Chief Scientist and CTO for MixMode, Igor Mezic, wrote this article for Forbes magazine on the advantages of moving away from a legacy rule-based cybersecurity platform to a third-wave AI platform that can better detect zero-day threats. He is a Forbes Technology Council Member and the article was originally published here.
Platforms that rely on analyst-written rules and supervised machine learning may have been the gold standard for network monitoring in the past, but an advancing threat landscape means these platforms are becoming less effective at stopping modern cybercriminals.
I believe there is an urgent need for security analysts to move away from spending hours writing rules in an attempt to define what is and is not acceptable on the network. Even with this massive investment, SOC analysts gain only a rudimentary understanding of their own networks and end up with a system that generates distracting false alerts. More importantly, they miss threats that have never been seen before, such as attacks that use zero-day exploits.
This legacy approach attempts to make sense of raw data by comparing it to historical logs, human-written rules and signature feeds. One solution is to leverage “third-wave AI,” the term DARPA uses for systems that build contextual, explanatory models of their environment rather than relying on handcrafted rules or statistical pattern matching alone. Applied to network security, that means generative dynamical models of the underlying network and contextual reasoning rather than simple automation.
Rule-based and supervised machine learning systems can’t see no-signature or zero-day threats.
Rule-based and supervised machine learning systems are inherently based on a “look back” approach: new rules are written to reflect undesirable behavior that has already been observed, and a supervised model can only recognize the threat types that were labeled in its training data. No-signature threats are effective as “surprise” attacks precisely because a rule-based system is set up to trigger only on known behaviors.
Theoretically, a SOC could write rules for hypothetical scenarios in advance, but the sheer number of possibilities makes this approach impractical. One cannot predict all of the ways attackers might exploit vulnerabilities, and a zero-day vulnerability is by definition unknown to defenders until it is discovered, often only after it has been exploited.
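The following is an added example, not code from the original article or from MixMode, and it does not implement a generative dynamical model; it simply puts the “look back” limitation described above into runnable form. A handful of analyst-written rules (a blocklisted destination and a known reverse-shell port, both hypothetical) are matched against constructed flow records, beside a minimal learned baseline of bytes sent per host per minute. The exfiltration flow uses an unknown destination on an ordinary port, so no rule fires, while the baseline flags it because the volume departs from that host's learned profile. Hosts, addresses (RFC 5737 documentation ranges), byte counts and thresholds are all constructed for illustration.

```python
"""Signature matching versus a learned per-host baseline over constructed flow records.

Added illustration; not MixMode's code or the author's method. A z-score baseline
stands in for the far richer models the article argues for.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: 20 minutes of "known normal" traffic for two hosts.
# Fields: minute, src, dst, dst_port, bytes (bytes sent by src in that flow).
BASELINE_FLOWS = [
    {"minute": m, "src": "10.0.0.5", "dst": "198.51.100.20", "dst_port": 443,
     "bytes": 2000 + (m % 5) * 200}          # modest, slightly varying volume
    for m in range(20)
] + [
    {"minute": m, "src": "10.0.0.6", "dst": "198.51.100.21", "dst_port": 443,
     "bytes": 1500}                          # perfectly constant sender (stddev 0)
    for m in range(20)
]

# Constructed live traffic to score.
LIVE_FLOWS = [
    # ordinary traffic: silent under both detectors
    {"minute": 20, "src": "10.0.0.5", "dst": "198.51.100.20", "dst_port": 443, "bytes": 2300},
    # matches an analyst rule: destination is on the (hypothetical) blocklist
    {"minute": 20, "src": "10.0.0.6", "dst": "203.0.113.9", "dst_port": 80, "bytes": 1500},
    # novel exfiltration: unknown destination, ordinary port, no signature, ~20x normal volume
    {"minute": 21, "src": "10.0.0.5", "dst": "198.51.100.77", "dst_port": 443, "bytes": 50000},
    # a source that never appeared in the training window
    {"minute": 21, "src": "10.0.0.99", "dst": "198.51.100.20", "dst_port": 443, "bytes": 900},
]

# Analyst-written rules: each encodes one previously observed bad behavior.
BLOCKLIST = {"203.0.113.9"}                 # hypothetical threat-intel entry
RULES = [
    ("blocklisted-destination", lambda f: f["dst"] in BLOCKLIST),
    ("reverse-shell-default-port", lambda f: f["dst_port"] == 4444),
]


def rule_alerts(flows):
    """Return (rule_name, flow) for every flow that matches a hand-written rule."""
    return [(name, f) for f in flows for name, match in RULES if match(f)]


def learn_baseline(flows):
    """Per-source mean and population stddev of bytes sent per minute."""
    per_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_src[f["src"]][f["minute"]] += f["bytes"]
    return {src: (mean(v.values()), pstdev(v.values())) for src, v in per_src.items()}


def baseline_alerts(flows, baseline, z_threshold=3.0, min_std=1.0):
    """Flag (source, minute) buckets whose volume departs from the learned profile.

    min_std floors the stddev so a perfectly constant sender does not divide by zero;
    a source absent from the baseline is reported rather than silently scored.
    Returns tuples of (alert_type, src, minute, z_score_or_None).
    """
    volume = defaultdict(int)
    for f in flows:
        volume[(f["src"], f["minute"])] += f["bytes"]
    alerts = []
    for (src, minute), total in sorted(volume.items()):
        if src not in baseline:
            alerts.append(("unseen-source", src, minute, None))
            continue
        mu, sigma = baseline[src]
        z = (total - mu) / max(sigma, min_std)
        if abs(z) > z_threshold:
            alerts.append(("volume-deviation", src, minute, round(z, 1)))
    return alerts


if __name__ == "__main__":
    print("rule alerts:")
    for name, f in rule_alerts(LIVE_FLOWS):
        print(f"  {name}: {f['src']} -> {f['dst']}:{f['dst_port']}")
    profile = learn_baseline(BASELINE_FLOWS)
    print("baseline alerts:")
    for alert in baseline_alerts(LIVE_FLOWS, profile):
        print(f"  {alert}")
```

Running the block shows the two detectors disagreeing exactly where the text says they will: the rules catch only the blocklisted destination and say nothing about the 50,000-byte transfer, while the baseline flags that transfer and the never-seen host and stays quiet on the blocklisted flow, whose volume is perfectly ordinary. Neither detector alone is sufficient, which is why the baseline here should be read as a sketch of the direction rather than a replacement for the contextual models the article advocates.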
Advantages of moving away from a rule-based and/or supervised machine learning system.
In addition to saving on human capital and improving overall cybersecurity, moving away from a rule-based system to a third-wave AI solution can introduce several key advantages.