Network Security Solutions: Be Wary of the Hype Around AI

How many times have you seen a trailer for a new movie that makes it look absolutely fabulous? Special effects, big-name actors, promised plot twists. But when you actually see the movie, it is just another formulaic Hollywood film, not nearly as inspiring or entertaining as the trailer. We've all been there.

Unfortunately, businesses looking to secure their networks often have the same experience. As competition in the network security space intensifies, more and more vendors are marketing style over substance to businesses worldwide.

Just as trailer producers use gimmicks to convince prospective moviegoers that this one is worth it, some network security vendors create an illusion of performance and efficacy, distracting buyers with a fancy dashboard while blasting them with a barrage of alerts.

False Marketing Could Cripple Your Online Security

In a nutshell, hype is growing in the security industry: companies use buzzwords and marketing jargon with little to back them up. Let's examine a few crucial aspects that few vendors are upfront about during the purchase process.

Overhyping Artificial Intelligence (AI) Capabilities

Some vendors say their product is AI-powered, and they certainly do use some AI functionality. But their implementation is often simplistic, and their claims for what the AI can do often far exceed reality. For example, Darktrace relies primarily on an unsupervised machine learning technique called "Recursive Bayesian Estimation," applied to all accumulated data. This probability-based approach models what is unusual rather than what is malicious, so it does not by itself deliver accurate threat insights. As cyberattacks grow more complex, such a solution quickly becomes a false-positive generating machine, burdening your security operations with unnecessary investigations.

Exaggerating Product Capabilities

After seeing the final product, it may become clear that many vendors simply offer anomaly detection. For instance, Darktrace's product flags anomalies, meaning anything inconsistent with baseline behavior, a very large number of which are benign false positives. There is also little to no information about the detected anomalies, so what is claimed to be a time-saver actually makes remediation difficult and time-consuming.

Many companies also market features that their R&D teams are still developing. For example, Darktrace claims full integrations but primarily integrates only with SIEMs and firewalls, which limits its usefulness: it cannot share alerts with endpoint protection or email gateways.

Fast Remediation Times. Really?

Comprehensive solutions that provide actionable insights help security teams save valuable time and resources. With some solutions, however, security professionals must work with limited context that does not help pinpoint the issue and instead creates more work, slowing remediation. Worse, the alerts are isolated single incidents, while a typical attack has many facets, so remediating a single alert does not remediate the entire attack.

5 Questions You Need to Ask Before Picking a Solution

Now that you have seen how some companies hype their products beyond their actual capabilities, ask yourself five questions as part of evaluating a solution. And be sure to include in your evaluation the security analysts who will actually use the product.

1. Does it recognize malicious behavior?

AI can be very effective at organizing the massive volume of data generated by network traffic analysis: it can work out what is normal and what is anomalous. But identifying something as anomalous does not mean it is malicious. Products that also understand what malicious behavior looks like can distinguish benign anomalies from malicious ones, minimizing false positives and improving detection of high-risk activity. And simply subscribing to published lists of malicious domains, IP addresses, and IoCs is not enough, as those databases are always playing catch-up with the latest attacks.
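To make the distinction concrete, here is an added example (not code from Lastline, Darktrace, or any product named on this page) that runs a simple per-host volume baseline over constructed flow records and then applies a behavioral check on top of it. The baseline values, the 3-sigma threshold, the beaconing jitter limit, and the host and destination names are all assumptions for illustration. A backup server that pushes a monthly full backup to its usual target trips the anomaly baseline but not the behavioral check; a laptop that calls out at fixed intervals to a destination it has never contacted before trips both.

```python
"""Anomaly-only scoring vs. anomaly plus malicious-behaviour checks.

Added example; all data below is constructed and all thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 3.0   # assumption: 3 sigma above the host's own daily-bytes baseline
MIN_BEACONS = 4     # assumption: need at least 4 contacts to judge regularity
MAX_JITTER = 0.2    # assumption: max coefficient of variation of inter-contact gaps

# Constructed learning-period baseline: bytes sent per day, per host.
BASELINE_BYTES = {
    "backup-srv": [50_000_000, 52_000_000, 49_000_000, 51_000_000, 50_500_000],
    "laptop-17":  [120_000, 150_000, 130_000, 110_000, 140_000],
    "laptop-22":  [100_000, 130_000, 120_000, 115_000, 125_000],
}
# Constructed learning-period destinations seen for each host.
BASELINE_DESTS = {
    "backup-srv": {"backup.corp.example"},
    "laptop-17":  {"mail.corp.example", "wiki.corp.example"},
    "laptop-22":  {"mail.corp.example", "wiki.corp.example"},
}
# Constructed flows for "today": (host, destination, bytes, timestamp_seconds).
TODAY_FLOWS = [
    # Monthly full backup: ~6x normal volume, but to the usual target, one flow.
    ("backup-srv", "backup.corp.example", 300_000_000, 3600),
    # Laptop with regular 5-minute callbacks to a never-before-seen destination.
    ("laptop-17", "cdn-update.example", 2_000_000, 0),
    ("laptop-17", "mail.corp.example", 50_000, 100),
    ("laptop-17", "cdn-update.example", 2_000_000, 300),
    ("laptop-17", "cdn-update.example", 2_000_000, 600),
    ("laptop-17", "cdn-update.example", 2_000_000, 900),
    ("laptop-17", "cdn-update.example", 2_000_000, 1200),
    # Ordinary day for another laptop.
    ("laptop-22", "mail.corp.example", 60_000, 100),
    ("laptop-22", "wiki.corp.example", 50_000, 400),
]


def zscore(host, bytes_today):
    """How many standard deviations today's volume is from the host's baseline."""
    hist = BASELINE_BYTES[host]
    sd = pstdev(hist)
    if sd == 0:
        return float("inf") if bytes_today != mean(hist) else 0.0
    return (bytes_today - mean(hist)) / sd


def is_beaconing(timestamps):
    """True when contacts are spaced at near-constant intervals (C2-style callback)."""
    if len(timestamps) < MIN_BEACONS:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps) <= MAX_JITTER


def classify(host, flows):
    """Return 'normal', 'benign-anomaly' or 'malicious' for one host's flows."""
    total = sum(f[2] for f in flows)
    anomalous = zscore(host, total) > Z_THRESHOLD
    by_dst = defaultdict(list)
    for _, dst, _, ts in flows:
        by_dst[dst].append(ts)
    new_dsts = set(by_dst) - BASELINE_DESTS[host]
    beacons = {d for d, times in by_dst.items() if is_beaconing(times)}
    # Behavioural indicator: regular callbacks to a destination this host never used.
    if beacons & new_dsts:
        return "malicious"
    return "benign-anomaly" if anomalous else "normal"


def triage(flows=TODAY_FLOWS):
    """Classify every host present in the flow records."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f[0]].append(f)
    return {host: classify(host, fl) for host, fl in by_host.items()}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host:12s} z={zscore(host, sum(f[2] for f in TODAY_FLOWS if f[0] == host)):8.1f}  {verdict}")
```

The point of the second check is that the anomaly score alone ranks the backup server as the most unusual host of the day, which is exactly the kind of alert that wastes an analyst's morning. Requiring a behavioral indicator (here, regular callbacks to a destination outside the host's history) is what separates "big but expected" from "small but hostile"; keepalives to a known destination are deliberately not flagged.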

2. Does a prospective vendor or product actually deliver as promised?

You need to ask for details about what exactly is behind the promises you see in marketing campaigns and initial sales pitches, such as what a vendor's AI is truly capable of. Do a thorough background check, including reading product reviews and looking at employees' work experience, to learn about the DNA of the company you are considering. The more you research prospective vendors and their products, the fewer surprises you will encounter after implementing the chosen solution.

3. Will it scale?

You are a growing company, likely with multiple locations. The bigger you become, the more cyber threats, and the more complex ones, your security team will need to handle every day. You need a solution that scales easily to the increased workload, including large volumes of data flowing between locations and stored in the cloud, and that stays reliable, especially with respect to false positives (and false negatives).

4. What information do you need to remediate a network breach?

Consider how your security team operates today. What information do they get from existing tools, and is it enough to remediate a breach quickly and completely? Do the tools identify all impacted systems, with enough context to speed investigation and action? Or are they simplistic alerts, false positives included, that require time-consuming investigation? Make sure any solution you consider can deliver the details you need.

5. How many personal devices are brought into the office every day?

Bring your own device (BYOD) has gone mainstream. Employees access information from anywhere, at any time, and from any device, and employees who travel are expected to stay online while they do so. IT teams are now expected to give them remote access to systems and to secure all private and confidential data on their phones and laptops. How will you secure devices that may be compromised off-site and then brought into the office, where the infection can spread? How will you detect the network anomalies that indicate lateral movement?

Bringing Smart into Your Security

There is no doubt that AI, combined with internally generated threat intelligence, can support the crucial elements of a comprehensive enterprise defense plan: prioritization, metrics, continuous diagnostics, and the other best practices encapsulated in the Center for Internet Security's Critical Security Controls. Learn more about how you can follow these recommended actions in your fight against digital threats.

AI certainly can improve cybersecurity solutions, especially given the volume of data generated by network activity, but not all AI is the same. Set appropriate expectations for what AI can do and insist on full disclosure from the vendor about its implementation. My advice is to avoid the hype and find vendors that are explicit about how they have incorporated AI and about the level of human engagement that will still be needed. Find a vendor that understands both the capabilities and the limitations of AI.

Here at Lastline, we have built AI, more specifically machine learning (a particular type of AI), into our products from day one. Lastline Defender uses supervised and unsupervised learning to analyze network traffic and malicious behaviors, detect attacks, eliminate false positives, and provide high-fidelity insight into and context for the entire infection chain. Security teams can then use these insights to respond faster and remediate advanced threats completely. Think of it as that rare movie that actually lives up to its trailer!

Find out more about how Lastline delivers what we call “AI Done Right.”

Mustafa Rassiwala

Rassiwala has more than 10 years of experience in security product management, building DLP, SIEM, security analytics, fraud management and network security products. He has proven success at many companies including RSA, Symantec, HPE (ArcSight) and startups such as ThreatMetrix, Platfora and JASK. He has also held engineering roles at EMC/Documentum.