Artificial intelligence — as embedded within network security — plays a critical role in enabling organizations to stay cyber secure. In this interview security engineer Gergana Kungalova describes the network security problems that AI addresses and the risks involved in using AI within this area.
Q: Can you describe the role of artificial intelligence in network security?
A: Cyber security and AI have been interconnected for some time now. The demands of digitalization/digital transformation require an agile cyber security strategy - the threat landscape is increasing and response time is more crucial than ever before. The usage of AI in cyber security is allowing companies to focus on a proactive approach instead of a reactive one.
The high demand for AI in network security stems from the fact that we have to maintain a high level of security at any/every entry point and simultaneously reduce the administrative burden. AI can ease the complexity of managing security policy by automating policy changes, tasks, logs analysis, optimization etc. It can also provide higher levels of protection, enabling organizations to use modern security mechanisms and perform deep traffic inspection.
At its core, AI in network security is a tool or set of tools that perform automatic actions based on certain requirements. It may operate with a database or via predefined conditions. The main role of AI in network security is to enable the operation teams to do more in less time.
Q: What are some common challenges in network security that AI helps to address?
A: Network security has shifted from policies based on networks and ports, to policies based on identities and applications. There is no longer such a thing as a network defined perimeter - the applications can be hosted on-premises or in the cloud; the users can be located in the internal network or can access the internal services from home or from a public place. This change has introduced the requirement for a granular rule set, for which the goal is to limit network access based on zero trust principles – ‘who can access what’. This approach means that the polices are no longer static, they have to be maintained on a regular basis. Using AI for policy management and optimization can address the overhead challenge and provide a way to maintain this dynamic policy without affecting the team’s utilization.
I would like to emphasize that a well-maintained security policy by itself cannot provide a sufficient level of protection, no matter how granular it is. We have to look at the next layer - the threat protections that are used to inspect the traffic. The traditional stateful inspection and static packet inspection are not enough to protect the network. Efficient network security is using dynamic mechanisms that can provide deep packet inspection like intrusion prevention, DNS security, anti-virus etc.
Another common challenge that network security teams are facing includes dealing with very high numbers of logs – traffic information. An AI tool integrated within the network security products can significantly improve the time for fast incident response and root cause analysis. Also, it enables the administrators to have proactive insights into the current security posture.
Q: What are the risks involved in using AI within network security?
A: The implementation and usage of AI within network security has to be a well-defined and strict process. Otherwise, there is a risk that may lead to compromise and ethical complications, as the proper AI functionality relies on the data that it operates with. The proper ‘feeding’ and regular audits are important for the decision-making process. If, for some reason, the information is not clear or incorrect, there is a risk of making wrong decisions, which may result in operational impact or security incidents.
Q: Can you share a real-world example of where AI has significantly improved network security?
A: Well, I will start with the tiniest example but one with huge impact: dynamic objects and applications. The usage of cloud applications added huge overhead for network security teams. If a given organization is using O365, then it means that the traffic should be allowed from all users and move towards all IP addresses and ports used by Microsoft. Thousands of ranges that are constantly changing - in manual work those are thousands of hours and changes in the policy. I saw companies allowing access to whole Internet just to keep up with those changes. Can you imagine the risk they are taking? With dynamic objects, all work is done automatically without the need of intervention. When Microsoft pushes changes, they are automatically implemented with all necessary rules, without any risk for allowing unnecessary communications.
Another great example is autonomous threat prevention, which eliminates the gap between releasing new protections and implementing them within the environment. When there is a new vulnerability or new zero-day attack, all protections are automatically updated based on the customer’s environment. In traditional threat prevention, it could take up to two weeks, in some cases even more, to implement protections that will leave the environment vulnerable and allow bad actors to explore their options.
Q: Do you think that artificial intelligence has the potential to completely replace human involvement in network security? Why or why not?
A: Hmm, I have heard a lot of theories that the AI will replace the human involvement 100 percent, but this is not the way I see things. For me, AI is just a tool to assist us with our daily tasks. There are many ways that AI can improve the way we do network security and automate whole processes, but AI cannot replace the strategic thinking. The human role in network security will be more focused on advisory tasks in collaboration with the AI.
Q: In terms of network security, how do you expect that AI will evolve in the next 2-3 years?
A: There is no doubt that the AI will continue to evolve together with network security. We should expect more sophisticated protections, better automation, but also new cyber challenges. AI is a powerful tool that can be used by both sides - cyber warriors and cyber criminals.
Gergana Kungalova is a security engineer at Check Point.