3min. read

AI in Cybersecurity: Beyond the Hype and Facing the Challenges

By Zachary Malone, Technical Enablement Architect, Palo Alto Networks

What Is, and Perhaps More Importantly, What Isn’t, AI

AI, at its most basic, is some type of algorithm that is designed to interact with a dataset in a way that mimics intelligence. As the algorithms get more complex and focused, they are able to produce some thought-provoking outcomes, such as seemingly human-like language generation, art generation, and beyond-human pattern recognition. The caution and subsequently what is not AI is that it is only “seemingly.” Take language-generation tools for instance. They are actually massive probability mappings of previously made text (typically from the web), which then look to generate text based on the probability that each new word or phrase would come after the previous one(s) just generated (in relation to the prompt given by the user). While it turns out this probability-generative approach works extremely well, it is not free thinking and has pitfalls when the probability of multiple responses is high, yet there is only one correct path. It's essential to remember what makes AI work so that companies can utilize it properly. The effectiveness of the tool depends on how it's wielded.

Why Is AI Important in Cybersecurity

When you look at the basic concept that AI algorithms can create probability mappings of a given dataset and then determine what would probabilistically generate in the same manner, and then apply this to the concept and dataset of malicious tools and behaviors vs. benign ones, we start to see a massive opportunity to have the ability to determine how probable a file, traffic pattern, or behavior is to be malicious even if that particular event has never been seen before. There are key challenges in achieving that outcome, and they must be addressed for AI to improve cybersecurity outcomes.

Facing the Top Challenges: The Path to Successful AI in Cybersecurity Implementations

Challenge 1: Data and Algorithm: The Foundation of AI's Power, and Its Potential Pitfall
AI is only as good as the algorithm being used and the data it is trained on. If the algorithm is not mapping datasets for the parameters that are indicators of malicious activity, then all the data in the world won’t matter and malicious events will pass through undetected. Conversely, if the right algorithm is not given enough data and of the right quality, then the mappings will never be able to create a high-enough level of probability distribution and false events (both positive and negative) will occur as the algorithm comes to the wrong conclusion.
Challenge 2: Obfuscation: Trusting the Black Box?
Some vendors make their AI models operate as "black boxes," obfuscating the algorithm and decision-making processes. This lack of visibility can be problematic, making it difficult to perhaps impossible to understand why the AI flags certain events as suspicious and raising concerns about accountability and potential biases.
Challenge 3: Integration and Expertise: Beyond the Plug-and-Play Fantasy
AI solutions aren't plug-and-play magic bullets. They require integration with existing security infrastructure and expertise to interpret and leverage their outputs effectively. Security teams need to be trained to understand how AI works, its limitations, and how to best incorporate its insights into their overall security posture.

Beyond the Challenges: Dispelling the Myths

Alongside the challenges, several myths cloud the perception of AI in cybersecurity:

Myth 1: AI Automatically Improves Any Cybersecurity Tool:
While many cybersecurity vendors certainly want you to believe this is true, the reality is that many AI algorithms do not fit the need, take art generation for example, and having the wrong one will lead to poor outcomes.
Myth 2: One-Size-Fits-All Solutions:
Different AI solutions cater to different needs. Understanding your specific requirements and choosing the right tool is crucial for successful implementation.
Myth 3: Unbreachable Security
AI, like any technology, is susceptible to attacks. Continuously monitoring and adapting AI systems are crucial to maintain their effectiveness.

Why Hasn’t This Worked in the Past

In some ways, it has worked, such as models built to recognize simple patterns in malicious files. This pattern-matching model technically fits the basic definition of AI and was the foundation for the original IDS/IPS engines, but is not robust or “intelligent” enough to solve the challenges security is trying to solve. Having the right model and, perhaps more importantly, the expertise to build and improve that model are crucial. Building a model that can probabilistically map “the entire internet” is no simple feat, and the same is true for modeling malicious activity versus benign. Furthermore, as discussed in the first challenge above, the data to feed this model has to be massive (much like LLMs using “the entire internet”) while also being properly categorized and filtered.

What Should Executives Consider When Adopting AI in Their Cybersecurity Program

AI in cybersecurity can be extremely powerful yet needs to be handled properly. Adopting a generic AI would not be knowledgeable enough about the threat landscape and would require a company to train the model itself, which is an extremely complex and compute-intensive task. Evaluating a cybersecurity vendor’s AI integration in their product lines with an in-depth review is highly advisable. If a vendor cannot explain how the algorithm is working, how it is being trained, and on what kinds of data, then the potential for problems can add more risk than the vendor claims to resolve.