Why ML Comes Before AI in Digital Security

Are you becoming jaded by the hype of artificial intelligence (AI) and the overemphasis vendors are putting on its capability to solve a widening array of business issues?

Whether you have faith in its potential or fear its downsides, AI and cognitive technologies are taking hold in the Asia-Pacific region and are expected to grow at a CAGR of about 70% between 2016 and 2021, according to IDC. Although Singapore is one of the countries in the region leading AI adoption efforts, McKinsey predicted that Southeast Asian companies need more "defined business use cases, better data ecosystems." It also noted that more effort is required in talent development for AI adoption to take off.

As a subset of AI, machine learning (ML) “allows the software to learn through training itself instead of following a predetermined set of rules,” as defined by MMC Ventures in a recent report. According to research, ML was the most common AI tool deployed by business leaders in the Asia-Pacific region.

In the cybersecurity domain, we see CISOs investing in ML but remaining justifiably skeptical of AI. The reason is that security teams are drowning in too many warnings and have trouble narrowing down which ones require investigating.

In light of the heightened risk of security breaches in Asia and a shortage of cybersecurity talent, perhaps companies should be looking more closely at adopting security solutions powered by proven ML.

Understand the ML Difference

ML can help security staff decide what to investigate, detect low-and-slow attacks that defenses have missed, and gain enough time to validate and respond to the most serious problems. It can discern indicators of a breach in progress from collections of loosely related behavioral data faster and more reliably than an overworked (and often under-experienced) analyst.

In security operations, ML helps combat the urgent and challenging shortage of security analysts. Demand for cyber professionals is particularly high in Singapore, where it is predicted that 3,400 professionals are needed by the year 2020 to fill roles in “threat and vulnerability assessment, security management, and incident and crisis management.”

ML models evolve based on what they observe or how they are trained. Used on authoritative data sets, they help detect and prioritize materially interesting threats. They also automate aspects of an investigation that are slow and ineffective to execute manually.

What About Automated Response and Remediation?

The next step in ML adoption is to automate response. Security Operations Centers (SOCs) have historically and rightly been hesitant to automate remediation actions due to the risk of unplanned downtime and negative user experience from false-positive auto-responses. Vendors who claim to provide “AI” and “autonomous response” in one simple package are at risk of overpromising and disappointing an already hype-fatigued crowd of CISOs.

However, there is a significant opportunity in the market for ML-driven detection and investigation tools that integrate with best-of-breed response tools. These include next-gen firewalls and security orchestration, automation, and response (SOAR) platforms that are already in use by mature SOCs.

Technology leaders have seen the value of automation in DevOps and other areas. They are now embracing automation for cybersecurity and contemplating using AI in cybersecurity as well. However, just not yet.

For CISOs seeking solutions, it pays to understand the distinctions between ML and AI. Right now, AI in security is still mostly artificial and not that intelligent, while ML offers plenty of potential for positive impact in threat detection and investigation without AI’s downsides.

Albert Kuo, vice president of Asia Pacific at ExtraHop, contributed this article.

The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.