Artificial Intelligence (AI) is moving from a nascent technology into one that is beginning to have an impact on our lives. We already have examples such as shopping bots and voice technologies that answer our questions, order goods and help run our daily lives. Cybersecurity vendors would have us believe that they are all using AI to detect attacks and keep us safe. But is everything as it seems?
Check Point Software's CPX360 show is in Barcelona this week. On day one, Orli Gan, Head of Threat Prevention Products, took to the stage to talk about the potential and risks of this technology. Her main premise was that AI is NOT a silver bullet for cybersecurity. In saying that, Gan appears to be out of step with a large portion of the industry. Rarely does a week go by without at least one cybersecurity vendor talking about how AI is helping to keep everyone safe on the Internet.
The problem for the technology is that it has been one of those perennial emerging technologies. In the late 1980s there was a belief that we were at most a decade from seeing working AI systems. In reality it took three decades for the technologies AI requires to align. According to Gan, we have reached a point where storage and compute power can now support the demands of AI. More importantly, we have the mathematical knowledge to make it happen.
What is needed to make AI work?
One of the biggest challenges for AI systems is data. As Gan says: “We need data. Lots and lots of it and it needs to be rich enough to cover the problem.” Volume alone is not enough; it also has to be the right type of data.
The Internet is awash with data, but it is unfiltered, unmanaged data, as Microsoft found out. In March 2016 it released the Tay bot onto Twitter. The hope was that it would learn from Twitter users how to interact with people. Sixteen hours later Microsoft unceremoniously shut Tay down and buried the experiment. By that time Tay had turned into a misogynistic, racist, homophobic and downright nasty bot. As bad as it was for Microsoft, it sent a message to AI researchers: you need to think more carefully about the corpus of data you ingest.
Use the wrong corpus of data and the inherent bias in the data will skew any results. Worse still, once the data is contaminated with bias, it can often require a complete reset. This means reloading all the data and rebuilding all those connections between data points that give AI its edge.
This poses a significant challenge for cybersecurity companies, especially start-ups. There is a limited amount of data available that can be used to train a cybersecurity AI. The problem is just as acute for large companies. Although they may have access to larger sets of data from their own research, they are still limited in what they can access. As a result, it is hard to see how all bar a few very large vendors can claim to have enough data to properly train their solutions.
Data alone doesn’t solve the problem
In addition to data there is a need for AI and domain expertise. Knowledge of AI systems helps in designing the learning and processing algorithms that are required. Domain knowledge helps in understanding the results and validating what the solution has produced. Unlike human analysts, computers and AI systems are not good at explaining their answers. Gan says: “AI verdict logic is obscure. They don’t explain their decisions. It’s data in, decision out and trusting that decision requires a significant leap of faith.”
Despite these challenges, Gan says that the technology is revolutionising cybersecurity. It is having the most impact where it automates tasks that were previously done by analysts. An example of this is the ability of AI to ingest and resolve mountains of log data, delivering results in short periods of time.
Check Point making its own bet on AI
Gan also took the opportunity to give some insight into how Check Point was building its own AI solutions. She talked about three solutions, two of which are in production today.
- Campaign hunting: This system is about predictive threat intelligence. It is used to identify Command and Control (C&C) domains. It identifies who has registered a domain and when. This data is used to assign trust but also to attribute attacks to different campaigns. Gan says that this has increased the detection of Threat Cloud by 10%.
- Huntress: This AI looks for malicious executables. Gan says that this is a very tough problem and that it can be hard to identify whether an executable is malicious without doing a lot of work. However, cyber criminals are not always as clever as they think. According to Gan: “Attackers are rarely original. They reuse code and logic. Huntress looks for similarities in millions of attacks and can uncover the malicious code. We then run the executable in a sandbox, collect parameters and get a verdict.” Huntress finds 13% of the malicious executables that Check Point identifies.
- Cadet: This is a new AI and is just moving into production. It uses context-aware detection techniques that give it a view of the infrastructure surrounding an attack. Gan says it: “Looks at the full context around an element. Where did it come from? Who owns the domain? When was it registered?” Check Point extracts thousands of different parameters which are fed back into Cadet, and it is asked for a verdict. The result is a 10-fold reduction in the false positive rate and a significant reduction in the missed detection rate.
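To make the registration-context idea behind Campaign hunting and Cadet concrete, here is a small added illustration in Python. It is not Check Point's code or algorithm: the domains, registrant contacts, registration dates and the seed set of known C&C domains are all constructed, and the "group by shared registrant" attribution rule and the 30-day newly-registered threshold are assumptions chosen for the example. It contrasts a single-signal rule (domain age alone) with a verdict that also consults the surrounding context, which is where the false-positive reduction described in the talk comes from.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Reference date for the constructed data set (assumption for the example).
TODAY = date(2019, 2, 1)


@dataclass(frozen=True)
class DomainRecord:
    """WHOIS-style registration record: who registered the domain, where and when."""
    domain: str
    registrant: str   # registrant contact as exposed by the registry
    registrar: str
    registered: date


# Constructed sample records; the .example TLD is reserved, none of these are real domains.
SAMPLE_RECORDS = [
    DomainRecord("update-svc-01.example", "ops@mailbox.example", "RegistrarA", date(2019, 1, 28)),
    DomainRecord("update-svc-02.example", "ops@mailbox.example", "RegistrarA", date(2019, 1, 29)),
    DomainRecord("cdn-sync-7.example", "ops@mailbox.example", "RegistrarB", date(2019, 1, 30)),
    DomainRecord("shop-launch.example", "owner@smallbiz.example", "RegistrarC", date(2019, 1, 25)),
    DomainRecord("longstanding.example", "admin@corp.example", "RegistrarC", date(2012, 6, 3)),
]

# Domains already confirmed as C&C by other means (constructed seed standing in for existing intel).
KNOWN_C2 = {"update-svc-01.example"}

# Constructed ground truth used only to score the two rules against each other.
TRULY_MALICIOUS = {"update-svc-01.example", "update-svc-02.example", "cdn-sync-7.example"}


def age_days(rec, today=TODAY):
    """Days since the domain was registered ("when was it registered?")."""
    return (today - rec.registered).days


def attribute_campaigns(records):
    """Group domains that share a registrant contact ("who owns the domain?").
    Shared registration details are the attribution signal; a group of one is no campaign."""
    by_registrant = defaultdict(list)
    for rec in records:
        by_registrant[rec.registrant].append(rec.domain)
    return {k: sorted(v) for k, v in by_registrant.items() if len(v) > 1}


def age_only_verdict(rec, today=TODAY, max_age=30):
    """Single-signal rule: any domain registered within the last max_age days is flagged."""
    return "malicious" if age_days(rec, today) < max_age else "benign"


def context_verdict(rec, records, known_c2, today=TODAY, max_age=30):
    """Context-aware rule: a domain is flagged when it is a known C&C domain or when its
    registration context (shared registrant) ties it to one. Age alone never flags."""
    if rec.domain in known_c2:
        return "malicious"
    siblings = set(attribute_campaigns(records).get(rec.registrant, []))
    if siblings & known_c2 and age_days(rec, today) < max_age:
        return "malicious"
    return "benign"


def evaluate(records=SAMPLE_RECORDS, known_c2=KNOWN_C2, truth=TRULY_MALICIOUS):
    """Count false positives and misses for both rules over the sample set."""
    counts = {"age_only_fp": 0, "age_only_missed": 0, "context_fp": 0, "context_missed": 0}
    for rec in records:
        for name, verdict in (("age_only", age_only_verdict(rec)),
                              ("context", context_verdict(rec, records, known_c2))):
            flagged = verdict == "malicious"
            if flagged and rec.domain not in truth:
                counts[f"{name}_fp"] += 1
            if not flagged and rec.domain in truth:
                counts[f"{name}_missed"] += 1
    return counts


if __name__ == "__main__":
    print("campaigns:", attribute_campaigns(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        print(f"{rec.domain:24} age={age_days(rec):5d}d  "
              f"age-only={age_only_verdict(rec):9}  "
              f"context={context_verdict(rec, SAMPLE_RECORDS, KNOWN_C2)}")
    print(evaluate())
```

In the constructed data, the age-only rule flags the legitimate `shop-launch.example` simply because it is a week old, while the context rule clears it (no shared registrant, no link to known C&C) and still catches the two young domains registered by the same contact as the seed C&C domain. Real systems weigh far more parameters than two, but the mechanism is the same: each extra piece of context lets a verdict depend on corroboration rather than on one noisy signal.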
What does this mean?
AI might not be the silver bullet that many cybersecurity vendors are claiming. That does not mean it has no benefits at all. With the right training and expertise, AI can help cybersecurity teams.
According to Gan, the key to “any AI is that the solution must be practical and not create too much overhead for IT staff. We only use AI where we can demonstrate an improvement where it matters. We are also creating multiple engines to cover the entire attack landscape.”