How Domain Expertise And AI Can Conquer The Next Generation Of Cyber Threats

No one, not even Google CEO Sundar Pichai, is immune to being hacked. And this problem isn’t going away. Cybercrime figures are increasing each year, with a reported 22% rise in breaches already in 2016. While organizations spent $75 billion on security products and services in 2015, there were still 2,000 breaches (75-90% of which were in large enterprises), with a median dwell time of 146 days before detection.

The security industry has not kept pace with cybercriminals' innovation or creativity; it’s been left playing checkers while the enemy plays chess. Cybercriminals are not only becoming more sophisticated and numerous, but today’s IT infrastructure is more vulnerable than ever thanks to the growing number of entry points into an organization.

After 20 years in the security industry with organizations like the NSA, Mandiant and FireEye, and now as the CTO of cybersecurity firm Endgame, I've seen a lot of changes within the field. However, I know that all hope is not lost when it comes to strengthening enterprise security. For instance, in the past few years, the scientific community has empowered companies to leverage artificial intelligence (AI) for everything from fraud detection to self-driving cars. I've seen through my own company's work that utilizing AI in the cybersecurity industry can help platforms block and expel threats from a network. But AI cannot do it alone; it must be critically informed by domain expertise, or it could become just another buzzword.

How AI Could Modernize Security

AI should be seen as a multiplier, not a silver bullet. The hype around AI and data science is warranted, but AI isn’t a homogeneous black box. There are many machine learning approaches and different models that fall under the AI umbrella. As with all robust data science, the model and approach must be suited to each case’s unique data and operational constraints. Nevertheless, machine learning can expedite data wrangling -- a process that becomes tougher as the velocity, volume, variety and veracity (the four Vs) of data continue to expand -- and it can also help organizations make intelligent decisions about the data.

My firm recently conducted research to demonstrate how AI can improve security processes in a project called Machine Learning Red Teams. "Red Teaming" usually entails a team of people manually simulating an attack on a system to test its defense, identifying vulnerabilities, and then patching any weaknesses they’ve found. Think of it as two computer robots facing off in a series of rounds. The Red Team model generates malicious samples to bypass the Blue Team detector, which learns how to identify these attacks. Through this process, the Red Team’s technical capabilities against the defense improve. Meanwhile, the Blue Team becomes hardened against blind spot attacks simulated by the generator. Using machine learning, we can simulate the testing portion of the process -- pitting offense against defense -- and attempt to deliver faster results in greater volume to recursively improve defenses.
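The round structure described above can be seen in a toy form. This is an added illustration, not code from this article or from Endgame's research; the nearest-centroid detector, the two abstract features and the rule that Red may only rewrite the first feature are all assumptions chosen to keep the loop small.

```python
# Constructed 2-feature samples: (mutable_feature, behaviour_feature), both in [0, 1].
# Assumption: Red can rewrite feature 0 freely but must keep feature 1 to stay functional.
BENIGN = [(0.2, 0.2), (0.3, 0.1), (0.1, 0.3)]
MALICIOUS = [(0.8, 0.8), (0.9, 0.7), (0.7, 0.9)]


def centroid(points):
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def train_blue(benign, malicious):
    """Nearest-centroid detector written as a linear score w.x + b (> 0 means malicious)."""
    cb, cm = centroid(benign), centroid(malicious)
    w = (2 * (cm[0] - cb[0]), 2 * (cm[1] - cb[1]))
    b = (cb[0] ** 2 + cb[1] ** 2) - (cm[0] ** 2 + cm[1] ** 2)
    return w, b


def score(model, x):
    (w0, w1), b = model
    return w0 * x[0] + w1 * x[1] + b


def red_mutate(model, sample):
    """Red picks the value of the mutable feature that lowers the detector score most."""
    (w0, _), _ = model
    return (0.0 if w0 > 0 else 1.0, sample[1])


def detection_rate(model, samples):
    return sum(score(model, s) > 0 for s in samples) / len(samples)


def run_rounds(rounds=3):
    """Return (detection rate on Red's samples, false-positive rate) for each round."""
    train_mal, history = list(MALICIOUS), []
    for _ in range(rounds):
        blue = train_blue(BENIGN, train_mal)
        evasive = [red_mutate(blue, m) for m in MALICIOUS]
        history.append((detection_rate(blue, evasive), detection_rate(blue, BENIGN)))
        train_mal += evasive  # Blue retrains on what Red found this round
    return history


if __name__ == "__main__":
    for i, (caught, fp) in enumerate(run_rounds()):
        print(f"round {i}: caught {caught:.0%} of Red's samples, false positives {fp:.0%}")
```

In round 0 the detector leans on the feature Red controls and misses every mutated sample; after one retraining round it weights the behaviour feature instead and catches all of them without flagging the benign set.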

While Machine Learning Red Teaming involves proprietary research, it demonstrates the power of AI to take common, known activities and supercharge them. Notably, DARPA is getting in on the action with their Cyber Grand Challenge, investing in automated systems that can work alongside human security practitioners. We are just scratching the surface of how AI can transform the security world, but it’s incumbent upon all of us to push ourselves in that direction.

Looking Towards Data Science Plus Domain Expertise

Given the complexity of data in the security industry, damage to or loss of critical assets can occur if models are applied thoughtlessly. This is where domain expertise comes into play. Domain experts go beyond security practitioners and should include vulnerability researchers, hackers, and those familiar with implementing advanced techniques that stop the most sophisticated cyberattacks. Together, domain experts and data scientists can shape the model’s assumptions, spotting anomalies and patterns in the data. While an automated system can analyze and forecast events on its own, humans are needed to interpret the results, provide the best courses of action, and further shape the AI model.

Finding domain experts can be tricky. However, we’re starting to see companies post job descriptions for them. At my firm, we used our roots within the public and private sectors to assemble a group of over 20 domain experts, but it wasn't easy to build this kind of team. For others looking to do so, I recommend recruiting those leaving government service looking for commercial opportunities. Federal labs, the intelligence community, and federal law enforcement are great places to find trained domain experts who have faced the full range of cybercriminals, including sophisticated nation-state adversaries.

In short, AI still requires domain experts to work alongside the data scientists who are building the models to ensure they are relevant and operationally useful in order to truly innovate the industry.

A Change In Mindset Creates A Change in Culture

For AI to become the revolutionary tool it has the potential to be, enterprises should adopt a new way of thinking that highlights a scientific approach among not only practitioners but the entire enterprise all the way up to the C-suite. By understanding that machine learning is not a silver bullet by itself, enterprises that invest intelligently in these other areas will see improvements across their entire business.

In the security industry, thanks to the automation of many time-consuming and repetitive tasks, companies can take a more proactive approach to security. Instead of simply responding to alerts, security personnel could proactively hunt malicious activity within their networks.

Technology and cybercrime are evolving quickly. I believe it's time to integrate a diversity of expertise and bring the security industry up to speed. AI bolstered by domain expertise could put the security industry at the forefront of innovation. These machine learning-backed defenses will continue to evolve, expanding the shelf-life of security investments while enabling organizations to have greater defensive capabilities and a more proactive approach to cybersecurity.

This piece was originally featured on