This eWEEK Data Points article looks under the hood at what security vendors are really offering in the way of machine learning and artificial intelligence in their products. Any review of information security products on the market is filled with buzzwords of the day, including ML and AI.
However, the main thing is this: What are the real capabilities of ML and AI in each product or service, and are they right for the use cases they will be impacting?
Even by themselves, ML/AI can be hard terms to define, so how does this play into security product marketing? Are the terms being oversold--or undersold--to potential buyers?
Our source for this story is John Omernik, distinguished technologist at MapR and an expert in detecting security threats and preventing fraud using data analytics. Prior to MapR, John was Senior Vice-President of Security Innovations at Bank of America, where his responsibilities included architecting a next-generation security data platform focused on speed of delivery and ease-of-use for security practitioners. His experience in the financial industry includes information security, threat intelligence and fraud analytics/prevention.
Omernik has several recommendations for security decision makers who want to dig deeper into marketing claims by vendors before they make the important decision about where to spend a security investment.
Data Point No. 1: Understand the technical components of ML/AI in the product.
Sometimes a product can use simple classification algorithms on a single type of data, and based on that, make huge claims about the inclusion of ML/AI. Getting the vendor talking about the implementation allows you to assess whether it's a point ML/AI solution or a way to bring ML/AI to security data in a more comprehensive way.
Data Point No. 2: Ask about the flexibility of the AI/ML models.
Does the vendor claim to use a proprietary model that will solve "all the problems?" Can this model be altered by the customer? Can different models all work on the same data, or can your data only be worked on by the models bundled with the security product? Everyone's enterprise is different, and that includes their security needs. There is no one-size- fits-all product or approach.
Data Point No. 3: Ask about the application of AI/ML models.
Can models be applied to different data sets? Can log data, audio data (i.e. phone recordings), video data (i.e. security cameras) and other sources of data (transactional data, for example) all be worked on? If so, can these data sets work together, or must they be independent? Applying AL/ML to data can be great, but an organization’s data stretches across data silos, and if AL/ML can only work on certain silos, something is likely missing.
Data Point No. 4: How will new AI/ML approaches be incorporated into the solution?
Can the vendor describe how this process works? Can the vendor provide examples of when past AI/ML was incorporated into the solution and how that development, testing, implementation and licensing played out? The last component, licensing, is critical: Was an organization’s data held hostage and kept away from new AI/ML until a fee was paid to apply the algorithm? This isn't 100% bad. For instance, if a new AI/ML was developed by the vendor it makes sense. But if they just implemented someone else's algorithm on the data when the licensing fee was paid, then that's something an infosec practitioner will want to know.
Data Point No. 5: Does the product advance the security team’s data knowledge and skills?
Does the platform allow security practitioners to apply the latest ML/AI toolkits? Does the tool help practitioners learn about how data works and help them grow their understanding of data engineering and data science as it pertains to the organization's data? Or, is the solution a black box in which their organization is forced to rely on the expertise of a vendor to solve security problems? A balance must be struck between working with vendors, and growing an internal talent pool. A product that allows growth will serve the organization better.