat detection.


AI alone cannot detect all unknown cyberthreats
One characteristic of AI (a supervised model, for example) is that it needs to be retrained regularly so that it keeps learning and adapting.

The key is not the AI algorithm you use, but how you characterize what it should consider an anomaly or deviation in behavior.

Several times I've been asked what AI algorithm we use in our CDS cyber threat technology at Streamscan.

In reality, the algorithm isn't the most important thing in cybersecurity & AI. It's how you characterize the cyber threat that's key.


Let's take a simple example: suppose you want to create an AI model to detect variants of a given ransomware X. You take that ransomware, run it on a machine, and capture all the information the run produces: the external domain names or IPs that ransomware X interacts with, the network protocols it uses (DNS, HTTPS, SSH, UDP, and so on). You'll also want to know whether there is a pattern in how often certain requests from ransomware X are sent to external systems. After that, you look at the actions ransomware X performs on the computer: which files have been created, deleted or modified? Does ransomware X stop a given process (antivirus, etc.)?

All this information gives you an idea of the overall behavior of ransomware X. That's the easy part. Next, you need to characterize ransomware X: which TCP flags are set? Do packets leave at a periodic frequency? Does network traffic go in one direction only (unidirectional flow) or in both directions (bidirectional traffic)? You also remove traffic that is considered background noise, i.e. diversionary or useless traffic that is not relevant to the characterization of ransomware X.

You'll emerge from this exercise with a set of attributes (features) that you'll work and rework like a goldsmith, retaining only the most relevant ones. These relevant attributes are the key to your detection capability. Your secret sauce.
Once you have the relevant attributes, you test them with several AI algorithms and choose the one with the best detection rate within a reasonable timeframe.

You then create an AI detection model based on these results.

When you put your AI into production, it observes communications entering or leaving your machine and compares them with the model you've created. The objective: to see whether similar traffic is entering or leaving the machine. If the model finds a high degree of similarity, it generates an alert. Then it's up to the (human) analyst! The analyst performs thorough checks and confirms whether or not it is a real threat. If it's not a threat, the analyst must flag it to the AI as a false positive. The next time the model is trained, it takes this into account and will no longer generate an alert when it sees similar traffic.
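The steps just described (characterize the sample, drop background noise, build a model, score live traffic, feed analyst verdicts back into retraining) as one added example. This is illustrative code written for this article, not Streamscan's CDS or any of its algorithms; the feature set, the nearest-prototype scoring, the threshold, and every host, port and flow in it are constructed assumptions.

```python
# Added example, not Streamscan's code: a toy behavioural detector that follows the
# steps in the text. Flows are characterised, background noise dropped, a profile built
# from a sandboxed run of "ransomware X", production traffic scored against it, and
# analyst false-positive feedback folded into the next training round.
# Every host, port and flow below is constructed for illustration.
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional

# Assumption: destinations treated as background noise and removed before scoring.
BACKGROUND_NOISE = {"update.example-os.invalid", "time.example-ntp.invalid"}


@dataclass
class Flow:
    dst: str                 # remote host or domain
    proto: str               # "tcp" or "udp"
    dport: int
    tcp_flags: str           # flags seen, e.g. "S" (SYN only) or "PA"; "" for UDP
    bytes_out: int
    bytes_in: int
    timestamps: List[float]  # seconds at which packets left the monitored host


def features(flow: Flow) -> List[float]:
    """Characterise one flow: periodicity, direction, TCP flags, protocol; all in [0, 1]."""
    gaps = [b - a for a, b in zip(flow.timestamps, flow.timestamps[1:])]
    periodic = 0.0  # 1.0 = perfectly regular beaconing, ~0 = irregular traffic
    if len(gaps) >= 2 and mean(gaps) > 0:
        periodic = max(0.0, 1.0 - pstdev(gaps) / mean(gaps))
    total = flow.bytes_out + flow.bytes_in
    unidirectional = flow.bytes_out / total if total else 0.0  # 1.0 = outbound only
    syn_only = 1.0 if flow.tcp_flags == "S" else 0.0            # half-open probes
    is_udp = 1.0 if flow.proto == "udp" else 0.0
    return [periodic, unidirectional, syn_only, is_udp]


def remove_noise(flows: List[Flow]) -> List[Flow]:
    return [f for f in flows if f.dst not in BACKGROUND_NOISE]


def similarity(a: List[float], b: List[float]) -> float:
    """1.0 = identical feature vectors, 0.0 = every feature differs maximally."""
    return 1.0 - mean(abs(x - y) for x, y in zip(a, b))


@dataclass
class Detector:
    """Nearest-prototype model: each flow kept from the ransomware run is one prototype."""
    malicious: List[List[float]]
    benign: List[List[float]] = field(default_factory=list)
    pending: List[List[float]] = field(default_factory=list)  # feedback not yet trained in
    threshold: float = 0.85

    def score(self, flow: Flow) -> Optional[float]:
        """Similarity to ransomware X if the flow should raise an alert, else None."""
        vec = features(flow)
        hostile = max(similarity(vec, m) for m in self.malicious)
        cleared = max((similarity(vec, b) for b in self.benign), default=0.0)
        # Alert only if the flow looks like ransomware X and not more like cleared traffic.
        return hostile if hostile >= self.threshold and hostile > cleared else None

    def mark_false_positive(self, flow: Flow) -> None:
        """Analyst verdict: the alert was benign. Takes effect at the next retrain()."""
        self.pending.append(features(flow))

    def retrain(self) -> None:
        self.benign.extend(self.pending)
        self.pending.clear()


# Constructed sandbox capture of "ransomware X": a regular C2 beacon, SYN-only probes
# of a neighbour on SMB, and an OS update check that is background noise.
RANSOMWARE_RUN = [
    Flow("c2.example.invalid", "tcp", 443, "PA", 4000, 200, [0, 30, 60, 90, 120]),
    Flow("10.0.0.25", "tcp", 445, "S", 600, 0, [1.0, 1.5, 2.0, 2.5]),
    Flow("update.example-os.invalid", "tcp", 443, "PA", 300, 500000, [2, 9, 40]),
]

# Constructed production traffic: a beacon-like flow, ordinary browsing, and the
# company's own monitoring agent, whose regular heartbeat resembles the beacon.
C2_LIKE = Flow("203.0.113.7", "tcp", 443, "PA", 3800, 150, [0, 30.5, 60, 90.5, 120])
BROWSING = Flow("198.51.100.9", "tcp", 443, "PA", 500, 90000, [0, 3, 17, 19, 41])
HEARTBEAT = Flow("monitor.example-corp.invalid", "tcp", 8443, "PA", 2000, 60, [0, 60, 120, 180, 240])
HEARTBEAT_NEXT = Flow("monitor.example-corp.invalid", "tcp", 8443, "PA", 2100, 60, [300, 360, 420, 480])


def demo() -> Dict[str, object]:
    det = Detector([features(f) for f in remove_noise(RANSOMWARE_RUN)])
    first_pass = {f.dst: det.score(f) for f in remove_noise([C2_LIKE, BROWSING, HEARTBEAT])}
    det.mark_false_positive(HEARTBEAT)  # analyst investigates the heartbeat alert and clears it
    before = det.score(HEARTBEAT_NEXT)  # still alerts: feedback is not trained in yet
    det.retrain()
    after = det.score(HEARTBEAT_NEXT)   # suppressed once the model has been retrained
    return {"first_pass": first_pass, "before_retrain": before, "after_retrain": after}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` alerts on the beacon-like flow and the monitoring heartbeat, ignores the browsing, and stops alerting on the heartbeat only after the analyst's verdict has been trained in. The heartbeat case also shows the caveat behind "the algorithm isn't the most important thing": if a cleared flow's features sit almost on top of the malicious profile, suppressing it also risks suppressing a real beacon that happens to look the same, so the durable fix is a feature that separates the two (here, for instance, the destination's ownership), not a longer list of exceptions.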

Humans help AI to improve. It's this interactive, collaborative work between AI and human that makes for effective AI tools.

Data is a big challenge
One of the biggest challenges in AI applied to cybersecurity is the availability of sufficient data to characterize cyberthreats and train models. Streamscan experienced this challenge when we started working on cyberthreat detection via AI in 2014 (10 years ago!). In our early days we had to buy data. We also set up an automated analysis and AI detection model creation environment that has been running 24/7 since 2014, which today gives us access to phenomenal amounts of data that enable us not only to detect unknown cyber threats, but also to anticipate them.

AI detects 100% of cyber threats: a myth
The use of AI to detect cyber threats has been mature for several years. In 2017, when Streamscan released version 1 of CDS, we already had a 99% detection rate. The big challenge since then has been to make up the remaining 1%. What a challenge! No cybersecurity vendor on the market today can claim a 100% detection rate. If a vendor tells you otherwise, run away from them!


At Streamscan, we take a transparent approach. We work hard to continually improve our detection rate, but it's possible that a few cyberthreats may slip through the cracks.

If this happens, you can count on our seasoned incident response team to help you take charge of the event, then eradicate it as quickly as possible to reduce or eliminate its impact.


AI detects and blocks cyberthreats all by itself, automagically: a myth
I'm going to disappoint everyone currently looking for an AI tool that you plug into the network and forget about, with complete peace of mind, thinking that the tool will detect and block cyberthreats all by itself and train and retrain itself. We're not there yet.

Today, you need a human working in tandem with the AI to help it evolve. The more expertise this human has in analyzing behavioral deviations (abnormal behavior) in cybersecurity, the more your AI will improve and become effective. Without a human, your AI will evolve very slowly, which is the worst thing you can do if you want to protect yourself from cyber-attacks that keep growing in number and complexity.

If your AI cybersecurity tool provider tells you that it automatically detects and blocks all cyberthreats, run away from it!

For the record, some of our Managed Detection & Response customers (24/7 security monitoring service) are companies that acquired an automated AI cybersecurity tool and then realized that the tool didn't work on its own. Worse still, the workload generated by these tools is significant and keeps internal IT resources very busy. Indeed, one of the challenges with AI is reducing false positives.

For greater efficiency, these companies decided to outsource the management of these AI tools and contacted us, given our recognized expertise in applied AI in cybersecurity.


The future of AI in cyberthreat detection (short and medium term)
There's a shortage of qualified resources in operational/technical cybersecurity, even as demand in this field grows. The most advanced AI cybersecurity companies, such as Streamscan, are working on AI models that simulate the behavior of human analysts and perform cyberthreat analyses the way they do. The idea is to automate analysis as much as possible while allowing the AI to continue to learn and evolve.

Another challenge is eliminating routine tasks for human analysts, reducing their workload so that they can concentrate on the more important cyber threats. The focus is on automating analysis and response.

To conclude, AI in Cybersecurity will continue to evolve, and will experience further major accelerations. But for the time being, the alliance between AI and Humans offers the best result in the cyber defense of organizations.