Artificial intelligence is all the rage in IT these days, with vendors rushing out new products and trying to assure CISOs that their products include some element of machine learning. But how much of this is hype?
Quite a bit, cautions Oliver Rochford, vice-president of security evangelism at DFLabs, in a column this week. “Machine learning by itself solves nothing without being applied to distinct problems,” he writes.
So what’s a CISO to do? Ask a few intelligent questions, Rochford advises.
What does your machine learn? Does the software really learn, or does it just do statistical analysis or correlation?
Where does it learn it? In a lab or in your environment? The former alone isn’t acceptable, Rochford says, but he adds that a hybrid of both can be okay. There is another consideration, he notes: does it learn on premises, or does your data have to be sent to the cloud?
How does it learn? A vendor should be able to provide a high-level overview of which machine learning approaches its implementation uses: supervised, unsupervised and reinforcement learning are the keywords to look for, along with high-level descriptions of the algorithms. For the inexperienced, Rochford suggests reading the machine learning cheat sheets provided by Microsoft. This information can help an infosec pro judge whether the vendor is using the right algorithm for the problem it is trying to solve.
Why does it learn it? In other words, why use that particular approach?
What does it solve? Does it solve a problem that would be impossible to solve with less sophisticated means, or that would be unfeasible or inefficient to solve any other way? Does it solve more than one problem?
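To make the “where does it learn it?” question concrete, here is an added example (not code from the column, from Rochford or from DFLabs) that miniaturizes a supervised detector and a purely statistical baseline. The event data, the single feature (failed logins per hour) and the midpoint-threshold “classifier” are all constructed assumptions chosen so the outcome is easy to follow; real products use far richer models, but the effect shown is the same: a model trained only on a vendor’s lab data can miss the attackers that actually show up in your environment.

```python
"""
Added example, not from the original column. All data below is constructed.

Each event is (failed_logins_in_last_hour, label) with label 1 = malicious,
0 = benign. The "vendor lab" contains noisy brute-forcers; the "customer
environment" contains low-and-slow attackers that look very different.
"""
from statistics import mean, pstdev

# Constructed lab data: the vendor's attackers fail dozens of logins an hour.
LAB = [(0, 0), (1, 0), (2, 0), (1, 0), (20, 1), (25, 1), (30, 1)]

# Constructed customer data: attackers here stay just above normal noise.
PROD = [(0, 0), (1, 0), (3, 0), (2, 0), (4, 1), (5, 1), (6, 1)]


def train_threshold(events):
    """Supervised learning in miniature (an assumed stand-in for a real model):
    fit a decision threshold as the midpoint between the mean benign and the
    mean malicious failed-login count in the labelled training events."""
    benign = [x for x, y in events if y == 0]
    malicious = [x for x, y in events if y == 1]
    return (mean(benign) + mean(malicious)) / 2


def classify(threshold, x):
    """Predict 1 (malicious) when the feature exceeds the learned threshold."""
    return 1 if x > threshold else 0


def accuracy(threshold, events):
    """Fraction of labelled events the threshold classifies correctly."""
    hits = sum(classify(threshold, x) == y for x, y in events)
    return hits / len(events)


def zscore_flags(values, k=2.0):
    """Unsupervised statistical analysis, not learning: flag any value more
    than k population standard deviations above the mean of the same data.
    No labels are used, so nothing is learned about what an attack looks like."""
    mu, sigma = mean(values), pstdev(values)
    return [v for v in values if v > mu + k * sigma]


def compare_training_locations():
    """Return accuracies for a lab-trained and a locally trained threshold."""
    lab_model = train_threshold(LAB)      # learned entirely in the vendor lab
    local_model = train_threshold(PROD)   # learned in the customer environment
    return {
        "lab_threshold": lab_model,
        "lab_model_on_lab": accuracy(lab_model, LAB),
        "lab_model_on_prod": accuracy(lab_model, PROD),
        "local_threshold": local_model,
        "local_model_on_prod": accuracy(local_model, PROD),
    }


if __name__ == "__main__":
    results = compare_training_locations()
    for name, value in results.items():
        print(f"{name}: {value}")
    prod_values = [x for x, _ in PROD]
    print("z-score flags (k=2):", zscore_flags(prod_values, 2.0))
    print("z-score flags (k=1):", zscore_flags(prod_values, 1.0))
```

The lab-trained threshold lands at 13 failed logins, which is perfect on the lab data and misses every attacker in the customer data; the locally trained threshold lands at 3.25 and catches all of them. The z-score baseline is the “just statistical analysis” case from the first question: with the usual two-sigma cut-off it flags nothing in the customer data, and loosening it to one sigma flags only the noisiest attacker, because it has no notion of what an attack is, only of what is unusual relative to the same hour’s mean.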
It’s not that machine learning. In a recent interview Forrester Research analyst Joseph Blankenship told me that it has a lot of potential to help in threat detection by overcoming limitations of existing rule-based systems, as well as automating and orchestrating security operations to help analysts in their decision-making. “One of the areas that’s very promising is the notion that we can use the technologies to help make the job of security analyst a little easier,” he said.
“As we add automated components to security operations we’re able to accelerate from minutes to seconds in terms of being able to do more manual aspects of investigations,” he said, particularly to guide more junior analysts on appropriate next steps in incident response.
But, he added, “we’re years away from the Skynet for security operations,” with robots handling cyber security. (Of course, Terminator movie fanatics know that Skynet ended up taking over the world …)
So be careful, says Rochford. Machine learning’s value is in solving aspects of incident response, advanced threat detection, hunting and investigation, he argues — in other words, to specific problems.