Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

4/20/2017
10:30 AM
Jeff Schilling
Commentary

Cutting through the Noise: Is It AI or Pattern Matching?

Many vendors are fudging terms when trying to sell their artificial intelligence security systems. Here's what you need to know when you buy.

At any recent security conference, you have probably heard hundreds of vendors repeating the words "We have the best artificial intelligence (AI) and machine learning." If you happened to be in one of those conversations and asked, "What does that mean?" you probably got a blank stare. Many security consumers are frustrated when marketing pitches don't clearly articulate what AI does in a product to help protect an environment better.

There are several dilemmas facing security companies that keep them from being more up-front about how they use AI and machine learning. For some, the concepts are a marketing statement only, and what they call AI and machine learning is actually pattern matching. Also, machine learning relies on a tremendous volume of data to be effective, and very few vendors possess enough of it to implement the technology successfully.

To avoid a wasted investment in this technology, it's essential to understand the basics of what AI and machine learning provide in security tools. My goal is for you to be equipped to ask the right questions when a vendor proclaims "We have the best AI!"

What Is AI and What Does It Do?
There are many definitions of AI; the one I use is a system that can monitor behavior, learn, and then adapt and problem-solve. The problem solving is where the machine learning component of AI comes into play. A classic AI use case is a machine playing chess. Because chess has so many permutations of moves, it requires an AI system to observe adversary behavior, learn the consequences of those behaviors, and then formulate actions that add up to a strategy for defeating a human opponent.

In contrast, a good example of pattern matching is playing checkers. Any simple computer program can run the limited number of moves and counter-moves an adversary would use in checkers based on the pattern of movement that the human establishes.

So, the first question to ask a vendor is: "Is your AI doing pattern matching or problem-solving?" A good indicator that a security tool is just doing pattern matching is the vendor telling you it works right out of the box and doesn't need to learn the environment. Pattern matching isn't necessarily bad, but it isn't adaptable to ever-changing threats. This technique constantly requires vendor updates to keep pace with threats while never getting ahead of them.
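To make the distinction concrete, here is a minimal sketch of the "checkers" approach: a signature lookup that only flags what is already on its list and must be updated by the vendor to stay current. The hash value is a placeholder, not a real indicator of compromise.

```python
# Bare-bones signature-based pattern matching: an exact lookup against a
# fixed list. No learning, no adaptation - the list must be constantly
# refreshed. The hash below is a made-up placeholder, not a real IOC.

KNOWN_BAD_HASHES = {"44d88612fea8a8f36de82e1278abb02f"}  # placeholder signature

def matches_signature(file_hash: str) -> bool:
    """Return True only if the hash is already on the known-bad list."""
    return file_hash.lower() in KNOWN_BAD_HASHES

print(matches_signature("44D88612FEA8A8F36DE82E1278ABB02F"))  # -> True
print(matches_signature("deadbeefdeadbeefdeadbeefdeadbeef"))  # -> False
```

Anything not already on the list sails through undetected, which is exactly why this approach can never get ahead of a new threat.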


Another question to ask vendors is: "What type of machine learning does your system use?" Decision tree learning is common in what I'd refer to as pattern-matching systems. Basically, decision tree learning consists of mapping observations to predefined conclusions or actions. For example, "if I see this C2 domain in packet capture and detect this hash value in network intrusion monitoring, then I likely have this particular threat actor in my environment." This approach is great for lowering the amount of human touch or repetitive tasks your security team must do on a daily basis. 

Another common machine learning strategy in security tools is a Bayesian model. Here you move from the algebra of a decision tree to the calculus of a Bayesian approach and, in my opinion, from pattern matching to true AI. Essentially, a Bayesian model observes the state of many variables across your environment and maps them, based on whether they're true or false, into a data table that lets the AI system determine the probability, or confidence level, that a particular event has happened. This approach has no predefined conclusions about those observations; instead, based on the status of many variables, it tells you there's a high probability of anomalous or malicious activity. The more data points you can process through a Bayesian model, the more accurate it becomes.
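The core mechanic can be shown with a toy Bayesian update: a belief that a host is compromised starts at a base rate and is revised by each observed variable via Bayes' rule. The prior and the likelihood values below are illustrative assumptions, not measured malware statistics.

```python
# Toy Bayesian update for "is this host compromised?". Each true/false
# observation revises the belief via Bayes' rule. All numbers here are
# made-up illustration values, not real base rates or detection stats.

def bayes_update(prior: float, p_obs_if_malicious: float,
                 p_obs_if_benign: float) -> float:
    """Posterior P(malicious | observation) from one observed-true variable."""
    numerator = p_obs_if_malicious * prior
    denominator = numerator + p_obs_if_benign * (1 - prior)
    return numerator / denominator

belief = 0.01  # assumed base rate of compromise
# each tuple: (P(obs | malicious), P(obs | benign)) for a variable seen as true
observations = [(0.5, 0.05), (0.5, 0.05), (0.8, 0.10)]
for p_mal, p_ben in observations:
    belief = bayes_update(belief, p_mal, p_ben)

print(round(belief, 3))  # belief climbs as corroborating observations accumulate
```

No single observation is conclusive on its own; it's the combination of many weakly suspicious variables that pushes the confidence level high, which is exactly the behavior the article describes.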

My favorite machine learning technique is clustering, or k-means clustering. This is a machine learning system that plots the telemetry of your environment on a graph as a cluster of expected behavior. If you have a million dots in your cluster and you see a dot plotted outside of it, that's an anomaly that should be investigated. This learning system doesn't need a pattern; it's basically mapping what normal behavior looks like and identifying outliers.
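A single-cluster sketch of this idea: model "normal" telemetry as a centroid, then flag any point that lands far outside the typical spread. A real system would use many clusters and many features; the points and threshold factor here are assumptions chosen only to show the mechanism.

```python
# Clustering-based anomaly detection, reduced to one cluster: compute the
# centroid of known-normal telemetry points, then flag points whose
# distance from the centroid is far beyond the normal spread. The sample
# points and the threshold factor are illustrative assumptions.
import math

def centroid(points):
    """Mean position of a list of equal-dimension points."""
    n = len(points)
    return tuple(sum(p[i] for p in points) / n for i in range(len(points[0])))

def is_anomaly(point, normal_points, factor=3.0):
    """Flag a point whose distance to the centroid exceeds `factor`
    times the mean distance of the known-normal points."""
    c = centroid(normal_points)
    mean_dist = sum(math.dist(p, c) for p in normal_points) / len(normal_points)
    return math.dist(point, c) > factor * mean_dist

normal = [(1.0, 1.1), (0.9, 1.0), (1.1, 0.9), (1.0, 1.0)]
print(is_anomaly((1.05, 0.95), normal))  # inside the cluster -> False
print(is_anomaly((9.0, 9.0), normal))    # far outside -> True
```

Note that nothing here encodes what an attack looks like; the system only knows what normal looks like, and anything sufficiently far from normal gets surfaced for investigation.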

Bringing It All Together
A good AI system will have elements of a decision tree (for known patterns), Bayesian analysis for anomaly detection, and clustering for baseline monitoring. If the AI system you want to buy can seamlessly integrate these three machine learning techniques, you're probably on the right track.

But you're not done yet. Next, you have to ask yourself: "What data do I need to provide to these tools, and do I collect the data needed to make these tools work the way they're designed?" Billions of dollars are wasted on strategies and tools because the users who buy them get wowed by a sales pitch and can't implement the tools when they get them.

Here's my advice for selecting an AI solution to enhance your security program:

1. Don't fall for the marketing pitch, and ask the critical questions.

2. Make sure you understand the machine learning strategies leveraged by the vendor and that they make sense for the data you have in your environment.

3. Decide if you are playing checkers or chess with your adversary.

Understanding these points will help you make an informed decision that avoids wasted investments, time, and resources. While AI and machine learning create efficiencies that can't be duplicated by humans, the human element still must be in place to make sense of the information and process it properly so it can be used to achieve organizational objectives.

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibility include security operation, governance ...