What can AI do for cyber security?

For Tumelo Mashego, AI might be the cops that every machine needs in the fight against cyber crime.

Johannesburg, 28 Oct 2019

Axiz business unit manager Tumelo Mashego says that although artificial intelligence (AI) can be a thorny topic, especially with talk of it either taking humanity to new heights or bringing about the end of us, the truth is still undetermined, since many of these futuristic systems don’t even exist yet.

But for Mashego, AI is a powerful tool when it comes to pattern recognition, which is very useful when trying to keep cyber criminals at bay. "These threats use the speed and volume of data, as well as the complexity of modern networks and technology stacks, to ferret into systems and hide attacks."

Mashego adds that even though they are not clandestine, those acts can often create alerts. However, the problem is that so does everything else in an ICT estate. "According to a survey by the Cloud Security Alliance, over 30% of IT security professionals ignore alerts because there are so many false positives." So the sheer volume of information generated by modern technology threatens to overwhelm security measures.

“The era of big data means there is much more going around. Adding to this is the fact that IT professionals have a lot to do because of digital transformation and other technology influences. They also don’t have the control they used to rely on because data can now leave the company’s parameters. Even just a poor BYOD security environment can become incredibly dangerous. Cyber security has never been harder and more complicated than it is now.”

Can AI save us?

Can one take out the security, but leave in the factors overwhelming it? Mashego explains that this is the very reason why everyone struggles with today’s information age, because we have too much information and too little time to make sense of it.

"AI has become popular for this specific reason. It can move faster than humans, take in more data, connect more dots through pattern recognition and respond at the blink of a computer’s eye," she adds.

"Computer systems have not been inept against cyber attackers. But they tend to focus on high-volume and low-sophistication attacks. When a threat is much more advanced, more akin to a careful chess game than a random bug infection, it becomes much harder to spot. It’s how some black hat hackers have stayed inside systems for months and even years on end."

But unsophisticated attacks can also have an edge that’s hard to stop. “Ransomware isn’t a very sophisticated attack. But once it’s in a system, it can spread quickly, right under the noses of security measures. You want to catch it at the source.

“Such unsophisticated attacks can also be introduced in sophisticated ways, such as spear-phishing. That’s when criminals use tailored correspondence to get to a specific person, usually to get their security credentials. Then the criminals can infect the systems using those login details.”

AI trained to spot behavioural anomalies can detect such attempts. In a practice called multi-factor authentication, different indicators such as user behaviour, geography and timing are used to calculate if something doesn’t add up around certain credentials. It’s not that different from a bank noticing your credit card is suddenly being used in Burma, only more sophisticated in the behaviours it spots.

Sophisticated pattern recognition can also detect behaviours such as ransomware or malware trying to spread. With the right policies in place, the AI can lock down infections before they spread.

Augmented intelligence

Should AI be tasked to look after security? Mashego says no, that would be a bad idea, but not because of AI trust issues. AI is still a machine doing a specific task and AI becomes useless outside of its parameters.

Cyber attacks are also inevitably performed by humans who make a career out of subverting security systems. AI is just another system. Despite the dominance of AI at games such as chess and Go, motivated and skilled cyber criminals can beat it. For good security, you need people in the mix.

Catch 22? Mashego points out this issue takes us back to the alert fatigue problem and another interesting statistic from that survey by Cloud Security Alliance: 40.4% of security professionals said they lacked actionable intelligence to decide on an alert. The most potent use of AI in security is perhaps to collaborate with human security professionals. “An AI can act quickly and stop certain things in their tracks. But that’s not foolproof. Humans have the intuition and experience to look at many factors and come up with creative explanations. AI can’t do that; not yet, anyway. But it can create greater context around alerts and decide what should be shown to security staff, who can then decide on the appropriate actions.”

This begs the question: Where is AI in today’s security products? Even though AI solutions are starting to appear, they are still quite scarce. One reason, Mashego says, is the cost associated: “You don’t just buy AI and install it and there it goes. AI needs to be trained and maintained. It can be a very demanding asset.”

Training is made harder by the availability of security data. Cyber attacks are a clandestine activity: even the good guys often keep serious cyber weapons secret. Access to such datasets is by its nature very limited. The massive resource demands mentioned above are also not to be underestimated. For these reasons, security AI is usually found through managed security services that can pool resources and data.

But Mashego adds that we shouldn’t focus on AI alone: “AI has potentially great benefits for security, but that doesn’t mean the other security practices fall away. Train people about good passwords and security hygiene. Put proper BYOD policies in place. Take data management seriously. Invest in end-point security and security skills, and work out the threats to your business for a security strategy. AI is emerging in today’s security products, but those products are also already really good. But they are meant to work with people and good security culture.”

AI won’t save us from cyber criminals. Yet, by giving a little help to humans and catching lightning-fast attacks before they land, it does create an advantage that we, and cyber criminals, can’t dismiss.

A wave of big data from a slew of ubiquitously networked devices, sensors and the Internet of things is flooding organisations across the board and putting pressure on data centres to deliver and perform at their peak. Moreover, the need for instant ‘from anywhere’ resources from the business perspective has led to the development of powerful ‘hyper-scale’ cloud data centres.

This is according to Tondani David Mphephu, Azure expert at leading ICT value-added distributor, Axiz. “It’s no surprise then that Internet giants, and the hyper-scale data centres they are creating to support their platforms, are at the centre stage of all conversations around the storage and data centre today. The sheer scale at which these providers are developing infrastructure, the innovation they are driving, and how they are competing are dominating the cloud landscape and are hot topics.”

He says the hyper-scale cloud was developed by the cloud behemoths (think Microsoft, Amazon and Google) to support the creation and delivery of software-based services at lightning speed, and with the lowest possible price tag. “They wanted a platform that underpins the ongoing, reliable and scalable delivery of software-based services without the expense and speed limitations that go hand in hand with physical hardware and networking infrastructure.”

The hyper-scale cloud is essentially a software-based environment that is removed from physical infrastructure so that all resources provided by the infrastructure can be manipulated quickly and programmatically, without long, onerous procurement cycles and time-wasting human intervention, explains Mphephu. Software applications developed to run in a hyper-scale cloud environment are designed to be fast, cheap to deploy and extremely resilient to physical infrastructure failure.

Hyper-scale cloud is not only removing the barriers to service innovation by allowing new software to be deployed almost as fast as it can be created, but it is also driving the democratisation of many technologies that were previously only available to large enterprises, such as analytics and AI, he says.

Mphephu adds a caveat: “All hyper-scale providers are not equal, and because software is at the heart of all technology innovation, those who get it right will devour market share. This is why Microsoft Azure now offers a whole new set of capabilities and features far superior to its competitors. The fact that more than 95% of Fortune 500 companies use Azure speaks for itself.”

Today’s world is an ‘everything instantly’ one. Organisations need speed to deliver, and they require vast amounts of data capacity. At the very core, hyper-scale is built on three pillars of speed – build, deploy and respond, and it can help businesses deliver on all of these. However, hyper-scale needs to be executed and deployed in phases, and this is one area where having a good partner is key, as they will not only help you plan to improve your time to value, but help navigate your organisation through deployment, ensuring that your business has the appropriate services and the space needed to expand.”

And because organisations can’t afford any downtime, a good hyper-scale partner will ensure your environment is kept up and running and is resilient, says Mphephu. A good partner will have the necessary experience in delivering hyper-scale deployments and will have proven themselves, by having a true understanding of the points of failure to avoid, and an appreciation of what challenges hyper-scale providers face.

Another major benefit of having the right hyper-scale partner is visibility. “We all know the old adage, you can’t manage what you can’t see, and in a hyper-scale environment, visibility is crucial. Too many people trying to manage such a vast ecosystem is asking for trouble, but at the same time, it is crucial that the right people know what is going on in the data centre at all times. To avoid a bad management situation, a hyper-scale provider will be able to deliver on a service-based integrated technology that gives your organisation the appropriate optics and controls that boost performance through a single pane of glass,” Mphephu continues.

Next, he says, is flexibility. “There’s no point in adopting hyper-scale if you don’t have the agility and flexibility needed to scale up and down as required, or if you are locked into a contract that doesn’t meet your needs. It is not an exact science; it is not always possible to predict exactly how much capacity the organisation needs now, never mind how much it might need in two years' time. Finding out what works and what doesn’t can take time, and a good hyper-scale partner will work with your business, and scale and grow with you, as well as give you a flexible contract.”

Finally, in terms of cost savings, it’s no good jumping on the bandwagon without understanding the true cost of ownership (TCO). It’s not a question of an upfront expense, or even knowing exactly what you’re in for on a monthly basis financially into perpetuity. “It is crucial to work with a hyper-scale partner who can help align your business strategy with your hyper-scale needs,” concludes Mphephu.