Federal leaders looking at artificial intelligence offerings to strengthen the cybersecurity of their systems are often met with a confusing array of hype that leads to misunderstanding and, all too often, to inertia. And, as government decision-makers are well aware, cyber threats against public sector systems are increasing daily and growing in sophistication.
Unfortunately, overhype about artificial intelligence in cybersecurity only reinforces our human tendency to resist change. Remember how government IT leaders were slow to see the real benefits of cloud technology?
In just the same way, some federal agency IT experts, even in the face of rising threats to their systems, remain reluctant to examine the commercial off-the-shelf (COTS) applications that use AI at scale.
Perhaps a brief review of what cybersecurity AI is, and is not, will be helpful. For starters, confusion (and often inadvertent misinformation) centers on descriptions of how AI is used.
Cyber AI is not big data alone. Machine learning is not possible with deficient data sets. With consumer-facing AI tools such as voice-activated home assistants like Amazon’s Alexa, the Google Assistant or Apple’s Siri, we see how large data sets of consumer behavior (“Alexa, tell me an apple pie recipe”) leverage forms of AI known as “deep learning” or “artificial narrow intelligence.”
Similarly, for cyber AI, the training data set is essential. Ideally, these are solutions that can learn, train, and reliably identify constantly evolving threats such as complex malware and the fileless attack patterns that are increasingly common. It’s critical to remember that AI is not a panacea: yes, effectively training AI algorithms at scale can help prevent future attacks, but the human element is still necessary to thwart cyber actors.
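To make that idea concrete, here is a minimal, hypothetical sketch of supervised training on labeled endpoint telemetry. The feature names, sample data, and scikit-learn model choice are illustrative assumptions, not a description of any vendor's pipeline:

```python
# A toy supervised-learning sketch: features, data, and labels are
# illustrative assumptions, not a real detection pipeline.
from sklearn.ensemble import RandomForestClassifier

# Each row: [child processes/min, script-engine calls, network connections, registry writes]
X = [
    [0.1, 0, 3, 1],    # benign office workload
    [0.3, 1, 5, 2],    # benign
    [4.0, 9, 40, 25],  # fileless attack pattern: heavy in-memory scripting
    [3.5, 7, 35, 30],  # malicious
]
y = [0, 0, 1, 1]       # 0 = benign, 1 = malicious

model = RandomForestClassifier(n_estimators=50, random_state=0).fit(X, y)

# Score a new, unseen event against the learned behavior.
print(model.predict([[3.8, 8, 38, 28]]))  # -> [1], flagged as malicious
```

Real systems train on billions of such events rather than four rows; the point is simply that the model can only be as good as the labeled behavior it learns from.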
Cyber AI also is not laboratory AI alone. One of the clearest distinctions between cyber AI and other types of AI is whether its functionality holds up in the real world, outside the perfect conditions of the laboratory. For instance, claims about accuracy and false positive rates should always be interrogated in light of sample sizes. As an example, an AI model that learns only about breach attempts in the financial sector cannot be adequately applied to the intricacies of guarding protected health information in hospitals.
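A little base-rate arithmetic shows why sample size matters. The volumes and rates below are assumptions chosen for illustration, but they show how a false positive rate that looks tiny in the lab becomes unmanageable at production scale:

```python
# Illustrative numbers: why lab accuracy must be judged against real event volumes.
events_per_day = 250_000_000   # assumed daily endpoint events at a large agency
false_positive_rate = 0.001    # a "99.9% accurate" laboratory result

false_alerts = events_per_day * false_positive_rate
print(f"{false_alerts:,.0f} false alerts per day")  # 250,000 -- far beyond any SOC's triage capacity
```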
A solution is only as good as the data
For cybersecurity AI to meet the challenges facing federal IT leaders, the data must be relevant to the evolving nature of the threatscape, the increasing demands that the agency’s mission places on its systems, and the risks posed by the human element within the agency’s walls.
For example, it is well understood that many cyber breaches result from human error. A good cyber AI solution can analyze human behavior to anticipate mistakes and correct them proactively as part of its scanning and response functions. To that end, data must be constantly refreshed to keep pace with the agency’s requirements, addressing both the internal environment and changes in external threat conditions.
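One common approach, sketched below with purely hypothetical numbers and thresholds, is to baseline each user's normal activity and flag statistically unusual deviations before they become breaches:

```python
# Sketch of user-behavior anomaly detection; the data and the 3-sigma
# threshold are illustrative assumptions.
from statistics import mean, stdev

# Daily sensitive-file accesses by one user over a two-week baseline
baseline = [4, 6, 5, 7, 5, 6, 4, 5, 6, 5, 7, 6, 5, 4]
today = 42  # e.g., a mis-scoped script or a compromised credential

mu, sigma = mean(baseline), stdev(baseline)
z_score = (today - mu) / sigma

if z_score > 3:  # more than three standard deviations above this user's norm
    print(f"Anomaly (z = {z_score:.1f}): quarantine the session and alert analysts")
```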
Our experience tells us that the power of cyber AI is unleashed by:
- Collecting and indexing data from across all deployed sensors globally (over 2.5 trillion unique endpoint-related events ingested by the cloud per week)
- Enriching the data with threat intelligence (100+ adversaries tracked, plus hundreds of thousands of indicators of compromise and known bad domains/IPs)
- Analyzing data using multi-source automated analysis (2.3 million+ decisions per second, classifying events as good, bad, or in-between, augmented by human intelligence)
- Making data actionable by turning new classes of attack into indicators-of-attack (IOA)-based prevention techniques, then validating these IOA patterns and automatically updating sensors to protect against the new threats in real time (a simplified sketch of IOA matching follows this list). This is why none of our customers were impacted when WannaCry hit.
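As a rough illustration of that last point, an IOA describes an ordered sequence of behaviors rather than a file signature. The pattern and event names below are hypothetical:

```python
# Hypothetical IOA: an ordered sequence of behaviors, not a file hash.
IOA_RANSOMWARE = ("vssadmin_delete_shadows", "mass_file_rename", "ransom_note_write")

def matches_ioa(event_stream, pattern):
    """True if the pattern's behaviors occur, in order, within the stream."""
    events = iter(event_stream)
    return all(step in events for step in pattern)  # 'in' advances the iterator

observed = ["user_login", "vssadmin_delete_shadows", "mass_file_rename",
            "ransom_note_write", "network_beacon"]

if matches_ioa(observed, IOA_RANSOMWARE):
    print("Block the process tree and push the updated IOA to all sensors")
```

Because the match is behavioral, a brand-new ransomware family with an unknown hash still trips the same pattern; that is how IOA-based prevention can generalize to attacks it has never seen.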
The Need for Speed
Equally critical, as we found in our 2019 Global Threat Report, is speed.
The report identified that the breakout times (the time it takes an adversary to move from an initial foothold within a network to gaining broader access) of the most dangerous groups targeting U.S. government agencies have continued to shrink year over year. Russia-linked hacker groups led the way, with a breakout time of less than 19 minutes.
These shrinking attack windows bolster the case for the 1-10-60 Rule: one minute to detect an incident or intrusion; 10 minutes to determine whether the incident is legitimate and decide on next steps (containment, remediation, etc.); and 60 minutes to eject the intruder and clean up the network.
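In code, the rule amounts to three time budgets measured from the first signal. The timestamps below are made up for illustration:

```python
# Checking a (hypothetical) incident timeline against the 1-10-60 rule.
from datetime import datetime, timedelta

first_signal = datetime(2019, 6, 1, 9, 0, 0)    # initial malicious activity
detected     = datetime(2019, 6, 1, 9, 0, 45)   # incident detected
triaged      = datetime(2019, 6, 1, 9, 8, 30)   # validated, next steps chosen
remediated   = datetime(2019, 6, 1, 9, 55, 0)   # intruder ejected, network clean

print("detect within 1 min:    ", detected - first_signal <= timedelta(minutes=1))
print("triage within 10 min:   ", triaged - detected      <= timedelta(minutes=10))
print("remediate within 60 min:", remediated - triaged    <= timedelta(minutes=60))
```

Against a 19-minute breakout time, meeting the first two budgets (11 minutes combined) means containment can begin before the adversary moves laterally.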
Taking cybersecurity to the next level, as described in this deceptively simple rule, is possible. The cybersecurity AI solutions that can accomplish this objective must harness the power of vast data sets in a shared cloud environment, set up to collect, analyze and interpret events in real time. No overhype: just the right data, smart vision, and a mission to stop breaches faster.
James Yeager is vice president for public sector and healthcare at CrowdStrike.