Artificial Intelligence is not always Artificial Intelligence. Every cyber security vendor selling solutions today is either putting a "using AI" sticker on their website, or investigating how they can use Artificial Intelligence (AI) and Machine Learning (ML) in their branding.
It stands to reason, as both terms were well up the incline of the Gartner hype cycle in 2021.
Somewhat showing my age, I have been in the IT business a long time. Long enough to have gone through many hype terms, the most recent being "Grid Computing", "Edge Computing", "Cloud", "Big Data", "Blockchain" and "IoT" (many of the older ones are not even exciting today, so I left them out). My target today is two of the more recent: "Artificial Intelligence" and "Machine Learning" (I fully understand that one is a subset of the other).

Artificial Intelligence (AI) is a huge field of research of which Machine Learning is a part, but the difference is that with Artificial Intelligence we expect a system to be able to learn from almost nothing. The system uses complex algorithms that draw on its own "intelligence" to learn about its subject, its environment and so on. AI can be considered the computing equivalent of your own brain: when you are born you know nothing except the rudimentary "code" necessary for learning how to be a human. As far as processing data goes, true AI should be able to process structured, semi-structured and unstructured data, and in cyber security terms the unstructured data is the important part. To borrow from Donald Rumsfeld, there are things "we do not know we do not know", and a new breach is very often something we did not know about or expect, because the best malicious actors do not work the way we expect them to. These attackers have read the MITRE ATT&CK framework and are well paid, by foreign governments among others, to learn how to infiltrate an organisation without leaving a footprint.

Machine Learning, on the other hand, is about a given algorithm being able to parse and process the data it is given and generate results from that data without being explicitly coded for each case, because the algorithm has "learned" from past data. Machine Learning works well on structured and semi-structured data with known features, but a model can only recognise patterns that resemble what it was trained on; it will never "know what we do not know", because Machine Learning is blind to the unknown.
Today, in most cases where a technology uses the term "Artificial Intelligence", the vendor is talking about a very small subset of AI: Machine Learning. Machine Learning is still a critical part of being able to process data efficiently and fast, but Machine Learning in cyber security cannot separate noise from real malicious activity with any level of certainty, which is why most cyber security solutions today generate a lot of false positives and create so much noise that the Detection and Response capability stops being useful. For smaller customers without specialist IT staff this is really critical: your organisation must know accurately when suspicious behaviour is occurring, but after too many false alarms people stop looking with the same urgency. For larger customers with 10,000 endpoints, the noise (false positives) from a traditional AI/ML-based Endpoint Detection and Response (EDR) solution is deafening. When evaluating the cyber security vendors that provide your Managed Detection and Response (MDR) service, if the "M" is built on traditional EDR then you as the customer are either receiving many false positives, which lead to alert fatigue, or worse, there could be activity happening on your network that you do not know about for days, weeks or months after the event.
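To put numbers on the alert-fatigue argument above, here is an added worked example (my own illustration, not code from the original post or from any vendor). It applies the base-rate arithmetic that makes any statistical detector noisy when truly malicious events are rare: the false-positive rate is applied to the huge benign majority, so false alerts scale with fleet size while precision stays stuck near zero. Every figure in it (fleet size, events per endpoint, prevalence, detector true/false positive rates, triage time per alert) is an assumption chosen for illustration, not a measurement.

```python
"""Base-rate arithmetic behind EDR alert fatigue.

Added example, not part of the original post. All rates and counts below
are constructed assumptions for illustration, not figures from any product.
"""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AlertModel:
    endpoints: int            # fleet size (assumed)
    events_per_endpoint: int  # scored events per endpoint per day (assumed)
    prevalence: float         # fraction of events that are truly malicious (assumed)
    tpr: float                # detector true positive rate / recall (assumed)
    fpr: float                # detector false positive rate (assumed)


def daily_alerts(m: AlertModel) -> dict:
    """Expected alerts per day and the precision an analyst actually sees."""
    total_events = m.endpoints * m.events_per_endpoint
    malicious = total_events * m.prevalence
    benign = total_events - malicious
    true_alerts = malicious * m.tpr        # real attacks that were caught
    false_alerts = benign * m.fpr          # benign events wrongly flagged
    alerts = true_alerts + false_alerts
    precision = true_alerts / alerts if alerts else 0.0
    missed = malicious - true_alerts       # attacks nobody is told about
    return {
        "total_events": total_events,
        "true_alerts": true_alerts,
        "false_alerts": false_alerts,
        "alerts": alerts,
        "precision": precision,
        "missed": missed,
    }


def analysts_required(alerts_per_day: float, minutes_per_alert: float = 15.0,
                      hours_per_analyst: float = 8.0) -> float:
    """Full-time analysts needed to triage every alert (assumed triage cost)."""
    return alerts_per_day * minutes_per_alert / 60.0 / hours_per_analyst


# Constructed scenarios: a small shop and a 10,000-endpoint estate running the
# same (quite good on paper) detector: 95% recall, 0.1% false positive rate,
# with one truly malicious event per million scored events.
SMALL = AlertModel(endpoints=200, events_per_endpoint=1000,
                   prevalence=1e-6, tpr=0.95, fpr=0.001)
LARGE = replace(SMALL, endpoints=10_000)
# Same fleet, a detector ten times better at rejecting benign activity.
LARGE_BETTER = replace(LARGE, fpr=0.0001)


if __name__ == "__main__":
    for name, model in (("small", SMALL), ("large", LARGE), ("large/better", LARGE_BETTER)):
        r = daily_alerts(model)
        print(f"{name:13s} alerts/day={r['alerts']:9.1f} "
              f"false={r['false_alerts']:9.1f} precision={r['precision']:.4%} "
              f"missed/day={r['missed']:.2f} "
              f"analysts={analysts_required(r['alerts']):.0f}")
```

The point the numbers make: precision does not depend on how many endpoints you have, so a detector that is "99.9% accurate" per event still hands the SOC roughly a thousand false alerts per true one, and at 10,000 endpoints that becomes hundreds of analyst-days per day of triage. Cutting the false-positive rate tenfold still leaves precision under one percent, and the attacks the model never learned to recognise (the missed column) are the ones sitting on the network for weeks.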