At Billington’s recent 13th Summit, a group of private and public sector experts gathered to discuss the role of artificial intelligence and machine learning (AI/ML) in cybersecurity. The group identified areas where AI/ML could and is having impact today, discussed some lessons learned for those considering more use of AI/ML in their cybersecurity programs, and highlighted some areas where more work needs to be done to enhance AI/ML’s role in these programs.
The group identified a broad array where they both saw AI/ML having impact on current programs and areas where AI/ML potentially could be applied to improve cyber defenses. These included:
- Automating the detection of known bad actor tactics, techniques, and procedures. AI/ML applications can find the known and highlight anomalies faster and with greater efficiency.
- Helping to understand network assets and identifying normal interaction between them and their interaction with other devices, users, and networks.
- Improving incident response to focus on the “right” threats while minimizing the false positives.
- Helping to identify new policies based on observing and understanding normal behavior to reduce vulnerabilities.
- Helping to identify the “wrong” security solutions while creating more effective ones.
- Helping to reduce supply chain risks, for example, helping to better analyze source code.
The group also highlighted some useful lessons learned from applying AI/ML in past projects. These included:
- Make organizations aware of both AI/ML’s benefits and limitations to help build better trust in applying it in the right way right from the start of any effort. The group highlighted that AI/ML is only as good as the expertise, testing and validation process, and continued learning injected into its application.
- Focus on leveraging AI/ML on the “right data” and expertise.
- Leverage AI/ML as an augmenter and not a replacement of your overall cybersecurity program.
- Focus AI/ML on problems that automation can address with the goal of freeing up your expertise to focus on new, as yet, least understood, means to continually improve security.
- Make sure to build an environment around your AI/ML implementation to continually assess, modify, and improve your automation.
Finally, the group highlighted areas that continue to be addressed or refined to make AI/ML even more impactful for cybersecurity programs. These included:
- There is a continued need to define AI/ML standards both technically and in application.
- There is a continued need to better understand how adversaries are using AI/ML in their work.
- More focus leveraging AI/ML is needed to help better understand supply chain issues.
- More focus leveraging AI/ML is needed to help protect operational networks and critical infrastructure.