If you were at the last RSA conference in San Francisco, perhaps you came away with the impression that there would be no more cybersecurity problems. AI algorithms would detect any cybersecurity incident, even long before it started. Perfect, right?
This should mean the end for the whole traditional cybersecurity industry. Perhaps CISOs should already buy these solutions and eliminate the expensive and complex systems of firewalls, antivirus, IPS, etc.
But … wait a moment. Are we sure about this?
Cybersecurity is no longer a marginal discipline that basically begged for alms in the competitive world of budget allocation. Cybersecurity professionals have spent decades warning about the essential need to ensure, at whatever price:
- Legal and regulatory compliance
Thirty years after its birth, and billions of dollars later, the cybersecurity industry still does not give a definitive answer to the essential objectives that define it. On the contrary, the growing dependence of a digitized society, in all its facets, on technology increases the perception, and the reality, of a world increasingly vulnerable and on the verge of catastrophic episodes caused by the lack of cybersecurity. New actors on the dark side (even states) and more sophisticated attack strategies (even through the use of AI) paint a disturbing picture.
We should not label the cybersecurity industry as incompetent, although it may have been overly optimistic in its marketing messages and may have taken financial advantage of strong positions in its customers’ networks. But times are changing, and very quickly.
To date, the traditional approach has been the identification of known attack patterns through signature databases, port filtering, network isolation, event correlation, sandboxing, etc. The facts show, time and time again, that this approach is purely reactive and incomplete. It has repeatedly proven insufficient in an endless race between attackers and defenders.
To complicate things further, the massive use of information technologies in every aspect of our lives, the use of multiple devices by each person and the IoT explosion are multiplying the complexity and challenge of keeping our technological ecosystem secure and, therefore, our way of life.
We must resist the artificial intelligence hype as the answer to every problem when the main offering is mostly old products with a superficial face-lift, and we must not get carried away by enthusiasm for new, immature products. CISOs must keep devoting attention and resources to the traditional cybersecurity stack, which is still the one that protects our networks, while designing a viable route to the new AI paradigm.
However, the traditional reactive, rather than predictive, approach is clearly insufficient. The new cybersecurity platforms must be prepared to “understand” what normally happens in a network and what does not, and to help protect against the unknown.
Today we have no better technology for understanding normality (and, by deduction, abnormality) than artificial intelligence, with one of the many possible machine learning strategies applied to the problem. Artificial intelligence has arrived in the world of cybersecurity to stay and, little by little, to become the central element of any successful strategy for fighting threats.
Now, the goal is not to detect the attack or intrusion using previously known scenarios. The current approach, with AI and no signatures, is to build a complete and deep knowledge of the network or the system and to deduce that whatever happens outside normality is a potential threat. That will work with new and unknown attacks. The price will be false positives. How to reduce false positives to a near-zero rate is a matter for another article. But… IMHO it is the only realistic plan and the last hope to actually create solid IT operations for the future.
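As an added illustration, not code from the original post, here is the smallest form of the "learn normality, flag deviation" idea: a per-feature baseline learned from a clean window of constructed host telemetry, scored by z-score. The feature names, sample values and thresholds are assumptions; the point it makes is the one above, that a signature-free detector catches never-seen patterns at the cost of flagging benign bursts, and that moving the threshold trades one for the other.

```python
"""Baseline-and-deviation anomaly detector over constructed host telemetry."""
from statistics import mean, pstdev

# Hypothetical per-minute features for one host: (bytes_out, new_conns, dst_ports).
FEATURES = ("bytes_out", "new_conns", "dst_ports")

# Constructed "known-good" training window: 120 samples with mild, bounded variation.
TRAINING = [(4800 + 50 * (i % 7), 18 + (i % 5), 2 + (i % 3)) for i in range(120)]

# Constructed evaluation records with ground truth (True = real incident).
EVALUATION = [
    ((4950, 20, 3), False),     # ordinary minute
    ((5600, 19, 2), False),     # nightly backup burst: benign but outside baseline
    ((5100, 21, 8), True),      # modest, never-seen spread of destination ports
    ((60000, 120, 35), True),   # gross volume and fan-out anomaly
]


def fit_baseline(records):
    """Per-feature (mean, stdev) learned from a window assumed to be clean."""
    return [(mean(col), pstdev(col) or 1.0) for col in zip(*records)]


def score(record, baseline):
    """Largest absolute z-score across features, plus the feature that produced it."""
    zs = [abs(x - m) / s for x, (m, s) in zip(record, baseline)]
    worst = max(range(len(zs)), key=zs.__getitem__)
    return zs[worst], FEATURES[worst]


def detect(records, baseline, threshold):
    """Return (alerts, false_positives, missed_incidents) at a z-score threshold."""
    alerts, false_positives, missed = [], 0, 0
    for rec, is_incident in records:
        z, feat = score(rec, baseline)
        if z > threshold:
            alerts.append((rec, round(z, 1), feat))
            false_positives += not is_incident
        else:
            missed += is_incident
    return alerts, false_positives, missed


if __name__ == "__main__":
    base = fit_baseline(TRAINING)
    for thr in (3.0, 10.0):
        alerts, fp, miss = detect(EVALUATION, base, thr)
        print(f"threshold={thr}: {len(alerts)} alerts, {fp} false positives, {miss} missed")
        for a in alerts:
            print("   ", a)
```

At threshold 3 both incidents are caught but the backup burst is a false positive; at threshold 10 the false positive disappears and the subtle incident is missed, which is the tuning problem the text defers to another article.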
The explosion of devices, cloud deployment, massive data collection and full digitalization create challenges and needs that could not have been imagined not long ago. The new cybersecurity technology must be able to scale at any level and maintain reasonable acquisition and operating costs no matter how massive its use may be.
Today’s cybersecurity technology shouldn’t impact the way IT networks and departments work and, at the same time, should adapt to any deployment strategy, whether on-premises, cloud or hybrid.