It’s Just Educated Guesswork!

Who can remember, as a kid, when you fell over in the playground and scraped your knee, that the teacher (who probably wasn’t a medical expert) got a wet paper towel and applied some kind of magic that made it much better!?

Sometimes a hug sorted things out emotionally and you were back on the swings like it never happened?

I am not a medical expert, but the wet paper towel probably has not made it into The Lancet as the most effective cure for all ailments.  But it is still in operation to this day, and many teachers and parents swear by it.

Gone are the days of leaving an open wound so that the ‘air can get to it’ as we now have all kinds of plasters, creams, lotions and potions that will cure scraped knees and other horrific injuries.

Without sounding too disrespectful to our fantastic doctors and nurses who look after us and bearing in mind that they have studied hard to get to where they are – medical treatment is very much ‘educated guesswork’ in a lot of cases. 

Experience helps, advancements in technologies help but also knowing the traditional way of doing something and the root cause of the problem is probably the most important part of trying to keep somebody safe and well and to protect them from further harm.

It is just educated guesswork.

There are not many meetings, conferences and training events that I attend that don’t drop a conversation about AI into the mix and, away from the advancements of generative AI solutions to enhance businesses, the big question I tend to get asked is: how does it impact security?

I have to admit that over the past few years – I have got weary of the subject, of the inevitable questions I get asked about it, and of people assuming that I am some kind of AI security expert.  Which I am not.

I get ‘weary’ because it is often people who have no idea what they are asking, or any idea what your response means, that pose the questions.  If you try to counter their questions with “what do you mean by AI?” or even “what is cybersecurity to you?” you often get very half-arsed responses.

But they need to speak about AI because everybody else is.

Don’t get me wrong – It fascinates me.  I am definitely onboard with the technical advances in the world of AI and I have taken courses in the subject.  But let’s take a look at the facts as I see them.

‘We’ have been using AI and in particular machine learning for some time.  I remember working with intrusion detection systems about 10 years ago that had some form of ML built into them which would detect anomalies, behavioural trends and learn stuff (often over months of operation) which could then feed through to the SOC or trigger some form of report.

So all of a sudden, over the past couple of years – the world has gone crazy for AI!  Admittedly the world has gone crazy over the use of generative AI and underlying systems which are amazing (but again not necessarily new).

What is new of course, is the fact that (like all things in technology) they have got better, faster, more flexible and engineers are now finding more and more great uses for the implementation of AI systems into day-to-day operations.  And long may that continue.

AI is now a fundamental part of our security solutions too.  Not just in the form of IDPS systems – which have improved as the technology has advanced – but in the use of some great systems such as cyber threat hunting and analysis, data loss prevention systems, data classification systems and other risk controls which are mostly implemented in cloud-security solutions.

Of course, the cloud is another huge technical improvement over the past 10 years or so and continues to evolve at a rapid pace.  It is difficult to keep up with the advances in cloud technologies, AI (in all its forms), data analytics, quantum computing and general technology advancements. And I defy anybody to stand up and tell me that they are an expert in all of it.

On the flip side – AI also plays into the hands of the adversaries we are trying to protect against.  You no longer need to be skilled in coding or scripting to create great vulnerability scanning tools or bypass defensive measures, and even tools such as Copilot will provide a would-be attacker with the right starting points to mount an attack:

This simple prompt comes with the caveat that you should take care with such scripts but then also asks if you want to take it to the next step and include it into more advanced tools which will help you get a better foothold into the system.

We also hear how AI is used to make social engineering attacks more realistic with the use of deepfake technologies – this is becoming increasingly more sophisticated and let’s face it – quite scary.

But recent attacks (such as Marks & Spencer and Co-op) show how groups that are effectively ‘guns for hire’ on the Dark Web are using the availability of cloud-based services such as Ransomware as a Service and Denial of Service as a Service, which can be easily bought and sold.  These are pretty much untraceable in the right hands.

We defend these attacks with better technology, but they still only need to get lucky once to make a huge impact.  Which – has always been the case.

So in essence – the increased use of AI and cloud technologies that our adversaries are using is met with the increased use of AI and cloud technologies our defenders are using.  But the basic concepts of attack techniques, tactics and procedures and capability with motivation remain the key components of a cyber threat.

So who thinks that they are an ‘expert’ these days?  I think that layering in all of the elements that a modern-day cybersecurity professional has to contend with – the use of ‘educated guesswork’ probably is a good fit.

Experience helps, advancements in technologies help but also knowing the traditional way of doing something and the root cause of problems is probably the most important part of trying to keep information systems safe and well and to protect them from further harm.

But at the end of the day it is just educated guesswork.

I wouldn’t blame you if you now felt a little insulted by me suggesting that we use educated guesswork to protect our systems.  So don’t use that term next time you are reporting to the board or justifying your decisions.  But isn’t everything we do – based on responding to a dynamic situation using the tools and skills that we have available at that time?

If a wet paper towel and a hug fixes the problem and gets the kid back ‘happy and smiley’ then that traditional technique is perfect.  If the situation requires a bit more advanced technology, then know when, where and how to use it.

And that brings me on to the ‘educated’ bit.

You get educated by experience.  Learn from your mistakes, learn from your successes and learn from others, but also understand that not every situation is the same.  We need to keep up with trends, technologies and techniques.  We need to keep up with standards and regulations as they constantly evolve and this also means we need to constantly evolve our policies and procedures.

These are a few of the great takeaways which I recently had sight of from a colleague who attended a webinar on ‘Harnessing AI for a safer digital world’.

  • AI is supercharging existing threats – not inventing new ones.
  • Unknown unknowns are the greatest risk.
  • The human factor still matters.

And the practical solutions quoted were:

  • Strengthen the foundations
  • Adopt a responsible AI strategy
  • Upskill continuously
  • Prepare for the unknown
  • Push for governance and collaboration

Those of us who have been working in the security sector for a while will hopefully read the above bullet points (especially the practical solution suggestions) and think “so what’s new?”.  Absolutely nothing!!  Apart from including ‘AI’ into the mix.

Experience and training are key in the provision of a cyber defence. 

Cybersecurity is no longer (and this has been the case for a long time) a nice-to-have but is a fundamental requirement for all organisations – regardless of size or industry sector.

Get a training strategy in place.  Find the gaps in your organisation’s knowledge and skills and work out how to plug them.

Here are some key questions to answer:

  • Can you do this internally with the skills already in place or do you need to invest in external training to an approved standard?
  • Do you need bespoke training to fill those gaps? 
  • How can you future proof yourself?
  • How quickly do you need to get this in place? 
  • Are there particular standards or frameworks that you need to adopt?
  • Is certification a requirement?
  • Where, when and how can I get this training?
  • Who can I talk to in order to get some advice and guidance?

Make sure that your training provider cares about your needs and is not just in the market to sell you a course which doesn’t meet your objectives.

Speak to them and get them to do a training needs analysis with your technical teams so that you get the right fit for you. 

Make sure that your provider is flexible in the modalities that fit your needs.

From wet paper towels to more advanced technologies – find the right fit for your organisation.

AI is a fundamental part of most IT systems and organisations are rightly embracing these technologies.  Like all changes in technology and working practices – this comes with risk.  Strategic policy, governance and controls are a key factor in mitigating risk and even though AI is an increasingly evolving factor – get the foundations right and you are heading in the right direction.

There are several great foundational AI courses on the market and some more advanced offerings in the art of auditing and security management.  It is well worth checking these out as a starting point.

As a side note – when I was at school, I had to attend classes in ‘Rural Science’ which involved the use of AI.  This was, however, used to get pigs and cows pregnant and is a slightly different technology to the AI that everybody is now talking about.  Never confuse the two.  Although I now understand that AI is used in AI on modern farms!

Machine learn long and prosper!
