
AI Rising: Artificial Intelligence and Machine Learning in Cybersecurity


The 21st century is ushering in a new litany of startups democratizing artificial intelligence (AI) and machine learning (ML) in this fourth industrial revolution that's reshaping entire industries. AI and ML are now radically changing detection and response methods in cybersecurity. According to KPMG, venture capital investment in AI startups globally doubled to $12 Bn in 2017.


AI is the ability of machines or software to demonstrate intelligence: understanding and perceiving their environment, taking action based on that adaptation, or even improving their own capabilities through that understanding. AI and ML systems are capable of cognitive functions, such as learning and problem solving, and are continuing to advance as more AI-driven systems are productized and brought to market.


Within the cybersecurity industry, legacy solutions capable of detecting attacks against a network or the endpoint itself historically relied on known patterns or "signatures" to identify potentially malicious behavior. Examples include identifying a NOP sled (a sequence of no-operation instructions meant to "slide" the CPU's instruction execution flow to its final, desired destination in memory, usually shellcode) or simply matching plain-text strings in the payload of the packet, such as "Gobble Gobble."


Over the past decade, the cybersecurity market has experienced massive consolidation through M&A and a changed network and endpoint security control landscape. The rise in advanced malware has left many companies defenseless as antiquated signature-based detection systems fail to detect it. New entrants have been reshaping the competitive landscape: companies such as Cylance, Vectra, and Darktrace have all brought products powered by AI and ML to the good fight. Palo Alto Networks recently acquired LightCyber in a $105 Mn transaction to add AI to its portfolio of UTM firewalls. While these solutions are effective in combating unknown threats, they don't come without their tradeoffs (read: false positives). However, they are far more effective at detecting zero-day exploits and malware than their signature-based cousins. Additionally, enterprise networks are constantly changing and evolving environments as systems and software are routinely patched, updated, or rolled out. Something that can continuously learn and dynamically adjust itself to the changing environment is therefore crucial.


LightCyber Magna (now Palo Alto Networks) learns about the behavior of endpoints by synthesizing and profiling network packets, flow data, and other metadata collected from its network probes, without needing to install agents on every endpoint.


Today, legacy network and endpoint security controls contain a database of signatures that look for known bad behavior. This significantly limits their visibility in detecting unknown, novel attacks where no known pattern exists, as well as in detecting command-and-control (C2) traffic, which is typically encrypted. Pattern recognition engines are ineffective against network packets that are encrypted via SSL/TLS or VPN tunnels.


Cybersecurity controls that don't use signatures instead use "machine learning" to profile, or "baseline," the behavior of systems on the network by analyzing their traffic, and they alert on deviations from that established good behavior. This is how many of the solutions in this list are designed.
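The contrast between the two approaches, as an added example that is not from the original article or any vendor's product: a signature matcher for the NOP sled and plain-text string mentioned above, next to a simple statistical baseline over per-host flow metadata. The 16-byte run length, the z-score threshold of 3, the XOR transform standing in for TLS encryption, and all sample data are assumptions constructed for illustration.

```python
import re
from statistics import mean, pstdev

# Signatures named in the article: a NOP sled (run of x86 0x90 bytes) and a
# plain-text string. The 16-byte minimum run length is an assumption.
SIGNATURES = {
    "nop_sled": re.compile(rb"\x90{16,}"),
    "gobble_string": re.compile(rb"Gobble Gobble"),
}

def match_signatures(payload: bytes) -> list[str]:
    """Return the names of all signatures found in a packet payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

def build_baseline(history: list[int]) -> tuple[float, float]:
    """Learn mean and standard deviation of a host's outbound bytes per interval."""
    return mean(history), pstdev(history)

def is_anomalous(observed: int, baseline: tuple[float, float],
                 threshold: float = 3.0) -> bool:
    """Flag an interval whose z-score against the baseline exceeds the threshold."""
    mu, sigma = baseline
    if sigma == 0:  # perfectly flat history: any change is a deviation
        return observed != mu
    return abs(observed - mu) / sigma > threshold

# --- Constructed sample data (not real traffic) ---
CLEARTEXT_PAYLOAD = b"GET / HTTP/1.1\r\n" + b"\x90" * 32 + b"Gobble Gobble"
# Stand-in for the same payload inside an encrypted tunnel: the content
# patterns no longer appear on the wire, so the signatures cannot match.
ENCRYPTED_PAYLOAD = bytes(b ^ 0x5A for b in CLEARTEXT_PAYLOAD)
# Outbound bytes per 5-minute interval for one host during normal operation.
HISTORY = [48_000, 52_000, 50_500, 49_200, 51_300, 47_800, 50_900, 49_600]

if __name__ == "__main__":
    print("cleartext hits:", match_signatures(CLEARTEXT_PAYLOAD))
    print("encrypted hits:", match_signatures(ENCRYPTED_PAYLOAD))
    baseline = build_baseline(HISTORY)
    # Flow metadata stays visible even when the payload is encrypted.
    for observed in (51_000, 900_000):
        print(observed, "anomalous:", is_anomalous(observed, baseline))
```

The same threshold that catches the large deviation is also where the false-positive tradeoff lives: lowering it flags more legitimate changes in the environment.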


AI in cybersecurity is the necessary next evolution in cyber defense for companies tired of constantly playing "whack-a-mole" as new infections or compromises appear due to a lack of detection efficacy in signature-based antivirus or intrusion detection. I anticipate that in the very near future, vendors will have to move away from signature-based detection completely, if not augment it using AI or ML, or face being rendered obsolete as the threat landscape continues to evolve along with the tactics, techniques, and procedures of adversaries.


If you're starting to evaluate different AI/ML solutions for a new rollout, here are some questions that should be asked of the vendor:

  1. What is the CPU and memory footprint of the solution?

  2. Can the AI/ML system perform all functionality if the host is offline and not able to reach the Internet?

  3. When was the AI engine developed and has it been used to effectively detect contemporary malware and exploits?

  4. Does it require an initial infection of a host in order to begin detecting malicious behavior/traffic?


About Alissa Knight

Alissa Knight is a senior analyst with Aite Group's cybersecurity practice. Ms. Knight covers cybersecurity in financial services and healthcare, serving as a thought leader and trusted advisor to financial institutions, established technology vendors, startups, and venture capital firms. She provides actionable recommendations to clients by producing research papers, speaking at conferences, interacting with clients, and leading consulting engagements as a purveyor of research and advisory services on the contemporary IT risk management topics that matter most.


Ms. Knight's most recent research has been in the cybersecurity of point-of-sale systems, data loss prevention, artificial intelligence, IT risk management frameworks, and identity access management. Most recently, Ms. Knight was the group managing partner of Brier & Thorn, where she was responsible for U.S., Europe, and Asia operations, and headed its connected car cybersecurity practice. She now sits on the Board of Directors as its Chairperson.


Ms. Knight has worked in cybersecurity for over 18 years as a penetration tester and incident responder, is a published author, and has started and sold two previous cybersecurity startups before launching her own venture capital fund. Ms. Knight is currently attending Temple University's Fox School of Business in pursuit of a degree in Economics.
