By Rathna Kalidas, Senior Product Manager, K7 Computing
ChatGPT and Bard have brought renewed interest in the much-marketed, ubiquitous term 'AI/ML'. If marketing claims are to be believed, anything powered by AI/ML is significantly better than anything that is not; further, anything that does not bear the AI/ML tag is obsolete and ineffective. The reality is not quite what marketing would have us believe. AI/ML is powerful, just not all-powerful. In fact, ML is a subset of AI and is the term best suited to our cybersecurity context.
Although ML is employed to advantage in many areas of defensive and offensive cybersecurity, solutions based solely on ML are far from perfect. ML solutions are no silver bullet and cannot supersede human intelligence. After all, we are not talking about fully-autonomous AI, but rather 'models' encompassing essentially pre-written rules based on common patterns in big data sets that can, at least in theory, be swiftly adapted to evolving attack scenarios. Changes in attack scenarios generate different data that need to be "learned" by the models, resulting in updated rules. Where have we seen pattern-based, adaptable rules and conditions before? Well, 'signatures' of course, generic and heuristic ones, which the marketing spiel about 'signature-less detection with AI' conveniently disregards; signatures need not be hash-based!
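To make the parallel concrete, here is a minimal sketch of a generic, heuristic 'signature': a weighted set of behavioural features with a threshold, which is structurally the same thing as a hand-tuned linear ML classifier. All feature names and weights below are hypothetical, invented purely for illustration; they do not represent any vendor's actual detection logic.

```python
# A heuristic "signature" as a weighted rule set over behavioural
# features. No file hash is involved anywhere, so a never-before-seen
# sample can still be flagged by what it does.

# Hypothetical weights, curated from patterns in past samples
# (exactly what training an ML model would also produce).
HEURISTIC_WEIGHTS = {
    "packed_executable": 0.4,
    "writes_to_startup": 0.3,
    "contacts_known_c2": 0.6,
    "has_valid_signature": -0.5,  # validly signed binaries are less suspicious
}

THRESHOLD = 0.5

def heuristic_score(features: set) -> float:
    """Sum the weights of the features observed in a sample."""
    return sum(w for f, w in HEURISTIC_WEIGHTS.items() if f in features)

def is_suspicious(features: set) -> bool:
    """Flag the sample if its combined score crosses the threshold."""
    return heuristic_score(features) >= THRESHOLD

# A brand-new sample, never hashed before, flagged by behaviour alone:
print(is_suspicious({"packed_executable", "writes_to_startup"}))  # True (0.7 >= 0.5)
```

Adapting such a rule set to a new attack scenario means re-weighting or adding features, which is precisely what retraining an ML model on fresh data does, only automated.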
Given the sheer volume of data fed to ML models, they generate a lot of noise before we can see reliable results. They require time, fault-tolerance, and loads of relevant, contextual data to be reasonably successful in detection and remediation. Ironically, enterprises seek ML-based solutions precisely because they lack one or more of the foregoing. Consider a SOC that handles a large number of complex systems with a vast number of events to be monitored, analysed, triaged and acted upon. Cool-sounding, ML-powered technology such as XDR, SOAR, or [insert yet another acronym here] sounds attractive. In practice, however, the noise leads to stress, alert fatigue, and compromised networks.
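The noise problem is, at bottom, base-rate arithmetic. The back-of-the-envelope sketch below uses illustrative numbers (not measured figures from any real SOC) to show how even a seemingly accurate ML model buries the handful of real incidents under thousands of false alarms.

```python
# Why an "accurate" ML alerting model can still drown a SOC.
# All numbers are illustrative assumptions.

events_per_day = 1_000_000   # events a mid-sized SOC might monitor daily
malicious_rate = 0.0001      # assume 1 in 10,000 events is truly malicious
false_positive_rate = 0.01   # a "99%-specific" model still flags 1% of benign events

malicious = events_per_day * malicious_rate       # 100 real incidents
benign = events_per_day - malicious               # 999,900 benign events
false_alerts = benign * false_positive_rate       # 9,999 false alarms

# Precision: the fraction of raised alerts that are actually malicious.
precision = malicious / (malicious + false_alerts)

print(f"{false_alerts:.0f} false alerts for {malicious:.0f} real incidents")
print(f"alert precision: {precision:.1%}")
```

With these assumptions, roughly 99 out of every 100 alerts are noise, and that is the arithmetic behind analyst stress and alert fatigue.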
ML is only as good as the quality of the data fed to the model. Outdated, irrelevant or downright incorrect data lacking context damages the results. Garbage in, garbage out. So data quality, quantity and context are critical, especially where ML is involved. This kind of data is available to companies that have access to real-time protection telemetry and crowd-sourced data from millions of devices. If such vetted, contextual threat intelligence (TI) data is collated from reputed, world-class companies, curated and shared with defenders, the benefits are enormous. The Cyber Threat Alliance (CTA) has been doing just that for the past 6 years and counting. Each CTA member has access to quality data that it may not individually be able to source due to business, geographical or other constraints. This TI can be used to inform their respective security solutions, ML-based or not, resulting in higher-quality protection for all their users.
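Garbage in, garbage out can be demonstrated with a toy experiment: train the same trivially simple learner twice, once on clean labels and once on telemetry where half the malicious samples were mislabelled benign (as stale or unvetted data might be). Everything here is synthetic and purely illustrative.

```python
# Toy demonstration that corrupted training labels degrade the model
# itself, not just the metrics. Synthetic 1-D data for illustration.
import random

random.seed(7)

def make_data(n, missed_fraction=0.0):
    """Benign samples cluster near 0.0, malicious near 1.0.
    `missed_fraction` of malicious samples get mislabelled benign,
    mimicking stale or unvetted telemetry."""
    data = []
    for _ in range(n):
        label = random.randint(0, 1)
        x = label + random.gauss(0, 0.3)
        if label == 1 and random.random() < missed_fraction:
            label = 0  # a "garbage" label
        data.append((x, label))
    return data

def train_threshold(data):
    """'Learn' a decision threshold: the midpoint of the per-class means."""
    means = []
    for cls in (0, 1):
        xs = [x for x, y in data if y == cls]
        means.append(sum(xs) / len(xs))
    return sum(means) / 2

clean_model = train_threshold(make_data(2000))
noisy_model = train_threshold(make_data(2000, missed_fraction=0.5))
print(f"threshold learned from clean labels:     {clean_model:.2f}")
print(f"threshold learned from corrupted labels: {noisy_model:.2f}")
# The corrupted model's threshold drifts upward, so more real malware
# slips under it: worse data produced a structurally worse detector.
```

The corrupted detector fails in a consistent, systematic way, which is exactly why the quality and curation of shared TI matter more than the sophistication of the model consuming it.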
When attackers collaborate to expand the depth and breadth of their attacks and defeat defenders, CTA's community provides a global cybersecurity response. K7 is happy to be a contributing CTA member, helping to make the cybersphere safer.