To stay ahead in a hyperconnected world with more sophisticated and well-funded threats constantly emerging, financial institutions are exploring how to harness cutting-edge technologies for cyber defence. Insights spoke with ING CISO Beate Zwijnenberg about the opportunities and challenges of applying technologies like artificial intelligence and machine learning to cybersecurity.

As financial institutions race to digitise products and services, how should they think about applying new technologies to cybersecurity?

In the race of financial institutions to digitise products and services, ING believes that applying new technologies enables us to further foster our cybersecurity capabilities, so we can continue to bring business value and improve risk management for the bank.

As it is easy to get distracted by the huge dynamics within the cybersecurity profession, we try to keep focus on exploring the value of new technologies. However, this is a continuous challenge, as:

  1. There are always more vulnerabilities to address and protections to consider.
  2. It is difficult to be proactive as new threats arise regularly and the number of incidents to be handled continues to grow.
  3. Finally, there is only so much change an organisation can absorb.

To keep up with the latest trends, we invest in ING innovation labs, collaborative cybersecurity innovations with industry peers, share knowledge among the ecosystem and look closely at new technology operating platforms that combine e.g. agile approaches, robotics and cloud.

How do you incorporate AI/ML into cybersecurity programs? How has this evolved recently and where is it going?

We try to incorporate AI/ML into our cybersecurity programs where possible. We believe there are three important conditions necessary to make AI/ML work well:

    • First, you need high quality data. When data is disorganized or inconsistent, it is difficult to accurately interpret it. Though we have a lot of data, it is not always the quality needed. For network traffic scanning, most of the data is quite consistent and the taxonomy documented, so this is an example of where we use it.
    • A second condition for using AI/ML is the need for a good model. Exploring AI/ML techniques is time and process consuming. When working with algorithms you need to fully understand what is going on, what different learning scenarios would be, in which areas you want it to be developed and what is the model you start from. Companies are investing a lot in modeling and there are successes in deep learning and neural networks, but for cybersecurity an architecture model and how to interpret different data (with the right bias and weight) is something that requires more time and investment.
    • The third condition is to have sufficient processing power. Processing of large data sets is a huge effort, and that is where the modeling architecture comes in. If you have proper models it means you are using less energy and less processing power and – though processing power is evolving rapidly – having such large amounts is still a challenge.

What problems can AI/ML solve that older modalities cannot?

AI/ML can potentially solve issues with scalability in human analysis. Though it is working now for e.g. network tracking through cyber defence platforms, we do see challenges with AI/ML models that trigger on wrong assumptions. This results in many false positives in the security detection process, which need to be investigated by humans. We are optimistic about what AI/ML can do, but it will take some time.

What are other use cases besides fraud?

In processes where we do understand the models, modus of operation and we have high quality data and processing power we use some forms of AI/ML. For example, this is in network anomaly detection, malware detection, for automating repetitive tasks and some features in the anti-phishing domain e.g. recognition of the ING logo. New threats emerge though, of which the recent SolarWinds hack with the Sunburst malware is an example. In this case, the anti-malware detection was fooled and the hack was executed well within boundaries so that no one noticed it.

Where are humans still required in the cybersecurity value chain? What does AI/ML not solve?

Humans will continue to be important for the cybersecurity value chain even with evolving AI/ML technology. The challenge with security and fraud is that AI/ML needs to be extremely precise. This is in contrast to, for example, social media companies that facilitate customer recommendations. If, for instance, there is a 50 percent match between their target audience and the recommendations, this is still good in terms of return on their investment. That is one of the issues many vendors still face, as most of the available software can detect almost all positives, but it also detects a lot of false positives. The challenge herein lies in how to fine-tune the level of preciseness.

Cybersecurity AI/ML technologies are not mature enough at deep analysis and therefore the use of humans for this part in the cybersecurity value chain will still be needed. It is interesting to see that large tech companies are employing neural scientists. What can we learn from evolution? Can we ever mimic human thinking and remove the human flaws in behavior related to cybersecurity threats?

Do you focus on building these capabilities in-house, or do you use third parties? How do you assess third party risk with security providers, especially when they are offering such cutting-edge technologies that in-house teams may not understand?

Of course, we do build our own specific AI/ML models, but for the underlying technology we - as virtually all organizations - depend on the specialists from the tech sector as well as collaboration with academic researchers. Outside highly specialized boutiques and Big Techs, very few organizations would have the critical mass to develop their full AI/ML stack, let alone with a viable business case.

The intricacies of third-party security are emphasized again in the SolarWinds case. It is extremely difficult to assess the entire supply chain even superficially, which is largely based on trust and legal agreements. It really does not matter if the technology is cutting-edge or not. Ask yourself the question: would anyone in a company understand the full source code of a SIEM or an IPS system line by line? Of course, you can ask for paper evidence and do as many penetration tests as you can afford, but 100% assurance is physically impossible. This is an industry-wide problem for which good answers have yet to be given.

With cyber criminals now targeting wholesale banking as opposed to just consumers, does this change the calculus for investing in advanced technologies to combat cyber fraud, since the amounts involved may be much larger?

We have for a number of years seen that the modus operandi of the consumer world is seeping into wholesale banking. Criminals usually like to take the path of least resistance when it comes to detection. They do not hesitate to hide for a long period. We do not invest in specific technology for this; however, we focus on cross-departmental collaboration and connecting the dots between the organization silos. In doing so, we try to anticipate the structures of potential criminal attacks (kill chain), as criminals do not think in silos.

The Insight

The promise of artificial intelligence and machine learning in cybersecurity is primarily where there are challenges with scalability of human analysis. While cutting edge, these technologies are also by definition immature; to be deployed successfully, they require lots of high-quality data, a good model which can be time consuming to build, and sufficient processing power. While it is important to use tailored models, most financial firms will depend on specialists in the technology space to implement these technologies rather than build them in-house.

March 2021

© 2021 FS-ISAC, Inc. All rights reserved.
