AI/ML in Security: Know What You’re Buying

Marketing for information security products is filled with buzzwords of the day, especially when looking at artificial intelligence and machine learning. Even by themselves, AI/ML are hard words to define, so how do decision-makers untangle the marketing jargon to really understand what they are buying? Before purchasing a security solution, decision-makers need to look under the covers at what security vendors are offering in the way of artificial intelligence and machine learning.

Easier said than done? Not if you ask the right questions. Security decision makers should ask the following questions before purchasing to dig deeper into marketing claims made by security vendors:

What are the technical components of AI/ML in the product? Vendors that say they use AI to solve security problems aren’t telling us much. Sometimes a product uses simple classification algorithms on a single type of data and, based on that, makes huge claims about the inclusion of AI/ML. As a buyer, you need to dig deeper by asking what algorithms and frameworks are being used, and whether the vendor developed custom solutions or integrated existing algorithms.

Getting the vendor to talk about the implementation allows you to assess whether it’s a point AI/ML solution or a way to bring AI/ML to security data in a more comprehensive way. Transparency is the key here. There is no right answer we are looking for; the only wrong answer may be when a vendor refuses to disclose what goes into their use of AI/ML.

How flexible are the AI/ML models? Algorithms are usually only a small component of how data flows through an enterprise’s security system. A vendor claiming their proprietary AI/ML model will solve all your problems should raise red flags. Dig deeper by asking whether their model can be altered by you, the customer. Also important to know is whether you can use different models on your data, or are you locked in to certain bundled algorithms on specific data. Everyone’s enterprise is different, and that includes their security needs. There is no one size fits all.

What are the applications of the AI/ML models? Before purchasing, security decision-makers need to understand how AI/ML models are currently being used in potential products. Are models being applied to different types of data sets or is the application limited and myopic? In a modern security practice, looking only at log data is no longer enough. Enterprises deal with myriad data sets; for example, audio data from phone recordings, video data from security cameras and other sources such as transactional data. Can the product work with and apply AI/ML to these data sets as well or is the product a siloed solution? Applying AI/ML to data can be great, but an organization’s data stretches across data silos, and if AI/ML only works on certain silos, something may be missing.

How will new AI/ML approaches be incorporated into the solution? In the security space, adversaries are always evolving. It only makes sense that an AI/ML solution also evolves to meet these new threats. Vendors should be able to describe how updates to their algorithms work as well as provide examples of when past AI/ML was incorporated into their solution and how that development, testing, implementation and licensing played out. The last component, licensing, is critical. Was an organization’s data held hostage and kept away from new AI/ML until a fee was paid to apply the algorithm? This isn’t necessarily bad especially if the new AI/ML was developed by the vendor. If a vendor simply implemented someone else’s algorithm on the data when the licensing fee was paid, then that’s something an InfoSec practitioner needs to know.

Does the product advance the security team’s data knowledge and skills? Before purchasing a solution, it is important to know whether the platform allows security practitioners to apply the latest AI/ML toolkits. Decision-makers should ask whether the solution helps their internal practitioners learn how data works and grow their understanding of data engineering and data science as it pertains to the organization’s InfoSec data, or whether the solution is a black box that forces their organization to rely on the expertise of the vendor to solve security problems. A balance must be struck between working with vendors and growing an internal talent pool.

A product that fosters growth not only will serve the organization better, but also will help the organization attract smart data-driven security analysts. When you consider how tight and finite the pool of data scientists currently is, having cutting-edge technology that advances the security team’s knowledge is essential to wooing new talent.

By digging deep and asking these five questions before making a purchase, security decision-makers will be better informed. And being more informed will likely lead to a more successful implementation and better security outcomes for their enterprise.

John Omernik

Avatar photo

John Omernik

As Distinguished Technologist at MapR, John Omernik brings an analytical approach to big data, utilizing modern tools to identify patterns to facilitate security program improvements and reduce risk to organizations. Prior to MapR, John was SVP Security Innovations at Bank of America. Previously, he was the lead for the Counter Threat Unit Data team at Dell SecureWorks and the VP of Big Data Analytics and Fraud Center of Excellence at Zions Bancorporation. John has an MS in Information Assurance from Norwich University and graduated cum laude from the University of Wisconsin-Stevens Point with a BS in Computer Information Systems.

john-omernik has 1 posts and counting.See all posts by john-omernik

Logging, Management and Analytics

Step 1 of 4

Currently, our log management solution is: