The Benefits of Artificial Intelligence in Cybersecurity

Jonathan Nguyen-Duy

Deputy CISO at Fortinet

Jonathan Nguyen-Duy, Renee Tarun, Jim Richberg, Fortinet

To truly evolve and make the shift from reactive to proactive cybersecurity, AI should be part of your strategy. 

Quartz Network Executive Correspondent Britt Erler sat down with three executives from Fortinet – Deputy CISO Jonathan Nguyen-Duy and Field CISOs Renee Tarun and Jim Richberg – to discuss why CISOs should include AI/ML in their arsenals and what to look for in AI tools.  

They share insight into: 

  • Why integrating AI and machine learning is so crucial for organizations 
  • How AI and automation complement traditional security approaches 
  • Use case scenarios that increase productivity and decrease costs  

Quartz Network: What’s your take on the issue of whether AI and machine learning are overhyped as solutions in the cybersecurity space? 

Jim Richberg: I don’t see it as an issue of they’re overhyped so much as they’re misunderstood. You can always simplify it to say there seems to be an assumption that AI is a powerful tool. AI basically affects everything that’s digital, it therefore must be affecting cybersecurity, and therefore it must be helping. The reality is, my experience is relatively few, certainly at the executive level, really understand exactly how it works in cybersecurity, the breadth of places that it’s being applied, and how the impact is being felt. That’s unfortunate, because I really do think it is a transformational technology that coupled with the platform-based approach, these broad ecosystems of capability are a game changer that finally where we’ve got a one two punch that may take the advantage away from the attackers and put it on the side of network defenders. I really wish there wasn’t so much misunderstanding about exactly what AI was doing for us in this field. 

Renee Tarun: I agree. I think it’s something that AI machine learning really needs to be in the arsenal of today’s CISOs. With the speed of digital innovation, it’s completely transformed how organizations do business. Instant access to critical business tools and information by cloud-based applications. It really lets workers access any resources they need from any location on any device. However, that same innovation and trend has also transformed cybercrime. Raising the bar on both speed and the severity of the attacks that we’re seeing. Successful data breaches cost, on average, over $4 million. Part of that challenge that we’re seeing is the speed in which the attacks are occurring. That really is complicated by the fact that our security tools, in a lot of cases, for a lot of organizations, are simply unable to react in time to prevent serious incidents.  

Previously, cyber-attacks moved at human speed, with manual execution required at every step. That manual process once provided a viable chance for our cyber defenders to simply catch that exploit before things caused major damage. Now, cyber criminals are grappling on digital innovation, they’re able to automate and apply AI to many of their tactics. This has enabled them to quickly create more sophisticated, multi vector attacks that can be carried out at machine speeds.  

For example, cyber criminals are now leveraging AI automation to actively locate and exploit multiple vulnerabilities simultaneously while even evading detection. Automation also makes those attacks much more prolific and causing more damage, so CISOs find themselves constantly searching for new tools to add to their arsenal, and often, only to find that cyber criminals have dealt with even more advanced ways to circumvent those security controls in place.  

Traditional security approaches, from my perspective, really need to be complemented with alternative models such as AI and automation. These really provide advantages to CISOs to not only be able to mitigate the risks brought on by automated cyber-attacks with faster response times, but also to give them broader visibility and simplified network management. As Jim said, we really need to actually get ahead of the cyber adversaries. 

Jonathan Nguyen-Duy: Great points from my colleagues. I think part of the ability of leveraging AI is really to approach it and learn from the lessons we’ve had over the last 25 years. We can’t approach things as operating silos or specific point products, but instead as an integrated capability. Renee is absolutely spot on—AI is a great tool that leverages the ability of automation to really begin to enhance the accuracy of detection, as well as accelerate the speed of mitigation.  

AI, in many ways, has been overhyped. I think the biggest issue about AI today is how’s it going to be applied. Are you thinking about using machine learning? Are you thinking about using deep neural networks or artificial neural networks? Are you thinking about using unsupervised or supervised learning? How are you going to apply it? It is a tool, but the benefit of that tool is how it’s applied. The need right now is to ensure you, one, have visibility across the LAN, WAN, data center and cloud edges; and two, now that you have visibility, you can leverage AI to have better contextual awareness about what is happening. If that AI is integrated like the way we’ve approached it at Fortinet, with your operations, and the ability to automate your operational elements across networking, and security, as well as monitoring that end user—that digital experience, then you begin to see the promise of AI.  

AI in itself is a great tool. It becomes a powerful element when it’s complemented by an integrated fabric, so we avoid those mistakes about creating standalone silos and standalone products that were never integrated, and then their utility is greatly diminished. 

Jim Richberg: Let me elaborate and put a little spin on what Jonathan said, because it’s when you put the strength of AI, especially when it’s the back end of a broad system, coupled with the fabric—this integrated platform approach—it turns what is often considered one of our greatest liabilities or vulnerability, the growing size and complexity of the attack surface into a benefit. 

Imagine you take that breadth of the attack surface and the instrumentation are sensors that are reporting back to a place that has AI and machine learning that have become powerful enough that you can make sense of what’s happening on your network in real time. You now have a barometer or a thermometer to let you know what normal healthy network activity looks like, to know what abnormal network activity looks like, and deep neural network. That kind of machine learning is really good at saying, “This is abnormal and bad,” either bad based on what it can do or bad based on its own characteristics. And then, the same devices that are sensors are also controls, so once you’ve decided something is worth acting on, you can send out the command to not only stop it where it’s happening, you can inoculate everybody else in the attack surface against it. Because you’re doing this, in some cases, in sub second, in real time, you’re turning the attack surface into a sensor network. That means, as soon as the intruder pokes at one place while they’re still groping their way to success, you get ahead of you, you divine what they’re doing.  

It’s as if patient zero in Wuhan was battling an infection, and WHO had said, “Oh, look a novel thing!” and been developing a vaccine even while the first patient was fighting an infection. That’s what I mean by the transformational power and enterprises don’t have to do it, it’s being done with the back-end analytics and AI by the OEMs like Fortinet. It’s happening invisibly, and that’s why I say this is transformational. 

Renee Tarun: I would agree with Jim. It’s almost like it’s flipping the script on the adversaries. The answer has been using speed and scale against us, so now we’re taking that same speed and scale on our internal systems and using that as a strategy. A lot of cases we find, organizations are taking a reactive approach. A reactive approach in today’s environment is simply going to cause additional downtime, additional outages, and increasing in costs anytime you have cyber incidents. Speed is essential. That is going to help—what I mean by flipping the script, it’s really taking the approach where you’re doing more proactive threat management strategies. Again, cyber criminals are taking advantage of every second they can, they’re evolving techniques and they’re expanding surface, it can really start to overwhelm and outnumber your security teams. By really leveraging these solutions that incorporate machine learning AI, CISOs can proactively tackle some of these automated attacks we’re seeing and stay ahead. 

Jonathan Nguyen-Duy: That’s a great word—the word “proactive” Renee. When we think about AI and automation, two words come out: proactive and predictive. The ability to leverage data to do more proactive and predictive things, not only in the security side. In terms of vulnerability management, system configuration, and misconfigurations, like the bane of so much of our existence. Also detecting those sophisticated and not so sophisticated threats and anomalous behavior, but also leveraging that integration with the networking side, so that you can improve the responsiveness if that network is SD-WAN highly adaptive, moving from MPLS and broadband to 5G, 4G, on demand based on the criticality of that application, that workload, that particular underlying business processes. Aligning that with security and your compute in the cloud, leveraging AI begins to show you how you not only improve security, but you improve the network performance. You also make it a more responsive application performance as well. That leads to those better outcomes and there’s better customer experiences.  

AI, in conjunction with networking and security, is where we converge at Fortinet. It’s really so transformational, because now the CIO and the CISO can say, “Hey, not only are we providing network performance and assurance and computing and security, but now we’re enabling new, better ways for customers and stakeholders and partners and employees to interact with our brand.” Creating new business processes, the foundation of digital transformation itself. Then you change from Doctor No to Doctor Knowing, and become an enabler of the business. That’s transformational, and that’s why I’m hearing so many CISOs say, “Hey, I’m being asked to measure the ROI on digital experience. I’m being asked how does security enable new revenue accelerate time to market?” I think AI begins to unlock a lot of things that we hadn’t even thought about in the past. 

Jim Richberg: Jonathan raised the issue of ROI and measurement. From my perspective, having been involved in measuring cyber performance for a long time, that, arguably, is the weakest part of cybersecurity. It’s not the technology, it’s not even the workforce skills gap, it’s the fact that we can’t reliably, predictably, and transparently measure cause and effect. If you give me this amount of money, here’s how I can affect our security, here’s how I can affect threat against us.  

Sometimes, we even argue over what is the investment. The people who do close support in your organization are the ones who are doing inventory, they’re doing password management. They’re doing things that arguably affect your cybersecurity. They’re probably not counting against the CISO’s budget. I say, “How do you calculate ROI when you don’t even know what the number on the denominator of that equation is?” Now, it’s up to you. Am I missing decimal dust rounding error or am I missing significant things? That, I think, is organization specific, but the point is, measurement is what’s really hard.  

That was one of the things that came out of the pivot to remote telework during COVID that really put IT and security in the spotlight. Most organizations said yes, they’re mission enablers, they’re part of the team, but absent of those two things. When we went into lockdown, organizations would have gone into shutdown if the employees just had to go home and binge watch. The fact that we were able to give them connectivity, and to provide some level of assurance, allowed our organizations to keep their heads above water. We were the heroes of the hour in terms of showing how networking and security are key. Now, we need to find ways to build on that success coming forward saying we can give you ways to not only get that digital transformation, but security is intrinsic to the solution. You’re getting an answer, and yes, it’s secure, or else we wouldn’t be proposing this as an option. It’s baked into the DNA. 

Renee Tarun: Ultimately, for a lot of organizations now, some are faced with decreasing budgets and limited resources. It really comes down to also wanting to increase efficiencies by adding that machine learning AI. Add some of that automation to do some of those streamline workflows, create more uniform and efficient environment. Not only does it make the organization become stronger in terms of security, but also makes them become more cost effective across the board. 

Jonathan Nguyen-Duy: If you take a look at one use case, our Fortinet Virtual Security Analyst. In the 52 weeks of development, at week 34, we were able to demonstrate that it was outpacing the average human SOC analysts, tier one, tier two, tier three. At week 52, we’re able to demonstrate that not only was it outpacing humans, because it’s self-learning, it’s inherently going to perpetually perform. Humans are always good, bad, or indifferent, right? We hope they’re good, but the practical reality is that the end of the 52 weeks, we demonstrated it was the average of five average human SOC Analysts. If you take a fully loaded cost of a SOC Analyst anywhere in the major metropolitan areas in the US, it’s about $225-250,000. That one solution that our Fortinet Virtual Security Analysts was equivalent to some $850,000 to a million dollars in cost savings. That’s a very easy way to demonstrate the types of productivity enhancements that AI can generate for an organization.  

We simply cannot process the sheer volume, variety, and velocity of data that’s coming at us. I remember SLAs that were in the hours when I first started in the industry. That was that delays went down to minutes, and now we’re 5G. We’re talking about a sub five millisecond SLA. There is no way that you’re going to triage an event, and try to decide how you’re going to mitigate that by swivel chairing across multiple management consoles—not that I’ve ever done that—but the practical is, that didn’t work 10 years ago, and it’s really not going to work today. We need to use these tools that are available, but to do it in an integrated way. You really get better performance and cost savings that way. 

Quartz Network: Since integrating AI and machine learning is so crucial for an organization, why are companies still reluctant? 

Jim Richberg: Part of it is the education issue, where I started by saying it’s not overhype, it’s misunderstanding. I know I did a lot of procurement when I was in government and I joke, “Procurement comes down usually to a combination of the two P’s: price and performance.” People typically don’t recognize these platforms exist, these ecosystems that, at this point, in the evolution of cyber technology, are now AI-powered and AI-connected.  

The best data source that I point people to is the Data Breach Prevention Study that was done by an organization called NSS labs in 2019, where at the request of their customers who said, “Look, the OEMs are telling us these integrated technology suites are the greatest thing since sliced bread. Can you test it?” This organization was like consumer reports for cybersecurity—independent rigorous testing. They took products from the leading OEMs, Fortinet and its peers, and they said, “Okay, we will take a test network, we will take a live threat data, and we’ll replay it against all of these networks defended by these different products. We’ll also engineer our own samples to be essentially zero-day exploits with as many as 13 layers of obfuscation.”  

That’s a high bar, because the reality is, nobody is perfect against the threat they’ve never seen before that’s actively trying to hide from them. They found that firewalls were over 90 percent effective as a class. They varied a bit, but they were in that cluster. They found that endpoint products were as a class a bit more effective. The interesting thing is when they allowed the same products that were running those two tests to be knit by AI and ML, they rose across the board in effectiveness, and they also became more cost effective as well. That’s the point that I always offer executives to say, “Look, here’s an actual study that says: This approach works.”  

This is the best antidote to people who want to look at all of their procurements from the magic quadrant perspective, just to say, “I’m going to start by looking at best of breed.” If you do that, you lose sight of the fact that any solution that’s integrated in the platform is going to outperform the best of breed. 

Renee Tarun: I think that some of it has to do with education, some of it has to do with the cultural change. For some organizations, it’s the fear of loss of control. They feel that it’s perceived loss of control, when the reality is, the right tool can actually provide greater visibility and enhanced oversight into your cybersecurity processes.  

Then also, I think there’s some distrust of the technology. Sometimes, you have highly skilled analysts that feel that they are more capable than managing—doing some of the things like incident response that the machine could.  

Lastly, I think it’s the fear of change. We see a lot of industries, whether that’s Manufacturing, where you bring in more technology, there’s concern that machines are going to be replacing the human elements. While AI systems do provide a lot of capabilities, it’s simply that they can’t operate in fully autonomous mode. In fact, a lot of the AI implementations are being done, such that the AI systems are really providing augmentation, adding additional intelligence role supporting the humans at what they do best, but not fully replacing them. The fact is, I think that a lot of this AI machine learning technologies and capability, it’s certainly going to change the way people work, but I think it’s also going to be creating more opportunities for them, not necessarily eliminating them. 

For more industry best practices and insights from leading IT executives like Jonathan, Renee, and Jim, join Quartz Network.