Artificial Intelligence and Cybersecurity: Are We There Yet?
Artificial intelligence (AI) has been a buzzword inside security circles for many years. It has crept its way into marketing materials and sales brochures as vendors proclaim how much ease, efficiency, and accuracy their company’s tools will produce as a result of AI capabilities. But how much truth is there to the claims that AI is revolutionizing cybersecurity today?
This article will look at some of the promises of AI, the implementations of AI, and muse on whether AI is truly a “thing” cybersecurity practitioners can take advantage of (or should be afraid of).
Let me start this post by saying that I am in no way an artificial intelligence expert. That said, there has been enough talk about AI in cybersecurity over the years, and especially since the ChatGPT breakthrough, that I am conversant. And obviously I have thoughts, because…Reformed Analyst. I also spoke with several cybersecurity experts who research and have hands-on experience with AI. Their thoughts are included in this piece for greater insight and context.
And then I’ve included thoughts by Vijay Dheap, an AI expert who founded RozieAI, an artificial intelligence platform for messaging and data analytics that has been deployed in call centers for major companies you’ve heard of and possibly do business with.
“Artificial Intelligence” or “Machine Learning”?
Before we get to opinions, though, it’s important to level-set on what AI is. Too often, “artificial intelligence” and “machine learning” are treated as synonyms. They’re not. But companies will sometimes use the terms interchangeably in an attempt to make products sound more advanced, which skews market perception and understanding.
Broadly speaking, “machine learning” (which is a subset of AI) uses algorithms and statistical models that allow computers/machines to analyze and predict patterns or outcomes based on known data, called “training data.” “Artificial intelligence,” on the other hand, uses ML, but is trained to simulate human decisions, behaviors, and processes. It’s that simulated/emulated human element that differentiates AI from ML. Strictly speaking, it’s “sentience” that differentiates the two.
Why all the hype?
The potential impact of AI on cybersecurity is huge. With organizations’ vast digital ecosystems churning out, consuming, and processing ever-expanding amounts of data, a learning and prediction system is enormously helpful. Human calculations cannot keep up with the processing power of machines; it would take thousands of person-hours to complete what a machine can do in minutes.
When correlating cybersecurity and automated analysis, it’s clear to see why this is advantageous:
Too much data
Not enough people
Complex digital ecosystems
Fast-moving threats
Ever-changing environments
It’s almost like AI and ML were purpose-built for cybersecurity. But where are we really? How do the claims stack up? What works today, and what should we be holding off on until more advancements are provable?
Are we there yet?
It’s understandable that end users and vendors alike want to incorporate AI into their daily workings – there is so much data being thrown off by systems, and the pattern recognition and automated remediation and responses that could come from true AI would save an enormous amount of time and energy, and theoretically improve accuracy.
But there are many things to consider. AI and ML are predicated on training data, and training data is only as good as the raw data the machines are fed. To start, AI/ML models require massive amounts of data to “learn” what they need to learn. A lot of AI/ML models don’t have enough data to be reliable enough for highly complex problems.
Further, any skew in the ingested data throws off the model. To illustrate, a few years ago, Amazon had to suspend its AI recruiting tool because it “showed bias against women.” Not surprising: the data the tool was given to process, even though it was considered a massive amount of data, was historical data from a time when mostly male candidates had been hired. The tool was literally trained to seek out male candidates because that’s what the data “told” Amazon about the ideal candidate. Bad training = bad conclusions.
More recently, researchers at Cambridge University concluded that companies’ use of AI video and image analysis in hiring was nothing more than a farce. Several other research projects came to the same conclusion.
So while these are only two isolated examples, it’s very easy to see how AI can be influenced by bad data.
What’s more, we’re still essentially talking about machine learning here, even though these tools are being positioned as AI. The sentience in AI, the nuances of humanoid decisions, are on the precipice but aren’t fully incorporated into most “AI” tools yet.
AI, ChatGPT, and your job
In speaking with Tom Eston, Associate VP of Consulting at Bishop Fox and Co-host of the Shared Security Show, it becomes clear that there are at least a few other humans on this planet who agree with me, at least as far as AI and cybersecurity go.
When I asked Tom his opinions about AI, ChatGPT, and their impact on security, he answered:
“In the cybersecurity space, I think ChatGPT is a little overhyped. I’m seeing all types of posts about how ChatGPT can write malware, phishing emails, pentest reports, etc. What I don’t see is talk about how people have been doing this forever, without an AI engine. The AI makes it easier, but in a lot of cases (I would argue) less accurate and error-prone.
With the code ChatGPT produces, just like other code development, you still need a human who knows how to review code and interpret the results, otherwise you can get clumsy wording and phrasing, like we’ve seen in many ChatGPT examples.
Do I think AI and things like ChatGPT will destroy cybersecurity jobs? Unlikely. However, I predict that AI will be leveraged more for things like first reviews of log data, interpreting scan results to identify false positives, and even suggesting and/or fixing bad code… But all of this will continue to require human approval. In my opinion, at least today, AI is more of a “partnership” to help humans automate “the boring stuff”; humans will still be involved in making the decisions, not the AI.”
In support of Tom’s observations, you can look at CNET and its failed AI-authored articles experiment. The media firm was publicly called out—and had to issue correction notices—for using AI to generate articles that contained some “very dumb errors.” The artificially generated text was also called “serviceable but plodding, pocked by cliches, lacking humor or sass or anything resembling emotions or idiosyncrasies.” So much for so-called sentient AI.
AI for “fixing” data problems
Another colleague, Jonathan Sander, Security Field CTO at Snowflake, a data platform that incorporates heavy ML and AI, also had thoughts about whether AI is the panacea of marketing promises.
“This topic comes up very often in my world. Every security pro can agree that infrastructure throws off a lot of noise. So many logs, tons of config data, user activity information, entitlement structures and their changes, approvals and reviews of most of the above, and more are all in scope when attempting to answer basic questions.
What’s clear about AI today is that it cannot handle these basic questions. You can't take just any AI engine, chuck in all your data, and say "is anyone doing anything fishy?" AI—or in most cases, it's actually machine learning—is good at more specified tasks.
If you imagine that you're trying to work through a list of questions to arrive at the basic answers, then along the way you'll encounter questions that amount to scrutinizing huge data sets for patterns, outliers, and other things that lend themselves well to algorithmic approaches. That's where ML can add a lot of value. It can find potential signals in your noise. With feedback from your human experts, it can get quite good at narrowing down candidates. In the end, though, it's still the human who must evaluate the real threats today.
There is a great desire by security pros to take as many of the questions that are part of daily workflows and transform them by applying AI/ML. The more that this happens, the more we can churn through the huge volumes of data being fed by everything in IT.
Some people worry that AI is aimed at replacing humans—and it's naive to think there aren't bean counters who would like to do just that. In the foreseeable future, however, it's unlikely that AI will threaten security folks who have expertise. For now, the machines aren't quite ready to rise up and replace us.”
AI as the “easy” button
And last but not least, I spoke with Kevin Johnson, CEO of Secure Ideas, a security consultancy, pen testing, and training firm.
“I personally believe machine learning and AI can be a huge leap forward in supporting all aspects of cybersecurity. From handling alerts to detecting exploits, remediation efforts, and so much more, there is a lot to be excited about.
Yet I am horrified at the misrepresentation of AI in marketing materials. Where we are today, with what has been accomplished in AI and machine learning, is useful for things that used to be manually intensive and deadly boring for most security professionals—things like categorizing and ruling out false positives, for instance. So, just from the aspect of handling and analyzing the sheer amount of data that cybersecurity requires, I think ML and AI are life changing.
Having said that, I doubt every claim by every product firm that says their offering has perfected AI for cyber. Why? Because so many vendors claim that, because their R&D teams built in algorithms to analyze data, they have a push-button solution that will fix every woe of every security analyst. That just isn’t true. Show me one security product on the market that doesn’t require some level of human oversight. Will we get there? I hope so.
One of the applications of machine learning—or, if you want to call it AI for the same reasons we changed “infosec” to “cyber”—where I’ve personally seen good progress is in threat hunting and identifying indicators of compromise. This is where machine learning shines. The whole idea of threat hunting is searching through heaps and heaps of data to find patterns—the exact same aim of ML or AI. The leaps and bounds of processing that machine learning provides is exponential, but it still requires a human to look it over. It still requires a human brain to understand what’s going on.”
So there you have it: Three security experts fundamentally agree (four, if you include me): AI is not ready to take over. It’s not even ready to put security teams out of work. It is ready to supplement the work people do. It is ready to help us do more with less and have greater sets of data upon which to make better decisions. But as of right now, those decisions require human oversight and, at least to a degree, gut feel.
A final word from an AI expert
Does the AI expert agree? This is a snippet of the conversation I had with Dheap:
“What we’ve seen over the past decade is that the pace at which we are improving machine learning algorithms is accelerating dramatically. With increasing compute capabilities, the data processing power of the cloud, chips that allow for better and faster processing—that’s where AI gets really exciting and the promise is enormous. The number of attributes or variables we can use to make a prediction is growing. And this increase makes for greater accuracy and better predictive capabilities.
That said, AI is all about the data and the training models used. Where there is a normalized data format, that’s where AI is at its best. Where there is unstructured data, we still need human input. AI is not able to discern between formats quite yet.
In addition, if there are any biases or errors in the training data, if there are any errors in reinforcement or processes, all of those get compounded with AI. Any problems are amplified by the magnitude of data. If left unchecked, those errors can greatly affect the decisions or outcomes of the AI process. So, as of today, you still need human oversight to say, “You got this right. You got this wrong.”
All of this being said, AI today can take tremendous amounts of information and relate it very quickly—much more quickly than even a large group of humans working at breakneck speed—then arrive at predictions very fast. What this means is that AI can augment human capabilities at this point. There is huge benefit in that, in and of itself. Humans no longer have to look for that “needle in a haystack.” AI/ML can, in effect, turn the “haystack” into a “bushel” that’s more easily managed by humans. It’s creating efficiencies that would not be possible without this compute power. AI gives us efficiency boosts that are extraordinary—the speed at which you can arrive at a hypothesis. The scale of data and variables that can be taken into account—it's unprecedented.”
When I asked Dheap if he believes AI is close to sentience, the element that makes AI more than just a ton of data and mathematical processing, he answered:
“Machine learning is modeled after what humans do, what they think. The models that mimic humans are the more sophisticated ones. But there is still nuance these systems don’t yet understand. However, some advanced AI can make autonomous decisions that are similar to human decisions.
You can give AI context, an element of “awareness,” and that influences everything that is processed. Today, AI can interpret speech. Emotion or feeling can be simulated. AI can learn which words cause a desired effect. In other words, AI can learn what data does and then simulate the results. In that sense, there is a human-like element, but it’s not sentient and won’t be for a long time.”
Conclusion
After all these opinions, this very long post, I think it’s safe to say that AI at this point in time is a great tool with lots of promise. But just like many of the buzzwords used in marketing and sales materials, AI isn’t living up to the hype; it’s not precisely what vendors claim it to be. To be clear, I am not singling out cybersecurity vendors here. The same can be said of non-cybersecurity vendors in equal amounts. The reality of AI at this point is that it’s a lot of math with inaccuracies and quirks that need to be corrected by a human. For what it is, at least right now, in its current form, it offers great efficiencies that most certainly help cybersecurity teams accomplish their goals better and faster. We’re not “there” yet, though, and you’re not losing your job to a machine any time soon. But it’s never a bad idea to learn more about programming and how using algorithms can help make your job a bit easier.