Founder, President and CTO at Fortinet, overseeing the technology vision and strategy for the global infrastructure security leader.
If security operations teams look exhausted, it’s because they are — and for good reason. Even before the current pandemic, which has seen a significant increase in certain types of cyberattacks, cybersecurity experts were already warding off more attacks than ever across their ever-evolving digital landscape. The result is that the cost of an average data breach now tops $3.78 million.
However, as the pandemic continues, networks are being stretched even further. Remote employees are now working on infrastructures never designed to have the majority of workloads coming from outside the network, and cybercriminals have been quick to exploit the urgency and confusion of the moment. In addition to a spike in highly manipulative spam and phishing email campaigns delivering malicious malware, there has also been an increased targeting of high-value individuals to steal critical information, deliver ransomware or install remote-access trojans that control and monitor networks. The risk is not just that organizations are taking their chances on a $4 million bet. It’s that they are taking that chance a million times every day.
That’s not hyperbole. In an age of increased alerts due to the prevalence of threats, some stretched-thin SOC teams receive an average of 1 million security alerts daily. Because they are short-staffed, they have little choice but to ignore many of the alerts they receive. In a report by ESG, cybersecurity professionals reported organizations ignoring as many as 75% of all security alerts — and even when they were able to respond, they often found themselves racing to contain and mitigate threats that traversed networks faster than ever thanks to a wide array of new attack techniques, including those that are beginning to leverage artificial intelligence and machine learning.
It’s man vs. machine at the velocity of the digital age, and it is simply unsustainable. Today’s SOC teams must not be held responsible for doing the impossible. Forcing them to be faster than an AI-based attack — especially across massive networks of remotely connected devices, only one of which needs to be breached for criminals to succeed — is simply not realistic.
When an attack occurs, security analysts scramble to learn how it got in, who patient zero was and what it is going to infect next. While even the fastest responses can take more than 10 minutes to return results, ransomworms — which self-replicate by exploiting vulnerable files and programs — can destroy entire networks, including connected devices and systems, in a fraction of that time. All it takes to unleash one is a single employee clicking one link from anywhere on the network.
It’s little wonder the pressure on security professionals is heavier than ever. Adding to that pressure is the expectation that SOC analysts should be experts at everything, even as organizations expand their networks to include multicloud environments, remote workers and home networks. However, skills like malware research and patient-zero tracing take years of accumulated experience to develop. Just as hospitals overwhelmed by Covid-19 patients are calling in medical school students to attend to their front lines, the cybersecurity skills gap is forcing organizations to take an all-hands approach. This is barely a stopgap, however, let alone a solution.
The real solution must be twofold: The first is to deploy AI that is capable of exceeding the speeds of the technology being used to attack it. The second is to leverage AI speed and accuracy to repurpose security professionals away from mundane data analysis.
Developing and deploying an AI solution can be extraordinarily time- and labor-intensive. However, when it comes to actually identifying and responding to an attack, speed is the name of the game. Once an AI system has been properly constructed and trained, the power of AI-driven security is revealed by its response times. An effective AI system can perform the tasks of a dozen security analysts — and in a threat landscape constantly launching new zero-day threats, the ability for AI to respond at machine speeds is critical. Today, effective AI can detect and disable a threat in subseconds, when it could take a seasoned security analyst days to identify and isolate it.
However, just because SOC team members should not be doing AI’s job does not mean that AI solutions should be doing theirs. Far from it. The true power of AI is revealed not when it is used as a replacement for higher-order decision-making and human insight. If anything, this is the best way to see its limitations. Rather, it is when the speed and power of AI are wielded by seasoned security experts.
Because AI can operate at machine speeds to detect and effectively mitigate attacks faster and more accurately than ever, security professionals are then free to solve much more complicated problems that demand higher orders of analysis — such as forensic analysis of the attack chain and restoration of systems, as well as identifying and filling security gaps and reporting up to management about what happened and why. While AI can almost instantly identify targets and shut down a breach, security professionals still need to analyze the context around the attack, including who has been targeted and why, thereby enabling deeper recognition of potential vulnerabilities.
AI and machine learning are becoming a more significant part of the arsenal being used by cybercriminals to circumvent the security controls we have put in place to defend our digital resources. As a result, we must not shy away from discussing the need for the speed and power these technologies can provide to secure our expanding networks. However, while that speed is crucial to digital security, its value is as a tool for security professionals, not as a replacement. It is not a contradiction to say that in an evolving and intensifying threat landscape, networks must now deploy AI that is faster than any seasoned security analyst because we need those seasoned security analysts more than ever.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?