Most security teams in the cybersecurity industry are facing challenges due to lack of sufficient manpower and an overwhelming number of false positives and noisy alerts. This situation often leads to genuine threats being overlooked or underestimated. The integration of artificial intelligence (AI) and machine learning (ML) into daily workflow has the potential to greatly benefit these teams. However, many ML-based detections currently fall short in terms of quality, and incident responders often struggle to interpret the meaning and significance of these alerts.
The question arises as to why, despite all the hype surrounding AI and ML, many security users feel underwhelmed. What needs to happen in the next few years for AI and ML to fully deliver on their cybersecurity promises? The answer lies in understanding the difference between AI and ML and addressing the challenges facing the widespread adoption of these technologies.
AI is a broader term that refers to machines mimicking human intelligence, while ML is a subset of AI that utilizes algorithms to analyze data, learn from it, and make informed decisions without explicit programming. It is crucial for cybersecurity leaders and practitioners to understand this distinction.
When new technologies like AI and ML are introduced, it can be difficult to determine what is commercially viable and what is just hype. The Gartner Hype Cycle offers a visual representation of the maturity and adoption of technologies, helping to differentiate between hype and real-world applications. However, there is a problem when it comes to discussions about AI and ML. The term “AI” is often used as a catch-all term without consistent reference to any particular method or value proposition. This overselling of ML tools as AI leads to unrealistic expectations and results in many ML projects failing to deliver value. ML projects that focus on concrete operational objectives are more likely to achieve their goals.
While AI and ML have made significant advancements in enhancing cybersecurity systems, they are still relatively nascent technologies. When their capabilities are exaggerated, users become disillusioned and begin questioning the value of ML in cybersecurity altogether. Another obstacle to the widespread deployment of AI/ML in cybersecurity is the lack of transparency between vendors and users. As the algorithms become more complex, it becomes increasingly difficult for users to understand how a particular decision was made. Vendors often fail to provide clear explanations citing the confidentiality of their intellectual property. This lack of transparency erodes trust, causing users to rely on familiar technologies instead.
To fulfill the promise of AI and ML in cybersecurity, cooperation between stakeholders with different incentives and motivations is necessary. Security researchers and data scientists need to work together closely, exchanging knowledge and expertise. Data scientists can contribute by using ML to identify meaningful patterns in large datasets, while security researchers can provide insights into threat vectors and vulnerabilities.
Data quality is also crucial for the success of AI/ML tools. Normalizing data at the point of collection ensures that it is in a standard format, resulting in more accurate ML models. Prioritizing the user experience is another important aspect. Security applications are often known for complex and unintuitive interfaces, but by starting from the user experience, developers can create tools that are easy to use and engage with. Incorporating clean visualizations, customizable alert settings, and easy-to-understand notifications can greatly improve the adoption and usability of security tools. It is also essential to have a feedback loop when applying an AI/ML model to a security context so that security analysts and threat researchers can provide input and make corrections to tailor the model to their organization’s specific requirements.
The ultimate goal of cybersecurity is to prevent attacks rather than just reacting to them. By delivering practical ML capabilities that security teams can effectively implement, the hype surrounding AI and ML can be overcome, and the promise of these technologies can be fulfilled. It will require collaboration, transparency, and a user-centric approach to bring AI and ML to their full potential in the cybersecurity field.