We’ve been hearing more and more about the ubiquity of AI, and how it is being embraced across virtually every industry sector, as well as in technologies ranging from autonomous vehicles to digital assistants. Beyond the hype and concerns about robot takeovers, AI offers pragmatic, science-based techniques and computations to make sense of very large datasets, help identify patterns and spot anomalies.
IDC recently launched its semi-annual Cognitive Artificial Intelligence Systems Spending Guide. According to the Guide, Canada’s spending on cognitive and AI systems is forecasted to hit C$675.2 million in 2018. And IDC Canada’s IT Advisory Panel found that AI adoption will increase by more than 50% within two years in Canada.
So we know that AI is becoming a growing fixture in how we do business. What does that mean for security?
Let’s take the example of TELUS where I work – we are an organization with complex security needs, and our AI work has focused on its application in security incident response (IR). Incident responders are the guardians of the organization. We monitor and respond to threats and threat actors. In my years in incident response, I’ve seen organizations move along the continuum of insight. We all started with data. We found ways to automate the conversion of that data into information. More recently, we’ve begun to take the next step of refining information into knowledge by harnessing what is known as ‘narrow AI’ – machine intelligence focused on one specific task.
Machines have played a vital role in automating each step along this continuum of insight. However, it’s only recently that we’ve seen machines offer the capabilities that allow us to apply AI algorithms at the scale required to solve complex, real-world problems.
But the final step, and arguably the most important one, is still firmly the domain of humans. Once we have the knowledge and insights generated by human-created algorithms, we need to step in again to refine that knowledge into wisdom, in order to extract the ‘why,’ which ultimately informs how we respond to a particular situation.
The continuum of insight broken down: data, information, knowledge, wisdom
The continuum of insight and its role in incident response is one example of how humans and machines co-exist within the paradigm of AI and security.
Data comprises the raw events generated by an environment. For example, Alice logged in at 9:00 a.m., and Bob logged in via VPN from Vancouver. If you have a large base of users like TELUS does, it’s a lot of data to process at human speed. In fact, on any given day, TELUS’ systems generate 4.2 billion events. Scalable log collection “engines” are critical to help our incident response teams stay on top of these large volumes of event data.
Humans have trouble processing data at these volumes, but we need to be able to meaningfully interpret these events in order to keep our customers and systems secure. By using system automation to distill that data into information, our security teams can focus their analysis efforts on a lower volume of more useful information. Up until now, the tools available in the industry have only provided simple processing and analytics capabilities. In fact, the 2016 SANS Security Analytics Survey found that 66% of organizations indicated that they developed in-house analytics systems, and only 4% considered analytics to be fully automated. That gap in the market created an opening for the application of AI and machine learning techniques.
With a desire for better data volume management, increased processing power and deeper analytics, organizations have begun to embrace AI and machine learning. But there is still this unaddressed need to decipher intent, which is hard to codify.
Some AI researchers are beginning to dabble in this endeavor, applying user behaviour analytics to understand the intent behind actions. For example, they are looking at activities like email habits and swipe cards to uncover anomalies and risks. It’s a potentially exciting breakthrough for incident response, because a lot of what is done now is based on gut and instinct.
But just like police officers, we can never have too many IR analysts to comb through the volumes of information and make educated calls. If we can automate the extraction of data into information and knowledge, we will be better positioned to focus on the appropriate responses and scale our processes accordingly.
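The data-to-information-to-knowledge steps described above, as an added example that is not part of the original article and is not TELUS code: login events like the Alice and Bob ones are reduced to per-user profiles, and new events are kept only when they deviate from the profile. The event fields, function names, sample events and the two-hour tolerance are assumptions, and simple baseline rules stand in for the machine learning techniques the article refers to.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): user, timestamp, access path, location.
HISTORY = [
    ("alice", "2018-03-05T09:00", "office", "Toronto"),
    ("alice", "2018-03-06T08:45", "office", "Toronto"),
    ("bob",   "2018-03-05T10:00", "vpn", "Vancouver"),
    ("bob",   "2018-03-06T10:30", "vpn", "Vancouver"),
]
NEW_EVENTS = [
    ("alice", "2018-03-08T09:05", "office", "Toronto"),
    ("bob",   "2018-03-08T03:12", "vpn", "Vancouver"),
    ("alice", "2018-03-08T09:40", "vpn", "Vancouver"),
    ("carol", "2018-03-08T11:00", "office", "Calgary"),
]

def build_baselines(events):
    """Data -> information: reduce raw events to one profile per user."""
    profiles = defaultdict(lambda: {"hours": set(), "places": set()})
    for user, ts, source, location in events:
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
        profiles[user]["places"].add((source, location))
    return dict(profiles)

def flag_anomalies(events, baselines, hour_slack=2):
    """Information -> knowledge: keep only events that deviate from the profile."""
    findings = []
    for user, ts, source, location in events:
        profile = baselines.get(user)
        if profile is None:
            findings.append((user, ts, ["no baseline for user"]))
            continue
        reasons = []
        hour = datetime.fromisoformat(ts).hour
        # Circular distance, so 23:00 and 01:00 count as two hours apart.
        gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in profile["hours"])
        if gap > hour_slack:
            reasons.append(f"login hour {hour:02d}:00 is {gap}h from usual")
        if (source, location) not in profile["places"]:
            reasons.append(f"new access path {source}/{location}")
        if reasons:
            findings.append((user, ts, reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_anomalies(NEW_EVENTS, build_baselines(HISTORY)):
        print(finding)  # the analyst still decides the 'why' behind each finding
```

Four new events become three findings with stated reasons; whether Bob's 03:00 login is travel, an on-call shift or a stolen credential is the judgement that remains with the analyst.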
Wisdom is the ‘why’ – why something has happened, not that it has happened or how it happened. And the why is obviously valuable when it comes to security. It helps us understand whether a person or an organization is being targeted systematically, or whether an event is a one-off situation. We can share these findings with colleagues across industry sectors for risk management, and to better understand threat actors and their intentions.
Extracting wisdom is a difficult proposition in cyberspace. You can’t quite dust for prints. And that’s why we need the brightest minds in our cybersecurity functions. This final stage of the insight continuum truly brings to light how much humans and machines complement each other. Machines are valuable in automating knowledge generation, and humans focus on using that knowledge to generate the wisdom of the ‘why’ and determine appropriate action.
Machines can make us more secure
From a security standpoint, the ‘march of the machines’ blended with human-designed and human-centric applications ultimately means that we can be more secure as a society. We can cover off more attack vectors. We can monitor more systems in more ways with the same size of team. We can take advantage of machine speed of response when analyzing staggeringly large datasets. If we can extract knowledge in an automated way, then we can also automate and significantly enhance our responses and mitigations.
With how fast threats are evolving, churning through volumes of data quickly (and in a manner that prioritizes privacy), generating knowledge in an automated manner, and empowering our people to focus on wisdom generation can contribute to better security outcomes.
For more discussion on the technological and societal impacts of Artificial Intelligence, read our blog post, Bina48 - The next technological frontier or robot apocalypse?