Getting AI Right for Security: 5 Principles
By Kevin Kennedy, SVP Products, Vectra AI
Now more than ever, companies need effective security solutions. The cost of global cybercrime is projected to grow by 17 percent each year, reaching a staggering $12 trillion USD, cumulatively, by 2025. Thankfully, fire can be used to fight fire: AI can help organizations better protect their data, thwart attackers, and quickly identify and remediate threats. But with the buzz around “AI” dwarfing even “crypto” at its peak, it’s nearly impossible to cut through the marketing to find truth. Based on a decade of building applied cybersecurity AI, here are the five principles we’ve identified for maximizing value:
Start with a clear problem statement
If you’ve played with ChatGPT, you know that small tweaks to the query can make huge differences in the output. The same is true in building any AI model. So, nailing the problem statement is critical. When we started, we built a model with the problem statement: “Find unusual use of any account.” Our customers begged us to turn it off because it was too noisy. Turns out, unusual is the usual in the modern enterprise.
We went back to the drawing board, thought through the threat model, and got more precise: “Identify any privileged account operating in the gap between observed and granted privilege.” Why? Attackers inevitably escalate through privileged accounts, and they take advantage of overly broad privilege. So, if we can effectively define the zero-trust policy and then flag violations, we can accurately identify attacker activity. This required an entirely different approach to building the models, but the difference is profound. Privileged Access Analytics (PAA) is now one of the most valued capabilities in our entire portfolio—because we started with a more precise problem statement.
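To make that precision concrete, here is a toy sketch of the privilege-gap idea in Python. The account fields, function names, and flagging logic are hypothetical illustrations of the concept, not our actual PAA implementation:

```python
# Toy sketch of "the gap between observed and granted privilege."
# All names and logic here are hypothetical, not a product implementation.

from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    granted: set[str]                                 # privileges the account holds
    observed: set[str] = field(default_factory=set)   # privileges actually exercised

def record_usage(account: Account, privilege: str) -> None:
    """Learn which granted privileges an account actually uses over time."""
    if privilege in account.granted:
        account.observed.add(privilege)

def privilege_gap(account: Account) -> set[str]:
    """Granted-but-unused privileges: the surface an attacker can abuse."""
    return account.granted - account.observed

def flag_violation(account: Account, privilege: str) -> bool:
    """Alert when an account exercises a privilege it has never been
    observed using -- a potential sign of account takeover or escalation."""
    return privilege in privilege_gap(account)

svc = Account("svc-backup", granted={"read_mail", "reset_password"})
record_usage(svc, "read_mail")              # normal daily behavior
print(flag_violation(svc, "reset_password"))  # True: operating in the gap
```

Note how narrow the alert condition is compared to “find unusual use of any account”: nothing fires until an account steps into privilege it holds but has never used.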
Collect the right data
No AI model can be better than the data it’s trained and operates on. The PAA models referenced above could not operate without knowledge of every Kerberos transaction or Azure AD action in the relevant domain. That data trains their view of privilege and relationships, and it gives them the insight needed to evaluate account usage in real time for detection. Similarly, reliably identifying network command and control requires very granular time-series data on packet flow, along with a massive corpus of labeled data for both bad and good traffic.
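To illustrate the granularity gap, here is a hypothetical sketch contrasting a coarse flow-log record with the per-packet time series a command-and-control model can actually learn from. The field names are invented for illustration, not a specific product schema:

```python
# Illustrative contrast between coarse flow-log data and granular
# per-packet metadata. Field names are hypothetical.

from dataclasses import dataclass

@dataclass
class FlowLogRecord:
    """What firewall or flow logs typically provide: summary totals."""
    src: str
    dst: str
    total_bytes: int
    duration_s: float

@dataclass
class PacketSample:
    """Granular time-series metadata a C2 model can learn from."""
    timestamp: float    # precise arrival time -> inter-arrival regularity
    size_bytes: int     # payload size -> the size uniformity of beacons
    direction: str      # "out" or "in" -> request/response cadence

# A beacon with ordinary-looking totals is invisible in a FlowLogRecord,
# but its metronome-like timing and uniform sizes stand out clearly in a
# list[PacketSample] time series.
```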
It may be tempting to use the data that’s most readily available. For networks, that may be flow or firewall logs rather than detailed network metadata. But shortcuts like that dramatically reduce the value delivered.
Choose the best AI approach for each problem
You have the right problem statement and the right data; now it’s time to select an AI approach tailored to the problem you’re trying to solve. There is a plethora of machine learning (ML) techniques available, from neural networks and deep learning to k-means clustering, novelty detection, and (the current rage) transformers and large language models (LLMs).
As the “No free lunch” theorem dictates, just as with the data, there are no shortcuts to success when it comes to working with AI algorithms. Data scientists and machine learning engineers (MLEs) need to understand the data they’re working with and the problem at hand in order to select a specialized algorithm that will achieve the desired results—and general-purpose algorithms won’t cut it. In fact, choosing the wrong algorithm may give results that aren’t just suboptimal, but flat-out wrong.
Oh, and if you think that LLMs/transformers make this theorem obsolete, you’d be wrong: we’ve evaluated the state of the art for detection use cases and found that it underperforms specialized models today. LLMs are good at predicting what comes next (e.g., how many bytes will be in the next packet), but not so good at categorizing things (e.g., is this connection malicious or benign).
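To make the categorization framing concrete, here is a minimal sketch using a generic off-the-shelf classifier. The features and numbers are invented for illustration; any labeled corpus of connection metadata would be shaped similarly, and a production model would be far more specialized:

```python
# Sketch: "is this connection malicious?" as a supervised categorization
# problem. Features and values are invented for illustration.

from sklearn.ensemble import RandomForestClassifier

# Each row: [beacon_interval_jitter, mean_payload_bytes, unique_dst_ports]
X_train = [
    [0.02, 512, 1],     # low jitter, fixed size, one port -> C2-like
    [4.75, 9100, 14],   # bursty, varied sizes, many ports -> browsing-like
    [0.05, 480, 1],
    [3.10, 15300, 22],
]
y_train = [1, 0, 1, 0]  # 1 = malicious, 0 = benign (labeled corpus)

clf = RandomForestClassifier(n_estimators=100, random_state=0)
clf.fit(X_train, y_train)

# The model answers the security question directly -- P(malicious) --
# rather than the LLM-style question "what byte comes next?"
print(clf.predict_proba([[0.03, 505, 1]])[0][1])
```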
Run at speed and scale (and cost-effectively!)
Cyberattacks happen fast. This is especially true in the cloud, but even in-network, ransomware attacks can occur seemingly in the blink of an eye. Every minute counts for defenders. According to one study, the vast majority of organizations—90 percent—can’t detect, contain, and resolve cyber threats within an hour.
Against this backdrop, it’s critical that AI not only gets the right answers but also works fast and affordably in your environment. The speed requirement rules out batch analytics; it’s not helpful to detect today that you were ransomwared yesterday. That means you need a real-time, streaming architecture that still meets the requirements above: one that can run the best AI approach against your organization’s data, cover every security problem statement you need coverage on, and do it at an affordable price point. Platform matters.
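As a sketch of what that means architecturally, here is a toy streaming loop that scores each event the moment it arrives instead of waiting for a nightly batch job. The event source, scoring function, and threshold are all placeholders:

```python
# Toy streaming detection loop. The event feed and scoring model are
# placeholders; the point is per-event scoring on arrival, not in batch.

import time
from typing import Iterator

def event_stream() -> Iterator[dict]:
    """Stand-in for a real-time feed (Kerberos logs, network metadata)."""
    sample = [
        {"account": "alice", "privilege": "read_mail"},
        {"account": "svc-backup", "privilege": "reset_password"},
    ]
    for event in sample:
        event["ts"] = time.time()
        yield event

def score(event: dict) -> float:
    """Placeholder for the detection model; returns P(malicious)."""
    return 0.97 if event["privilege"] == "reset_password" else 0.01

ALERT_THRESHOLD = 0.9

# Each event is scored within seconds of arrival -- no waiting until
# tomorrow to learn that today's activity was an attack.
for event in event_stream():
    risk = score(event)
    if risk >= ALERT_THRESHOLD:
        print(f"ALERT ({risk:.2f}): {event}")
```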
Getting the most from AI requires continuous validation and improvement
Security is a hyper-dynamic space: Attack surfaces are ever-expanding, and threats are becoming increasingly difficult to detect. At the same time, security operations center (SOC) analysts are being inundated with alerts. According to The 2023 State of Threat Detection Research Report, “97 percent of SOC analysts worry about missing a relevant security event because it’s buried under a flood of alerts.”
Thus, it’s important that vendors validate and improve their AI models on an ongoing basis to ensure they continue to accomplish what they’re designed to do. In the jargon, this is measured by precision and recall. Precision reflects the false-positive rate (what fraction of alerts are real threats), while recall reflects the false-negative rate (what fraction of real threats are caught), and the two generally operate in tension with each other. Essentially, vendors need to know whether their models are catching the threats they’re intended to detect without burying analysts in alerts. No ML model is perfect, but with the right focus they can be an amazingly powerful weapon for defenders.
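For the sake of illustration, here is how precision and recall fall out of raw alert counts. The counts are invented; the formulas are standard:

```python
# Worked example of precision and recall from alert counts.
# The numbers are invented for illustration.

true_positives  = 90   # real threats the model flagged
false_positives = 10   # benign activity flagged anyway (alert noise)
false_negatives = 30   # real threats the model missed

precision = true_positives / (true_positives + false_positives)  # 0.90
recall    = true_positives / (true_positives + false_negatives)  # 0.75

# Lowering the alert threshold raises recall (fewer misses) but usually
# lowers precision (more noise) -- the tension described above.
print(f"precision={precision:.2f}, recall={recall:.2f}")
```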
With 92 percent of companies either using or planning to use AI and ML to enhance cybersecurity, a significant opportunity exists for vendors to create groundbreaking products that bolster security. By practicing the principles outlined above, vendors can get the most from their AI-powered security offerings and bring more value to their customers than ever before.
About the Author
Kevin Kennedy is senior vice president of products at Vectra AI. With more than 27 years in technology product management, more than half of them in security, Kevin has seen it all: from threat intel, encryption, and secure web gateways to content, email, firewall, and network security, to today leading the Threat Detection and Response product vision and strategy for Vectra. Not afraid to challenge the status quo, but respectful of the challenges security teams face, Kevin approaches product with a healthy dose of empathy – staying true to the problem to be solved – and effectively balancing innovation and practicality. Prior to Vectra, Kevin launched his career in threat intel at IronPort. He continued to hone his security product management skills with stints at Juniper, Cisco, and Agari Data. Kevin bleeds maize and blue, having graduated from the University of Michigan with a BSE in computer engineering.
Kevin can be reached on LinkedIn at https://www.linkedin.com/in/kevinkennedysf/ and at the Vectra AI company website https://www.vectra.ai/.