AI, ML – is it all just BS?

Sep 12, 2017 | 4 min read
Artificial Intelligence, Data and Information Security, Machine Learning

Though we’re easily enamored with new technologies like artificial intelligence and machine learning, do they actually help us solve real problems in the SOC like reducing Mean Time to Resolution (MTTR)?


Read a security-related press release or been to an event recently? You’ve no doubt been wondering how you managed to do your job all this time without Artificial Intelligence (AI) or Machine Learning (ML).

Do these technologies really live up to the hype or are they just the latest in a series of new buzzwords?

NOW AVAILABLE: Industry’s First Machine Learning Incident Response Platform that Gets Smarter with Every Analyst Action!

Despite being positioned as the latest “silver bullet” in security, neither is a new concept. Artificial Intelligence, which in layman’s terms is simply making a computer think like a human, was first discussed at a Dartmouth Summer Research Program in 1956. Similarly, Machine Learning, which is broadly considered a type of Artificial Intelligence and is defined as giving computers the ability to learn without explicit programming, was pioneered by an IBMer named Arthur Samuel in 1959.

Though decades old, Artificial Intelligence and Machine Learning are both garnering interest in the field of cyber security. Recent research by ESG surveyed 412 cybersecurity professionals to assess and characterize their knowledge of Artificial Intelligence and Machine Learning as it relates to cybersecurity analytics and operations. The findings show confusion in the market, which is no surprise given the rise in promises made by vendors.

Two interesting, yet conflicting, stats that I noticed in the ESG research are that although 70% don’t understand where Machine Learning and Artificial Intelligence fit in their organization, 82% plan to deploy them! Clearly we have an opportunity for education.

Artificial Intelligence is a broad term and represents technologies with many approaches, from simply creating rules to handle specific tasks, to highly sophisticated algorithms that learn correct behavior. Machine Learning is thought to be the most promising form of Artificial Intelligence. Machine Learning uses algorithms and data to learn without being explicitly programmed. This corrects a major limitation of other forms of Artificial Intelligence, where rules must be created to handle specific tasks, requiring foresight and programming for all possible outcomes in advance. There are many forms of Machine Learning, including Decision Tree Learning, Inductive Logic Programming, Deep Learning, Clustering, and others like Reinforcement Learning.

Security Automation & Orchestration platforms are beginning to use Reinforcement Learning, which is a simple form of Artificial Intelligence (and Machine Learning) that automatically determines the actions required to get the best outcome. In the context of SA&O platforms, Reinforcement Learning can make recommendations based on event data, ultimately suggesting automation playbooks that can help solve real problems in the SOC. Guidance when dealing with “known unknowns” (i.e. those cases when we know about the threat, but aren’t sure how to respond) is valuable to new and experienced analysts alike.

Though we’re easily enamored with new technologies like Artificial Intelligence, Machine Learning, or even Reinforcement Learning, it’s always useful to step back and ask the bigger question: how do any of these new technologies help us solve real problems like reducing our Mean Time to Resolution (MTTR)?

The reality is that no one technology provides the “silver bullet”; each merely adds another dimension to the solution. While perhaps not as fresh to the market narrative, foundational capabilities like architectural maturity, community collaboration, an open and extensible ecosystem, and feature completeness often do more to make an impact than the “latest thing.”

That’s not to say artificial intelligence, machine learning, reinforcement learning, etc. don’t have a place. I think they’ll play an increasingly important role in the future in providing guidance to an analyst that enables a new level of security handling, one where threats with no associated procedures can be handled effectively through intelligent guidance.

Let’s not get carried away though. Artificial intelligence, machine learning, and reinforcement learning are great ways to augment, though not outsmart, the analyst.


CP Morey is Vice President, Marketing & Products at Phantom, the leader in security automation and orchestration. He has a track record of building teams and launching new products in fast-growth markets. Prior to Phantom, CP was Senior Director of Product Marketing for Cisco’s industry-leading security portfolio, a role he assumed after the $2.7 billion acquisition of Sourcefire. While at Cisco, he successfully restructured the team and doubled its size to support the fastest-growing business in the company.

Before joining Cisco, CP was Vice President of Product Marketing at Sourcefire, where he helped with its transformation into a multi-product company through the launch of FireAMP, a product with exponential revenue growth since its release in 2012 that now thrives as Cisco’s Advanced Malware Protection (AMP) business.

A veteran of the security industry since 2001, CP has also held leadership positions in product marketing and product management at ISS and PentaSafe while helping to scale the companies for successful acquisitions by IBM and NetIQ, respectively.

The opinions expressed in this blog are those of CP Morey and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.