Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Disrupting Cybercriminal Strategy With AI and Automation

Organizations Need to be Skeptical When Looking at Any Vendor Claiming to Offer AI-based Security

Organizations Need to be Skeptical When Looking at Any Vendor Claiming to Offer AI-based Security

Spending on cybersecurity solutions continues at a rapid pace. According to IDC, global spending on cybersecurity this year is predicted to grow by nearly 10% over 2018, topping $103 billion – with large organizations accounting for almost two-thirds of that outlay. However, in spite of this, some predict the total cost of cybercrime could exceed $2 trillion by the end of 2019. This means that the cost of criminal activity is currently outpacing security spend by around 20X.

This is the result of a system that has always been rigged in favor of the cybercriminal. It’s the classic scenario of organizations having to anticipate and block 100% of the attacks they will encounter, while cybercriminals only need to exploit a single misconfigured device or unpatched system to get in. The only difference now is, in the wake of global digital transformation, the stakes are much higher than ever before.

Three Critical Security Strategies

Of course, repeating the same behavior over and over and expecting different results is part of the problem. To win this war, you need to rethink your security strategy, and changing your security paradigm involves three basic approaches.

1. Start with Security. Rather than building a network and then overlaying security, start with security in mind. Today’s security policies need to flow seamlessly and enforce policies consistently across your distributed network, from your core network to the cloud, and from the OT network to your branch offices and mobile workers. 

2. Exploit Cybercriminal Economics. Cybercriminals are subject to the same financial restraints as any organization. Profitability requires keeping costs and overhead lower than revenue. This means that most criminals prefer to target low-hanging fruit using known exploits because developing new tools and zero-day attacks are expensive. You can eliminate a lot of risk by doing the following: exercise good security hygiene, discover and remove security gaps,  centralize visibility and control, settle on an integrated security framework based on interoperability, high performance, and deep integration, and segment the network to restrict or slow down the lateral movement of malware looking for data to steal and devices to exploit. 

3. Fight Fire with Fire. Business and cybercrime alike operate at digital speeds. Many cyber events are successful because they happen faster than security systems can respond. This is especially true if human intervention is required in any step of the process. Instead, critical events need to trigger an immediate response. Of course, automation can only respond to known threats. And while adding machine learning allows automated systems to better identify unusual or abnormal behavior and reduce false positives, the process is often slow.

The Critical Need for Artificial Intelligence

Unlike automation and machine learning, AI attempts to replicate the analytical processes of human intelligence not only to enable decision-making at machine speeds, but over time, can even begin to predict and prevent security events before they occur. Of course, this technology is far more challenging to achieve, and it is why organizations need to be skeptical when looking at any vendor claiming to offer AI-based security.

A true AI system requires an artificial neural network (ANN) combined with a deep-learning model to not only accelerate data analysis and decision making, but also enable the network to adapt and evolve when encountering new information. This extensive training process includes being carefully fed massive amounts of increasingly complex information so it can not only identify patterns and develop problem-solving strategies, but also adjust those problem-solving algorithms when it encounters a new pattern.

Training an AI

One of the most critical lines of inquiry when examining a solution that claims to provide AI is about how it was trained. The AI community recommends that any AI solution undergo three stages of training: 

1. Supervised learning. This initial model begins by feeding the AI system with massive amounts of labeled data, where the characteristics of each data set are clearly labeled, and decisions are predictable. As an example, Fortinet’s AI development team leverages the data produced by our more than 200 FortiGuard Lab researchers who currently log over 580,000 hours of research data each year. In addition, it ingests data collected from devices and sensors deployed worldwide, including data feeds from our threat intelligence sources. Ultimately, it is this level and volume of input that allows our AI systems to continually improve by expand their set of recognizable patterns and responses.

2. Unsupervised learning. In this next phase, unlabeled data is slowly introduced, forcing the system to learn on its own as it starts to see and recognize new patterns. 

3. Reinforcement. Both of these processes monitor the system’s performance with familiar and unfamiliar files and “rewarding” the system for good results. Training cycles between these three learning strategies on an ongoing basis for months, or sometimes years, depending on the complexity of the problems it needs to identify and resolve.

Because of the recursive requirements of the learning process, any AI system that does not use all three of these learning models is incomplete. Each learning model helps refine results and improve accuracy.

And naturally, because the threat environment continues to evolve, AI training models cannot afford to be static. The system needs to be constantly infused with new models that branch off from existing information, based on new threats and techniques as well as new strategies for identification and resolution. And ongoing monitoring must also be applied, as its effectiveness is only good as the data it consumes. AI can be unintentionally poisoned with bad data, creating a bias that impacts its ability to make good decisions, or be intentionally poisoned to miss certain types of threats, 

AI Disrupts the Entire Cybercriminal Strategy

Many cybersecurity companies claim to have introduced AI capabilities into their solutions. But the reality is, most fall short of true AI because their underlying infrastructure is too small or their learning models are incomplete. Others refuse to divulge the methods that they use, which raises concerns about the reliability of their AI. These should be red flags for any organization looking to adopt an AI-based system.

Just as important, even if an AI system meets basic training and infrastructure requirements, it still needs to interoperate within the security environment you have in place. Intelligence in isolation is useless. The more threat intelligence is shared – whether from an external intelligence feed or the integrated security systems deployed across your distributed network – the more effective your AI-based defensive systems will become. 

But when done right, an AI-based system will give your organization an advantage over even the most sophisticated cybercriminals. It weaves security deep into your infrastructure, identifies and responds to the most advanced threats, and forces criminals to either go back to the drawing board, or more likely, look for a victim that doesn’t have such an impact on their bottom line.

Written By

John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...