It’s no longer comparable to Kasparov versus Deep Blue. When security teams use AI, it’s like Kasparov consulting with Deep Blue before deciding on his next move.
A typical cybersecurity analyst is never short of work, a lot of which can be futile. According to a 2015 Ponemon Institute study, by the end of the year the average security operations center has spent around 20,000 hours just on chasing alerts that prove to be false alarms. Traditional security systems generate a lot of noise that needs to be waded through, which creates even more work. At the same time, a vast pool of security information is published across multiple media in natural languages that can’t be quickly processed and leveraged by these systems.
Cognitive security, or artificial intelligence, can “understand” natural language, and is a logical and necessary next step to take advantage of this increasingly massive corpus of intelligence that exists. These solutions, which have recently come into the market from a number of vendors including IBM Resilient, can be effective in all functions of cybersecurity, but perhaps none more so than in the response phase. Here the key metric is how quickly your team can mitigate the threat and get back to normal operations. Pairing humans and cognitive security solutions will help make sense of all this data with speed and precision, accomplishing response in a fraction of the time.
But using cognitive solutions is not about man vs. machine. To borrow from an earlier era of artificial intelligence, it’s not as much Kasparov vs. Deep Blue as it is Kasparov consulting with Deep Blue before deciding on his next move against an unknown opponent. Defense works best when people and machine work together.
There are three fundamental reasons why this is true, especially when responding to a cyber incident:
- Level playing field: Cyber attacks and their breaches aren’t executed by technology; they’re the work of human beings. Therefore, it’s good business sense to level the playing field by having real humans on the other side of this. It’s even been referred to as “hand-to-hand combat.” This symbiosis between cognitive technology and human being is crucial and will ensure your organization is best equipped to respond.
- Information curation: While cognitive solutions can process information in nanoseconds and make key suggestions, not all information is relevant. Systems need to accept input from the analyst to set the broader context of an incident. They also need to be able to describe and document their findings and remediation steps and rank the information, Spotify-style, to separate what was relevant from any red herrings. This all helps to inform the next suggested response.
- Risk of false positives: The cost of a cyber attack is well researched, but the cost of a false positive is more elusive. Consider a penetration test: an automated incident response system may see what looks like an attack on the database and shut it down. This kind of decision is a high-stakes scenario that needs a human in the loop.
AI-Assisted Incident Response & the Skills Shortage
Another key benefit: artificial intelligence will help address the talent management issue of “infosec burnout.” One analyst who documented how long it takes to fill open senior-level security positions theorizes that people bail early in their security careers after getting a taste of what the job is all about. Stress in this job is real but can be reduced if analysts work at a more strategic level by curating, not just reacting, and by consulting with a cognitive system that can share what others have done.
In the face of an increasingly hostile environment, keeping humans in the loop and backing them up with a data-rich cognitive system is what will give businesses their best shot.