Breaking the hype cycle of AI in cybersecurity

Every few years in IT, there’s a new buzzword or phrase that seems to grip the imaginations of both the technology press and the wider public.

Around a year or two ago, the talk circled around blockchain. Now the phrase on everyone’s lips is “AI,” and it seems that every product coming to market ships with some form of intelligent, self-learning machine at its core.

Often those claims are spurious but can be justified by the broad terms that define artificial intelligence. Whether or not your new household appliance teaches itself how to behave more responsively to your particular behavior is not of interest here. Still, it is worth paying attention to claims of “AI power” in mission-critical enterprise systems, especially those that are coming to market in the cybersecurity field.

Without getting into the detail of TensorFlow, PyTorch, SINGA, or Caffe, it’s probably worth defining what we mean by artificial intelligence in the cybersecurity function. Firstly we can safely assume that vendors’ claims of AI in their products are indeed valid — after all, it’s practically impossible to pull the wool over the eyes of professional cybersecurity operatives, whose grasp of networking and computing technology is about as deep as it gets!

But there’s a deal of variance in the areas in which cognitive routines are deployed. No vendor is claiming that its new product line can accurately predict the next move made by hackers and prevent it, and the industry is thankful for that. Instead, AI appears to be taking hold in certain areas, where the technology is proving its worth and forming useful additions to the inventory of tools, methods, and processes that can help protect the enterprise.

Mapping the standard

Like any organism, a modern organization comprises many thousands, if not millions, of points through which information passes, emanates or exits. From an old handheld brought every day into a branch office, to a highly distributed server cluster spread over multiple clouds, every entity will exhibit what might be termed “typical” behavior.

At a packet level, mapping that behavior is certainly easier to describe in language (“it’s a SQL database”) than in terms understandable by a computer, however smart it might be. Thankfully, this type of massive data ingress and parsing is what AI excels at; given enough time to monitor every endpoint, a picture can be built up of the digital behaviors that are typical, so that anomalies can be flagged for further attention.

Meet metadata

A sweeping term like “metadata” is applied in this context as a neat collective term for various peripheral aspects of network data. The non-encrypted handshakes that precede an HTTPS/TLS exchange, for example (TLS version, certificate authority, and so on), unusual user agents accessing unstructured data over CIFS, or DNS lookups of newly-created domains that comprise random strings of ASCII: all are relevant examples.

The ability of machine learning routines to process these types of input in real time is invaluable and can form an essential weapon alongside other methods of protecting the enterprise.
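One of the metadata signals described above, DNS lookups of newly created domains made of random strings, can be sketched as a simple rule before any machine learning is involved. This is an added example, not code from any vendor mentioned in the article; the log lines, the domain-age table (standing in for a WHOIS or passive-DNS feed) and the thresholds are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed DNS query log ("timestamp client qname"); not real traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.4.17 updates.vendor.example
2024-05-01T09:00:03Z 10.0.4.17 www.contentdelivery.example
2024-05-01T09:00:04Z 10.0.7.33 x7qk2vbn9zr4tw8m.example
2024-05-01T09:00:06Z 10.0.2.9 img.a1b2c3d4e5f6g7h8.example
2024-05-01T09:00:09Z 10.0.7.33 p3hd8wq1lz6ycf0j.example
"""

# Constructed registration ages in days, standing in for a WHOIS or
# passive-DNS feed (assumption: such a feed is available).
DOMAIN_AGE_DAYS = {
    "vendor.example": 2900,
    "contentdelivery.example": 3,      # new, but human-readable
    "x7qk2vbn9zr4tw8m.example": 1,
    "a1b2c3d4e5f6g7h8.example": 1800,  # random-looking, but long established
    "p3hd8wq1lz6ycf0j.example": 2,
}

def shannon_entropy(label):
    """Bits per character of the label's character distribution."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def registered_domain(qname):
    # Naive: last two labels. Production code needs the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def flag_queries(log_text, ages, max_age_days=30, min_entropy=3.5, min_len=10):
    """Return (client, qname, entropy) for new AND random-looking domains."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        domain = registered_domain(qname)
        label = domain.split(".")[0]
        entropy = shannon_entropy(label)
        age = ages.get(domain)  # None means the feed has no record
        is_new = age is None or age <= max_age_days
        if is_new and len(label) >= min_len and entropy >= min_entropy:
            hits.append((client, qname, round(entropy, 2)))
    return hits

if __name__ == "__main__":
    for hit in flag_queries(SAMPLE_LOG, DOMAIN_AGE_DAYS):
        print(hit)
```

Requiring both conditions keeps the new but readable domain and the old but random-looking one out of the alert queue, which is the false-positive trade-off a learned model would tune automatically.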

Keeping an ear out

Unstructured data is problematic in many areas of IT, as the information presented is often most economically normalized, or “processed,” by humans. In cybersecurity, that’s the role of staff in the SOC, tasked with responding to red flags, reading blogs and attack reports, keeping the cybersecurity community up to speed, and generally watching the arena of battle.

There’s still little substitute for experience and human knowledge, but the relatively slow speed at which we can absorb and process information means that there’s always a good chance that something important will be missed.

Here, artificial intelligence can help to pull cybersecurity intelligence reports into news feeds from multiple sources, collating and normalizing the data, and producing useful information as to attack vectors as they emerge, and their efficacy.

Here at Tech Wire Asia, we’re looking at two vendors with a new take on cybersecurity tools that use artificial intelligence to increase the enterprise’s overall security posture. Neither company is in the business of making overconfident claims as to its products, and that is, in and of itself, reassuring. We think either product (or both) bears scrutiny as well-organized groups of cybercriminals get faster, more inventive, and — we hope — less successful.


The Cognito platform from Vectra comprises a network traffic-based approach to cybersecurity, seeking out and identifying not what a malware instance might be, but what it does.

The solution is capable of monitoring entire networks in real time from a cloud install, or hybrid, or on-premise deployment. It uses cognitive routines to build host-based models of the whole network (irrespective of IP address or whether a node is real or virtual, for instance). Anomalous network activity, revealed by the giveaway behaviors exhibited in key attack phases, is flagged, assessed, and passed to Tier I staff.

Because much of the basic groundwork is done for staff, the need for large Tier I pools of cybersecurity experts is significantly lessened, with considerable reductions in staffing costs possible, while false positive numbers are also cut to more easily managed levels.

Identification and resolution are also aided, with Cognito finding the source of the issue quickly, and letting staff or automated routines fix the problem, as teams update defensive systems “live.”

Information passed on to teams is actionable data, rather than Cognito being another source of red flags that need to be sifted through by human operators. The platform fits in neatly with legacy tools and plays nicely with other cybersecurity measures and systems. You can read more about Cognito by Vectra here on the pages of Tech Wire Asia.


As you might expect from Big Blue, the company’s Watson platform figures heavily on the scene when it comes to its offering in this space.

But rather than using AI to examine network traffic or anomalous user behavior, the company’s AI routines are instead turned outwards, being used to collate and comb the multiple sources of cybersecurity data that abound on the internet.

Many companies will already be signed up to receive briefing papers, specialist news, and immediately machine-digestible updates from other companies that use a particular product, but what IBM’s Watson does here is quite specific.

Using AI to draw insights from disparate sources, and from unstructured data in particular, companies get a more in-depth insight into information that would otherwise take hundreds of working hours to consume and process.

The overall effect is that your human cybersecurity operatives can take their critical decisions more quickly (in the typical lifecycle of malware) and from a more informed position, and thus better protect the enterprise.

The insightful data comes with complete background and supporting information, so the required steps to prevent or negate any potential threat are made much clearer.

IBM calls its approach “Cognitive Security,” and who better to provide the indicators of compromise that need immediate investigation? For more information on this valuable addition to the cybersecurity team’s war chest, click here.