Blog

AI in Cyber Security: Forget About It

If you’re in the mood for some non-controversial, light entertainment you don’t have to work too hard to enjoy, rent the movie Yesterday.  The premise is clever:  a global weather event removes any and all recollection of the Beatles and their music from just about every person on the planet, except a struggling singer/songwriter.  When he realizes what’s happened, he recreates classic Beatles hits as his own and, predictably, becomes a worldwide music sensation.

The Yesterday premise is not only clever, but intoxicating.  There are countless events I’d like to wipe from the collective memories of the general population.  Parachute pants, mullets, and the Orioles 2019 season (I’m a long-suffering fan) come quickly to mind.  But as a proud member of Delve, a company successfully using machine learning and other AI techniques to automate vulnerability management and revolutionize vulnerability prioritization, I’d love to apply the Yesterday memory-erasing concept to AI in cyber security.  Simply flip a switch, and every cyber security professional would be purged of the memory of false AI-in-cyber-security promises that have created a generation of justifiably skeptical - even cynical - security product consumers.

By either wildly exaggerating the capabilities of AI-based products, or falsely labeling heuristics as “AI,” security vendors have preemptively besmirched the reputations of legitimate AI-based cyber security products.  In 2018’s Artificial Intelligence in Cybersecurity is Not Delivering on its Promise, Kevin Townsend summarizes one study that found 61% of respondents “believe that their ML {machine learning} systems do not stop zero-days and advanced threats -- despite this being one of the primary claims from many vendors.”  Another 41% “complain that rules creation and implementation is 'burdensome'. And post-implementation, the results are not as promising as the hype.”

In a similarly-themed piece, CSO’s The AI hype machine – let’s be careful out there, Rick Grinnell describes a tour of 2018’s RSA Show, where he estimates, “at least half {of the 500 plus vendors} were trumpeting proprietary AI or machine learning in their products.”  He goes on to express frustration at the liberal - a kind word choice...dishonest might be more accurate here - use of the term AI:

What’s most disturbing to me are the number of companies that are claiming they have AI, when they're really using pre-defined statistical algorithms...and then hand-tuning the system on historical data to optimize performance at run-time. This isn’t ML. This isn’t AI. This is optimized statistical modeling.

He offered another anecdote from an “AI”-user’s perspective with a similar theme:

"I heard an AI-focused IT executive from a major bank talk about how much AI the bank was already using in its fraud department. The exec then discussed how the algorithms were manually tuned by the company’s data science team to outperform static models with preset behavioral thresholds. This isn’t AI! It may be intelligent, but it’s not artificial intelligence!

The good news is that it’s not hopeless; it’s just early.  As Rick Grinnel notes in the same piece, “Using a baseball analogy, we are in the first inning of an AI-based solutions market. There are some great companies out there leveraging highly focused applied AI to targeted problems.” 

At Delve, we agree.  Despite the hype, AI and machine learning do have legitimate applications in cyber security.  Those applications leverage AI to address well-defined, focused, data-intensive challenges that can either automate previously labor-intensive tasks, or render feasible data analyses that would be practically impossible for an army of humans to accomplish. But the best AI or ML-based applications can’t substitute for a solid cyber security culture, strong policies and a well-staffed IT or security team; AI can’t perform miracles...but it can add substantial value when applied intelligently (pun intended).

Cyber security can be a Long and Winding Road.  It requires attention...you can’t just Let it BeA Day in the Life of a cyber security professional is filled with challenges....

OK, I’ll stop now.  

But seriously, watch the movie, and if you get the chance, check out our white paper for a sober view of AI in vulnerability management:  Leveraging AI to Modernize Vulnerability Management and Remediation

We think you'll enjoy the white paper, even though, to be fair, it's unlikely to make you Twist and Shout.

Most Recent Related Stories

Gold Nuggeting: A Critical Step in Vulnerability Remediation Prioritization

Read More

Just Say No...to Naive "Just Patch" Advice

Read More

The Vulnerability Management Doctor will See You Now

Read More