If you're a CISO, you already know that the tech industry is a hype machine generating an incredible amount of noise. This is particularly true in security, where hype collides with fear-mongering and hero-tropes to create some truly outstanding buzzwords. One of the worst offenders is AI (Artificial Intelligence), which you've likely heard shouted from vendors across the spectrum.
But what do vendors really mean when they're trumpeting AI? For the most part, it's a way to spice up the much more accurate term "machine learning." Sometimes, the truth is even more attenuated, and it refers to more basic analysis. Either way, it's a term that's created a lot of noise and a lot of confusion while being more artificial than it is intelligent.
How can you rise above the noise created by marketing hype and overused buzzwords? This recent Gartner report contains a wide range of questions that security teams should use when evaluating a vendor's claims about AI.
Using that guide as a foundation, I'm going to provide some honest, authentic answers to five of those questions on behalf of ExtraHop Reveal(x)—ranging from big-picture to granular.
Before we get started, you should know that we don't do "AI." We do what most people who claim AI really do: machine learning (ML). Our unsupervised machine learning (service details here) is proven in complex enterprise environments where it helps our customers detect threats 95 percent faster and—thanks to guided investigation—reduces employee time spent resolving threats by nearly 60 percent.
However, we recognize our ML isn't a silver bullet solution for every use case. When simpler rules and custom models can do the job easily, ML might be overkill. That's why we focus on solving the right problems with the right technology, so we can drive real-world results rather than delivering style over substance.
Now, let's get to the questions.
Question 1: What is the state of AI in security?
AI in cybersecurity is lagging behind other business applications of the technology. There are valid applications for data mining, but we believe the area of automated response driven by AI remains too risky for all but the most banal tasks—ones that could be done as easily with other tools and without the overhead of an AI engine.
Question 2: Which analytics methods (ML and others) contribute to AI functionality?
In the security operations realm, ExtraHop Reveal(x) uses ML because it's been proven in the field as ideally suited to detecting dynamic and sophisticated modern attack techniques, tactics, and procedures (TTPs) without taking the human out of the loop when it comes to interpreting and applying the results. For example, unsupervised learning can detect previously unknown variants of known TTPs, quickly adapt to each customer's environment, and achieve high accuracy without requiring any manual labeling, training, or tweaking from customers.
ExtraHop data scientists have been constantly refining our machine learning capabilities since 2014, and their work is based on activity from hundreds of ExtraHop enterprise deployments encompassing millions of devices and petabytes of network traffic each day.
While detections in Reveal(x) rely primarily on unsupervised ML and predictive models that identify deviations from normal behavior, the product also performs full-spectrum analysis of all metrics collected and allows users to configure alerts for deviations from statistical baselines with a high degree of precision.
Question 3: What are the security and performance metrics relevant to measure the results from AI?
The best measure of success is whether a technology helps you do your job better. That answer may sound trite, but it's true. If what you're using doesn't help you improve in the areas that matter most, it's time to consider investing in something that will.
While there's not a one-size-fits-all standard for success across all enterprises, there are results that can help you determine if an ML-backed product could be right for you. These are the same metrics you likely use for products without ML.
Some important metrics:
- Time to detect threats
- Reduction in staff time to resolve threats
- Reduction in staff time spent troubleshooting
- Reduction in unplanned downtime
- Reduction in lost user time due to application degradation
- Reduction in time needed to repair application degradations
ExtraHop's technology has also been evaluated by the SANS Institute as well as Enterprise Management Associates, who subsequently named ExtraHop a Top Vendor in their Decision Guide for Security Analytics in 2019. In addition to these independent reviews, ExtraHop Reveal(x) has also received SOC2 certification.
Question 4: How does your solution integrate into our enterprise workflow (e.g., incident response, ticketing)?
ExtraHop can integrate directly via technology integrations, REST APIs, or via security orchestration and automation (SOAR) providers. Integrations include CMDB tools, ticketing and project management platforms such as JIRA and ServiceNow, SIEM, firewalls, as well as many other data aggregation and analysis tools to enable seamless investigation in broad, rich datasets.
Within the Reveal(x) investigative environment, ExtraHop can display the progress of tickets so that analysts can see at a glance whether a particular detection has been investigated at all or resolved. You can also initiate an incident in a ticketing system or SOAR product, or drive an automated response such as a NAC quarantine. You can also add ExtraHop detections to a SIEM dashboard and pivot back to ExtraHop for device and detection details.
Question 5: Should I fire my security team (and find a new job)?
This probably is my favorite question, because I love it when serious analysts cut loose and have a little fun. The short answer is, of course, "no."
AI can't fill the sizable gap between talent supply and demand, but one of the real values our machine learning provides is helping your security team do their jobs with greater efficiency. They can easily prioritize alerts worth their attention, and then use guided investigations to get the details they need to make quick, confident, and correct decisions about threat response. Our ML also leverages wire data to help your team avoid manual processes such as data collection, correlation, and incident triage, so humans can focus on less mundane tasks.
If you have the right people with the right skills in the right roles, they're worth their weight in Bitcoin. Sounds simple enough, but as we all know, finding top-tier talent is only a little easier than hunting unicorns. What you want to do is help your existing staff enjoy what they do and learn as they do it, keeping them happy and more likely to stay with you.
Besides, if you fire your security team, who's going to laugh at your jokes during meetings? OK, maybe Siri or Alexa would, but that's just not the same.