Today we are seeing new products and buzzwords such as machine learning or artificial intelligence. What is all the hype about with this new technology? Why now, and what does tomorrow hold?
Machine learning and artificial intelligence have come a long way since their inception. But what do these terms mean to the cyber security industry? Machine learning is part of the overall artificial intelligence process. Machine learning is where you feed data to the artificial intelligence so that it can learn and make choices based on that data. There are two main methods for feeding data to a machine learning application. The first method is supervised learning, where you provide the data and an expected outcome. The second method is unsupervised learning, where data is provided without the expected outcome.
Artificial intelligence is, in its simplest definition, the ability for a machine to learn and think without human intervention. We could consider various cell phone applications as basic AI, considering how they learn and respond when asked questions. Think of your mobile device, for example: if you have asked Siri or Google Assistant a question, it processed your request and gave you a response.
One might wonder what the purpose of artificial intelligence and machine learning in security is. The short answer, oversimplified, is that as blackhat professionals utilize automation for their attacks, incident response must become faster. In order to properly respond to the threats, the current approach must evolve. Gone are the days when a firewall was enough protection to deflect most threat vectors. Today we must have a cascading security ecosystem.
Today we see a mixture of security products incorporated in a business environment. What is missing in many environments is a form of artificial intelligence or automated incident response system. I see this field ever expanding with various companies such as Darktrace, ExtraHop, and others. I have the pleasure of using Darktrace and find that it uses an unsupervised learning approach to the specific environment. This approach allows Darktrace to work in a nonstandard environment and treat the devices as equal. While this could be seen as a negative, as it may learn the bad actor(s) existing in your environment as normal behavior, I find that it will also compare the bad actor(s)' data against the network as a whole and still conclude something is amiss.
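The trade-off described above, as an added example that is not part of the original post and is not Darktrace's algorithm: a device that was already compromised during the learning window looks normal against its own history, yet stands out when its learned baseline is compared with the rest of the network. The hostnames, traffic figures and the choice of a modified z-score are assumptions made for illustration.

```python
import statistics

# Constructed sample: daily outbound traffic (MB) per device during a 7-day
# learning window. "ws-07" is assumed compromised before learning started,
# so its own history is consistently high. Hostnames and values are made up.
LEARNING_WINDOW = {
    "ws-01": [110, 95, 102, 120, 99, 105, 98],
    "ws-02": [88, 92, 85, 97, 90, 94, 89],
    "ws-03": [130, 125, 140, 118, 133, 127, 136],
    "ws-04": [101, 108, 97, 112, 104, 99, 106],
    "ws-05": [115, 109, 121, 117, 112, 119, 114],
    "ws-07": [2900, 3100, 3050, 2980, 3120, 3000, 3060],
}
TODAY = {"ws-01": 104, "ws-02": 91, "ws-03": 129,
         "ws-04": 103, "ws-05": 116, "ws-07": 3040}


def self_baseline_alerts(history, today, threshold=3.0):
    """Flag devices whose traffic today deviates from their OWN learned history."""
    alerts = []
    for device, values in history.items():
        mean = statistics.mean(values)
        stdev = statistics.stdev(values) or 1.0  # avoid division by zero
        if abs(today[device] - mean) / stdev > threshold:
            alerts.append(device)
    return alerts


def peer_group_alerts(history, threshold=3.5):
    """Flag devices whose learned baseline deviates from the network as a whole.

    Uses the modified z-score (median and median absolute deviation), which a
    single extreme device cannot drag toward itself the way a mean can.
    """
    baselines = {d: statistics.median(v) for d, v in history.items()}
    center = statistics.median(baselines.values())
    mad = statistics.median(abs(b - center) for b in baselines.values()) or 1.0
    return [d for d, b in baselines.items()
            if 0.6745 * abs(b - center) / mad > threshold]


if __name__ == "__main__":
    print("self-baseline alerts:", self_baseline_alerts(LEARNING_WINDOW, TODAY))
    print("peer-group alerts:   ", peer_group_alerts(LEARNING_WINDOW))
```

The per-device check stays silent on ws-07 because its learned "normal" already includes the bad behavior, while the peer comparison flags it.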
When thinking about how society advances its use of technology, it is important to remember that technology can be used in both a positive and a negative context. It is imperative to keep up to date with the latest security trends. We are seeing an evolution of artificial intelligence into cyber security. The question then becomes: if the adversary is using artificial intelligence but the organization is not, what is the expected result?