4 ways data and AI tip the cybersecurity scales towards the defenders

When it comes to cybersecurity, attackers have historically had the advantage. The barrier to entry for cybercriminals is low, while defense is increasingly complex. An attacker only needs to be right once, while defenders need to be right every single time.

But now, for the first time, it’s possible to tip the scales in favour of the defenders. Now, we can give defenders a data advantage. And security is a game of data.

With the right data, organizations can apply Artificial Intelligence to draw meaningful insights. The more data and intelligence they have, the more meaning they can derive from that information.

For defenders, this combination of data and AI has the potential to change the game completely. It can help businesses start to operate at machine scale, not just human scale. Defenders can see more threats and contain attacks faster to minimize damage. They can start to move from detection and remediation to prediction and prevention. Organizations can even start to address the massive shortage of cybersecurity resources and skills.

Here are four ways data and AI can start giving defenders an advantage over the attackers:

Managing security policies is notorious for requiring highly specialized resources. With AI, admins could ask the assistant to write new policies for them, identify and resolve conflicts among thousands of existing policies, find misconfigured policies and rules that cyberattacks could exploit and implement corrective actions. This would eliminate errors and reduce risk, while saving security teams countless hours and making them more effective — even with less experienced resources.

There’s a huge volume of telemetry available across the IT environment – from endpoint processes, web and application connections, network traffic, user behavior and more. This results in a huge number of signals, which can generate so many alerts and false positives that overburdened security teams can’t review them all and as a result experience alert fatigue. It makes sense that they would ignore low-level alerts. With AI models, they can analyze and correlate all the small signals that are typically ignored and reveal a larger signal of a real attack pattern that should not be ignored and might otherwise be missed. It means that fewer attacks get through, and security teams can cover more ground.

When deep learning models start to see small signals of a new vulnerability that it predicts could be a potential threat, AI can automatically trigger a snapshot of an environment right then and there — even before the threat is verified. Then, if the small signals start to add up and it turns out to be ransomware, defenders now have a point of immediate recovery. No data is lost. This is game-changing because it means that even if the defenders aren’t right every single time, they can still recover, contain and minimize the damage.

In a world where most traffic is encrypted, it’s not realistic to decrypt all traffic for deep packet inspection. AI can learn from vast volumes of data to understand indicators of malicious behaviour. AI can then analyze encrypted traffic to infer anomalous behaviour in near real-time and automatically take the appropriate actions.

As promising as the combination of data and AI is for tipping the scales, there are important considerations too.

The quality of data is key. As AI models ingest vast amounts of data, there is a growing concern about the quality of that information. Models risk learning from content that could be considered “garbage content,” which poses challenges for organizations relying on these models for decision-making. It’s crucial to carefully select the right model and training approach to minimize the risks associated with biased or unreliable data.

There is a need for “unlearning.” When it comes to data and AI models, the ability to discard or recalibrate acquired and potentially outdated data and knowledge is just as crucial as the initial learning process. Overly trained models may rely too heavily on historical data, to the point of possibly overlooking more recent developments. In other words, less is more here, and it’s imperative to strike a balance between learning and unlearning to ensure accuracy and relevance over time.

As technology advances, we must also look at the people and skills needed to ensure its success. Expanding the talent pool is critical. Organizations must start actively recruiting talent from a broader pool of resources with more varied perspectives, backgrounds and experiences — including non-traditional sources such as designers and liberal arts majors. The ability to solve problems, think critically and innovate will be just as important as cybersecurity expertise. Diverse teams also bring fresh perspectives on threats, which can pay dividends in AI training effectiveness and help improve an organization’s cybersecurity posture. In fact, the goal in cybersecurity should be to protect the 8 billion people in the world, and cybersecurity talent should reflect the people we are protecting.

We’re at an incredibly exciting time in the industry. Combining the right data with the right AI approach can be a force multiplier for security professionals that starts shifting defenses from reactive response to proactive containment. But there is much work still to do.

The world is increasingly interconnected. Economic, political, social and environmental issues cannot be addressed in silos. Keeping the world safe from cyberattacks will require significant public-private partnerships and collaboration. It will also require new levels of data exchange and interoperability amongst industry stakeholders despite their competitive dynamics. Overcoming these challenges is no easy feat — but doing so will tip the cybersecurity scales in favour of the defenders.