Unlike many other fields, data and labels are scarce in the cybersecurity space and usually require highly skilled labor to generate. Looking at a random set of logs in most cybersecurity logging systems will most likely result in zero labels. Nobody labeled a user downloading a document as malicious or benign; nobody provided data if a login was legitimate or not. This is unique to cybersecurity. In many other fields of applied AI, labels are abundant and allow for using techniques leveraging those labels.<\/p>\n
Because of the lack of labels, most detection approaches use unsupervised learning, such as clustering or anomaly detection, as it doesn\u2019t require any labels. But, that has considerable downsides.<\/p>\n
<\/a> Two \u2014 Anomalous Is Not Malicious<\/h3>\nFollowing up on the last point, many approaches use anomaly detection and clustering to detect suspicious activities. While these techniques have some merit, they have the unfortunate secondary effect of detecting many benign activities.<\/p>\n
Reviewing any mature network environment will present many assets and activities that are anomalous by design, like vulnerability scanners, domain controllers, service accounts and many more. These assets create considerable noise for anomaly detection systems, as well as alert fatigue for a SOC analyst reviewing the alerts generated by such systems. Whereas attackers, most of the time, will remain below the threshold and can remain undetected by such systems as the level of anomalous activity to achieve their goals is often considerably lower than what is done by the aforementioned assets.<\/p>\n![\"Chart]()
<\/span><\/div>Visualization of simplistic anomaly detection algorithms to detect port scans.<\/figcaption><\/figure>\nOn the other hand, supervised learning systems can remediate this issue and filter out anomalous by design activities and assets, even when using unsupervised techniques as part of the model. But, they require labels, and we\u2019ve established that those are hard to find.<\/p>\n
<\/a> Three \u2014 Domain Adaptation and Concept Drift Are Abundant<\/h3>\nDomain adaptation and concept drift are key issues in data science. Models are usually trained on a subset of data many times in a simulation of the real world. When that model is losing touch with the real-world data, leading to poor precision and recall, you would call this \u201cConcept Drift.\u201d Alternatively, if the model doesn\u2019t provide the same result across multiple situations, you would call that \u201cDomain Adaptation.\u201d<\/p>\n![\"Original]()
<\/span><\/div>Visual representation of the concept drift.<\/figcaption><\/figure>\nIn the cybersecurity space, the world is always changing as both attackers and defenders try to stay ahead of one another, leading to considerable concept drift. By reviewing the MITRE definition of process injection<\/a> we can see that the meaning of the term has changed considerably in the last couple of years with new subtechniques being added all the time. That will probably change again as attackers evolve. Models trained to detect such activity require retraining, or they become obsolete.<\/p>\nAdditionally, models trained in one environment don\u2019t necessarily generalize well for others. Due to the large set of configurations in real-world environments, models trained for cybersecurity issues tend to have considerable domain adaptation issues. Imagine a model trained on a lab environment, that model has never been fed with examples of the myriad of configurations applicable to a specific application, let alone how different applications might change the behavior due to other installed applications.<\/p>\n
<\/a> Four \u2014 Domain Expertise Is Critical and Hard to Find<\/h3>\nUnlike many other domains, validating models requires unique cybersecurity expertise. Classifying if a traffic light is green or red doesn\u2019t need a specialist, whereas classifying if a file is malicious requires a malware analysis expert. Building AI models for cybersecurity requires trained experts that can validate the results and label cases to assess key performance indicators (KPIs). As there\u2019s a scarcity of those experts and doing supervised learning is the golden path for cybersecurity AI, that creates another key challenge to doing AI correctly in this space.<\/p>\n
<\/a> Five \u2014 Explainability Is Key for Successful Incident Response<\/h3>\nEven if you can train the best model that has high precision and recall but the output isn\u2019t clear, it\u2019s not a good model. Incident response requires a clear understanding of what actually happened to properly respond to the threat at hand. Models are just tools that help reach the goal of detecting the attack, but without explaining what happened, those don\u2019t translate into actual security value for analysts. This creates challenges for unsupervised learning as it\u2019s harder to explain the model behavior. It also creates a high bar for any supervised model that must provide a proper explanation on what happened, why it\u2019s important, and how it\u2019s detecting the activity.<\/p>\n![\"SmartScore]()
<\/span><\/div>Explainability in Cortex SmartScore helps an analyst understand why a priority score was given.<\/figcaption><\/figure>\n<\/a> Cortex \u2014 Cybersecurity AI Applied in Scale<\/h2>\nCortex has applied solutions for unlabeled data that is leveraging a patented, semi-supervised learning technique<\/a> and multiple other techniques to leverage the scale of data that the Cortex platform collects. Our entire stack of prevention, detection and prioritization systems, including Local Analysis, Cortex Analytics<\/a> and SmartScore<\/a>, are leveraging supervised learning that aims to detect malicious data and ignore the anomalous by designing data that is benign. Furthermore, we have invested considerably into explainability and transparency with documentation<\/a> and explainability models<\/a> where needed.<\/p>\n<\/a> Key Takeaways<\/h3>\nSpecialization Is Pivotal:<\/strong> Understand that applying AI in cybersecurity requires specialization in the specific field and use case. Each use case has unique challenges, and a one-size-fits-all approach doesn't work. Tailor your AI solutions to the specific cybersecurity challenges you face.<\/p>\nLack of Labeled Data:<\/strong> Unlike many other fields, cybersecurity often lacks labeled data, making supervised learning challenging. Embrace unsupervised learning techniques, like clustering and anomaly detection, but be aware that they can generate false positives, contributing to alert fatigue.<\/p>\nDomain Adaptation and Concept Drift:<\/strong> Recognize that the cybersecurity landscape is evolving, leading to concept drift and domain adaptation issues. Models trained on outdated or limited data may become obsolete. Regularly retrain models and consider the dynamic nature of the threat landscape.<\/p>\nDomain Expertise Is Essential:<\/strong> Building AI models for cybersecurity requires domain expertise. Validate models with cybersecurity experts who can assess key performance indicators. Scarcity of such experts can be a challenge, but their input is crucial for effective AI implementation.<\/p>\nExplainability Matters<\/strong>: In incident response, explainability is crucial. Models must not only detect threats but also provide clear explanations of what happened, why it's important, and how they detected the activity. Invest in AI solutions that prioritize explainability for successful incident response.<\/p>\nLike What You Read? Stay Up-to-Date by <\/b>Subscribing<\/b><\/a> to our SecOps Blogs<\/b><\/p>\nLearn More About AI\u2019s Impact on Cybersecurity<\/b><\/p>\n
![\"Chart](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2024\/03\/word-image-315863-1.png\")
<\/span><\/div>On the other hand, supervised learning systems can remediate this issue and filter out anomalous by design activities and assets, even when using unsupervised techniques as part of the model. But, they require labels, and we\u2019ve established that those are hard to find.<\/p>\n
<\/a> Three \u2014 Domain Adaptation and Concept Drift Are Abundant<\/h3>\nDomain adaptation and concept drift are key issues in data science. Models are usually trained on a subset of data many times in a simulation of the real world. When that model is losing touch with the real-world data, leading to poor precision and recall, you would call this \u201cConcept Drift.\u201d Alternatively, if the model doesn\u2019t provide the same result across multiple situations, you would call that \u201cDomain Adaptation.\u201d<\/p>\n![\"Original]()
<\/span><\/div>Visual representation of the concept drift.<\/figcaption><\/figure>\nIn the cybersecurity space, the world is always changing as both attackers and defenders try to stay ahead of one another, leading to considerable concept drift. By reviewing the MITRE definition of process injection<\/a> we can see that the meaning of the term has changed considerably in the last couple of years with new subtechniques being added all the time. That will probably change again as attackers evolve. Models trained to detect such activity require retraining, or they become obsolete.<\/p>\nAdditionally, models trained in one environment don\u2019t necessarily generalize well for others. Due to the large set of configurations in real-world environments, models trained for cybersecurity issues tend to have considerable domain adaptation issues. Imagine a model trained on a lab environment, that model has never been fed with examples of the myriad of configurations applicable to a specific application, let alone how different applications might change the behavior due to other installed applications.<\/p>\n
<\/a> Four \u2014 Domain Expertise Is Critical and Hard to Find<\/h3>\nUnlike many other domains, validating models requires unique cybersecurity expertise. Classifying if a traffic light is green or red doesn\u2019t need a specialist, whereas classifying if a file is malicious requires a malware analysis expert. Building AI models for cybersecurity requires trained experts that can validate the results and label cases to assess key performance indicators (KPIs). As there\u2019s a scarcity of those experts and doing supervised learning is the golden path for cybersecurity AI, that creates another key challenge to doing AI correctly in this space.<\/p>\n
<\/a> Five \u2014 Explainability Is Key for Successful Incident Response<\/h3>\nEven if you can train the best model that has high precision and recall but the output isn\u2019t clear, it\u2019s not a good model. Incident response requires a clear understanding of what actually happened to properly respond to the threat at hand. Models are just tools that help reach the goal of detecting the attack, but without explaining what happened, those don\u2019t translate into actual security value for analysts. This creates challenges for unsupervised learning as it\u2019s harder to explain the model behavior. It also creates a high bar for any supervised model that must provide a proper explanation on what happened, why it\u2019s important, and how it\u2019s detecting the activity.<\/p>\n![\"SmartScore]()
<\/span><\/div>Explainability in Cortex SmartScore helps an analyst understand why a priority score was given.<\/figcaption><\/figure>\n<\/a> Cortex \u2014 Cybersecurity AI Applied in Scale<\/h2>\nCortex has applied solutions for unlabeled data that is leveraging a patented, semi-supervised learning technique<\/a> and multiple other techniques to leverage the scale of data that the Cortex platform collects. Our entire stack of prevention, detection and prioritization systems, including Local Analysis, Cortex Analytics<\/a> and SmartScore<\/a>, are leveraging supervised learning that aims to detect malicious data and ignore the anomalous by designing data that is benign. Furthermore, we have invested considerably into explainability and transparency with documentation<\/a> and explainability models<\/a> where needed.<\/p>\n<\/a> Key Takeaways<\/h3>\nSpecialization Is Pivotal:<\/strong> Understand that applying AI in cybersecurity requires specialization in the specific field and use case. Each use case has unique challenges, and a one-size-fits-all approach doesn't work. Tailor your AI solutions to the specific cybersecurity challenges you face.<\/p>\nLack of Labeled Data:<\/strong> Unlike many other fields, cybersecurity often lacks labeled data, making supervised learning challenging. Embrace unsupervised learning techniques, like clustering and anomaly detection, but be aware that they can generate false positives, contributing to alert fatigue.<\/p>\nDomain Adaptation and Concept Drift:<\/strong> Recognize that the cybersecurity landscape is evolving, leading to concept drift and domain adaptation issues. Models trained on outdated or limited data may become obsolete. Regularly retrain models and consider the dynamic nature of the threat landscape.<\/p>\nDomain Expertise Is Essential:<\/strong> Building AI models for cybersecurity requires domain expertise. Validate models with cybersecurity experts who can assess key performance indicators. Scarcity of such experts can be a challenge, but their input is crucial for effective AI implementation.<\/p>\nExplainability Matters<\/strong>: In incident response, explainability is crucial. Models must not only detect threats but also provide clear explanations of what happened, why it's important, and how they detected the activity. Invest in AI solutions that prioritize explainability for successful incident response.<\/p>\nLike What You Read? Stay Up-to-Date by <\/b>Subscribing<\/b><\/a> to our SecOps Blogs<\/b><\/p>\nLearn More About AI\u2019s Impact on Cybersecurity<\/b><\/p>\n
![\"Original](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2024\/03\/word-image-315863-2.png\")
<\/span><\/div>In the cybersecurity space, the world is always changing as both attackers and defenders try to stay ahead of one another, leading to considerable concept drift. By reviewing the MITRE definition of process injection<\/a> we can see that the meaning of the term has changed considerably in the last couple of years with new subtechniques being added all the time. That will probably change again as attackers evolve. Models trained to detect such activity require retraining, or they become obsolete.<\/p>\n Additionally, models trained in one environment don\u2019t necessarily generalize well for others. Due to the large set of configurations in real-world environments, models trained for cybersecurity issues tend to have considerable domain adaptation issues. Imagine a model trained on a lab environment, that model has never been fed with examples of the myriad of configurations applicable to a specific application, let alone how different applications might change the behavior due to other installed applications.<\/p>\n Unlike many other domains, validating models requires unique cybersecurity expertise. Classifying if a traffic light is green or red doesn\u2019t need a specialist, whereas classifying if a file is malicious requires a malware analysis expert. Building AI models for cybersecurity requires trained experts that can validate the results and label cases to assess key performance indicators (KPIs). As there\u2019s a scarcity of those experts and doing supervised learning is the golden path for cybersecurity AI, that creates another key challenge to doing AI correctly in this space.<\/p>\n Even if you can train the best model that has high precision and recall but the output isn\u2019t clear, it\u2019s not a good model. Incident response requires a clear understanding of what actually happened to properly respond to the threat at hand. Models are just tools that help reach the goal of detecting the attack, but without explaining what happened, those don\u2019t translate into actual security value for analysts. This creates challenges for unsupervised learning as it\u2019s harder to explain the model behavior. It also creates a high bar for any supervised model that must provide a proper explanation on what happened, why it\u2019s important, and how it\u2019s detecting the activity.<\/p>\n Cortex has applied solutions for unlabeled data that is leveraging a patented, semi-supervised learning technique<\/a> and multiple other techniques to leverage the scale of data that the Cortex platform collects. Our entire stack of prevention, detection and prioritization systems, including Local Analysis, Cortex Analytics<\/a> and SmartScore<\/a>, are leveraging supervised learning that aims to detect malicious data and ignore the anomalous by designing data that is benign. Furthermore, we have invested considerably into explainability and transparency with documentation<\/a> and explainability models<\/a> where needed.<\/p>\n Specialization Is Pivotal:<\/strong> Understand that applying AI in cybersecurity requires specialization in the specific field and use case. Each use case has unique challenges, and a one-size-fits-all approach doesn't work. Tailor your AI solutions to the specific cybersecurity challenges you face.<\/p>\n Lack of Labeled Data:<\/strong> Unlike many other fields, cybersecurity often lacks labeled data, making supervised learning challenging. Embrace unsupervised learning techniques, like clustering and anomaly detection, but be aware that they can generate false positives, contributing to alert fatigue.<\/p>\n Domain Adaptation and Concept Drift:<\/strong> Recognize that the cybersecurity landscape is evolving, leading to concept drift and domain adaptation issues. Models trained on outdated or limited data may become obsolete. Regularly retrain models and consider the dynamic nature of the threat landscape.<\/p>\n Domain Expertise Is Essential:<\/strong> Building AI models for cybersecurity requires domain expertise. Validate models with cybersecurity experts who can assess key performance indicators. Scarcity of such experts can be a challenge, but their input is crucial for effective AI implementation.<\/p>\n Explainability Matters<\/strong>: In incident response, explainability is crucial. Models must not only detect threats but also provide clear explanations of what happened, why it's important, and how they detected the activity. Invest in AI solutions that prioritize explainability for successful incident response.<\/p>\n Like What You Read? Stay Up-to-Date by <\/b>Subscribing<\/b><\/a> to our SecOps Blogs<\/b><\/p>\n Learn More About AI\u2019s Impact on Cybersecurity<\/b><\/p>\n<\/a> Four \u2014 Domain Expertise Is Critical and Hard to Find<\/h3>\n
<\/a> Five \u2014 Explainability Is Key for Successful Incident Response<\/h3>\n
![\"SmartScore](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2024\/03\/word-image-315863-3.png\")
<\/span><\/div><\/a> Cortex \u2014 Cybersecurity AI Applied in Scale<\/h2>\n
<\/a> Key Takeaways<\/h3>\n