3 Reasons Why a Rule-Based Cybersecurity Platform Will Always Fail

by Ana Mezic on September 24, 2020

Humans love making rules. Whether it’s for health and safety or to provide a stable and enjoyable environment for everyone, we’re always creating, implementing, and enforcing rules. It gives a sense of control and provides predictability.

But when it comes to advancements in cybersecurity, rule-based systems are holding the industry back. Relying on humans to constantly input and label rules in order to detect and stay ahead of threats is a bottleneck process that is setting security teams up for failure, especially with tools like SIEM, NDR, and NTA.

The COVID-19 pandemic made the fault in using a rules-based system extremely clear as enterprises using legacy cybersecurity systems which were filled with rules based on our traditional office based work environment moved 90% of its workforce home overnight. Rules became obsolete, organizations became vulnerable, and breaches skyrocketed.

Rule Limitations When the Unexpected Occurs

As work-from-home mandates spread across the country, leaders quickly shifted their security priorities – establishing secure remote connections for teleworking capabilities. As a result of this hasty, unprecedented movement, bad actors were immediately emboldened to take action.

Suddenly, networks everywhere were hit with thousands of unexpected remote connections from thousands of unknown devices. Rule-based cybersecurity systems – and the humans that write them – simply could not keep up with the exponentially growing number of rules to protect the growing number of network access points and traffic. The problem, it turns out, was foundational: “supervised machine learning” platforms were designed around expected network behavior.

Sponsorships Available

Existing or outdated automated systems can’t have hard-and-fast rules for detecting the zillion potential cybersecurity attack vectors. And for an industry with a wide talent gap and shortage of skilled workers, the constant changes are only further straining the security staff.

Labeling and False Positives

What’s worse than being short staffed? Having to deal with time-consuming, energy-draining, menial tasks – like labeling or writing rules – on top of a lack of skill. For an industry that’s already struggling to handle the work, labeling is simply a waste of time.

Labeling was an effective way to manage network security in the past, but as soon as chaos unfolds or a brand-new attack is developed, rule-based systems simply cannot hold up. Unless of course, you have unlimited time for restructuring and relabeling.

On average, security centers are wasting 15 minutes every hour on false positives. As rules grow exponentially, data labels must too – a ceaseless, swelling pile of work. According to analyst firm Cognilytica, almost 80% of an AI project is spent gathering, organizing, and labeling data, as security teams race to find usable, structured data to train and deploy models.

On top of that, models crank out mountains of false positives, causing security teams to chase their tail and waste more time. A recent study from the Ponemon Institute estimated that “25 percent of a security analyst’s time is spent chasing false positives – sifting through erroneous security alerts or false indicators of confidence – before being able to tackle real findings.”

At best, your analysts put in hours of work that could have been dedicated to more meaningful tasks when an alert turns out to be a false positive. At worst, true cybersecurity threats can be missed when busy IT departments aren’t able to spare the resources needed to examine every potential threat.

Humans Are Both Error-Prone and Invaluable

When humans interact with technology, there is an inherent increase in errors and missed details. When it comes to security, human error correlates directly with network vulnerability.

These mistakes come in many forms, including:

Basic human errors – like writing mistakes
Failure to add enough rules given time/personnel constraints
Inability to detect zero-day threats with rules – since you can’t write a rule for something you’ve never seen

However, creative problem solving has never been as crucial for teams facing the unprecedented challenges of today. Qualities like intuition and experience-based decision-making are invaluable, and even the most advanced AI cannot replace them.

Machines will never be able to entirely replicate or take over the work security professionals do, so it’s essential for companies to look for security platforms that underscore the talents of human security analysts. Security teams that view AI as one part of a complete, multi-faceted approach will benefit the most from these improvements.

Moving From Rules to Self-Supervised AI

In a short-staffed, rapidly changing environment, there’s just one solution – a self-supervised AI based cybersecurity system.

“The number of people and the amount of time it takes to make a rule for everything is massive and just doesn’t make sense when some big change happens,” explains Dr. Igor Mexic, Mix Mode CTO, “And then the label doesn’t matter anymore anyways because you’re having to relearn everything. With an unsupervised system, it is constantly adapting and learning.”

More advanced AI technologies, like Unsupervised or Self-Supervised AI, can predict what the network is supposed to look like – forming a constantly updating baseline of network traffic. In the event of a catastrophe or unprecedented event, the AI system can constantly process and adapt to changes – thanks to machine learning.

With AI, the network is protected at all times – no matter the circumstance.

In just 7 days, MixMode’s self-supervised AI studies the network and develops a baseline for regular network traffic – using this baseline to determine whether something unusual might be happening in real time.

Depending on rules and human intelligence, the old method relied on historical data and network information to build a baseline.

Whereas, MixModes’s new approach applies AI in real time to multiple parts of the stack – finding anomalies and predicting new threats simultaneously.