OVERVIEW OF ARTIFICIAL INTELLIGENCE IN CYBERSECURITY
Helping CISOs to navigate the AI hype, and make informed decisions
Olivier Busolini
Geneva, June 2019
© Olivier Busolini
1. WHAT ARE WE TALKING ABOUT ?
| June 2019 |Overview of AI in Cybersecurity 2
Artificial Imitation
Augmented Intelligence
Cybersecurity use case: sifting through events, correlating them with other events, and presenting analytics for a human analyst to determine the next actions
Orchestrate and automate tasks that humans can perform without a problem, at a much larger volume than we could ever handle
Process and structure huge volumes of data, including analysis of the complex relationships within it
Types of AI mostly used
Source: Saagie
SUPERVISED
Classification problems
Labelled data to train model
Volume, velocity and variety of data
UNSUPERVISED
Optimisation problems
Associate and cluster "normal" and "abnormal" data without explicit outputs
REINFORCEMENT
Maximization problems
Learning to perform a task by maximizing reward signals about how well it is performing
DLP level 1 monitoring
Event logs extraction
Is AI software a quantum leap ?
Careful of the hype
- Cloud, Blockchain, and now AI ?
- “Cool” products have to have AI
Difficulty to develop AI solutions
- AI is Math (advanced and new application of Statistics) not software
- Rely on the qualifications of people developing the models
  • Data scientists, often PhDs in Math and Computer Science, sometimes with (pending) patents
  • And Cybersecurity experts, with knowledge of cyber threats and the most appropriate types of defenses
- Hiring and retaining is a major challenge
  • Industry, projects and compensation (incl. equity) are key
  • Salaries for data scientists are skyrocketing, and not all companies can compete
  • Start-ups are more able to provide equity to top talent but less able to
    - Develop a mature piece of software with this cutting edge technology
    - Have access to big data for training and testing
Machine Learning challenges
Explainability
• Understand what DL actually learned
• Legal challenges
Verifiability
• Verifiability of detections
• Interpretation of output
Data Quality and Bias
• Not enough or no quality labelled data
• Data cleanliness issues: timestamps, normalization across fields, etc.
• Bad understanding of the data to engineer meaningful features
Knowledge
• Qualifications of people developing the models
• Understanding the business, the maths, and IT
2. AI IN CYBERSECURITY
Key flaws of cyber security
- I am still running after more than 20 years in the field
- (Sterile ?) race to arms
Defense paradigm based on previous knowledge of attacks
- Inefficient against zero-day and variations
Promise of AI/ML/DL: identify attacks as deviations from « normality »
Defensive AI
Malware detection
• Multi layer, multi ML engine defense
SOC, IDS/IPS & Honeypots
• Self learning ML and DL
Antispam
Vulnerability Mgt
• Identify and prioritize remediation
Data Classification
• Track data to identify, classify and protect
Threat Intelligence
• Categorize behavior for TI
• ML to monitor Dark Web
CISO’s loooong shopping list
CISO’s even loooonger shopping list
Source: CB Insights
- Anti Fraud & Identity Management: secure online transactions by identifying fraudsters, e.g. ML proactively detects fraud in financial transactions or fraudulent users on websites and in mobile
- Mobile Security: e.g. identify and grade risky behavior in mobile apps including known and unknown malware, new malware used in targeted attacks, corporate data exfiltration, and intellectual property exposure, mostly cloud based
- Predictive Intelligence: e.g. predictive and preventive security against advanced cyber threats with predictive execution modeling
- Behavioral Analytics / Anomaly Detection: detect anomalous behavior from insiders and external threats in organizations’ systems and networks in order to detect cyber-attacks, e.g. with digital fingerprints from an end-user’s behavior through monitored keystrokes, mouse behavior, and anomaly detection
- Automated Security: e.g. automate security tasks across 100+ security products and weave human analyst activities and workflows together
- Cyber-Risk Management: more focus on defining cyber risk appetite and cyber risk tolerance, to better enable business considering the cost of security controls
- App Security: securing applications, e.g. by helping developers secure applications by finding, fixing, and monitoring web, mobile, and networks against current and future vulnerabilities, with formal analysis and machine learning
- IoT Security: e.g. AI-powered asset-protection software for the safety, security, and reliability of the IoT; machine learning to identify hidden recording devices or transmitters in a conference room, and allow for a preemptive response to data theft.
- Deception Security: e.g. proactively deceiving and disrupting in progress attacks by detecting and fighting cyber attacks by creating a neural network of thousands of fake computers, devices, and services that act like a fog and work under the supervision of machine learning algorithms.
Offensive AI
Malware creation
• Speed up creation
• Enhance evasive capabilities
Smart botnets
• Self learning botnets
• Smarter zombies
Spear phishing
• Smarter social engineering
• More convincing scams
Adversarial AI
• GAN: discover and poison ML to produce false, and controlled, results
• Poison datasets
Conditional attacks
• Cyberattacks using Blockchain based smart contracts
Classify victims
• Optimize return on investment of attacks
Adversarial AI
Adversarial inputs
• Artefacts designed to fool Defensive AIs
Data poisoning
• Feed poisoned training data to cybersecurity tools
Feedback weaponization
• Poison ML to DoS AI users with False Alarm
Model stealing
• To enhance abilities of adversarial inputs
Source: 2018 DEFCON “AI Village”
An AI risk framework
Source: Deloitte. “Managing algorithmic risks - Safeguarding the use of complex algorithms and machine learning”
4. TAKEAWAYS FOR THE ORDINARY CISO
A few points to look at
Do you need AI ?
- Assess your threats and risks – are AI based solutions the best answers to some of them ?
- What is your current maturity in cybersecurity ? Up to where can you climb the ladder from detective, preventative or even predictive controls ?
What AI ?
- How does it learn ?
  • Learning ‘on the job’ within the user’s environment or the provider’s ?
  • What volume of data is required ? How often is retraining needed ?
- What's the mechanism for collaboration with humans ?
- What are the error rates ?
  • False positive, and false negative
  • Is the error rate acceptable to achieve detection ? Automatic remediation ?
Will you benefit from AI ?
- Have you defined AI’s RoI ?
- Can it detect, cluster, classify and make predictions that
  • would not have been possible by humans alone ? (complexity)
  • reduce the amount of human intervention and analysis required ? (scale)
  • in a timeframe not achievable by humans only ? (latency)
What conclusion for a CISO ?
CISOs need more (and more) efficiency & effectiveness
• Stressed and stretched IT security teams look to automation of cybersecurity tasks for relief
• Orchestration and integration of existing cybersecurity solutions is also necessary
• Scarce cybersecurity experts look for support from augmented intelligence (AI to support humans), if not autonomous intelligence (AI without humans), to increase efficiency and be able to meet more complex, massive and time sensitive threats
• Human intervention will most probably be required to provide specific expert knowledge or when an action can have severe consequences
Yes, AI is useful for CISOs but, sorry, no silver bullet (yet ?)
• AI solutions should be fully integrated and consistent with the existing Cybersecurity and IT processes to be efficient
• Change management might be required to benefit fully from the expected innovation, quality improvement and cost reduction
• AI cybersecurity systems bring new risks. Can we compensate with existing controls or do we need to develop new ones ?
Further work should focus on
AI
• Understand skills and training that are going to be necessary
• Enable responsible widespread use of training data by defining a framework of interoperable anonymized data
• Define a framework to assess and test AI safety
AI in cybersecurity
• Define an agreed upon AI security risk framework and associated set of AI security controls
  • AI as a tool
  • AI as a target
• Define a framework to assess use of AI by cybersecurity threat actors
• Define a framework to assess and test AI based cybersecurity solutions
• Define an implemental maturity model for AI based cybersecurity solutions
Olivier Busolini
busolivier@protonmail.com
This presentation was created in my personal capacity. The opinions expressed in this document are mine only, and do not necessarily reflect the view of my employer.
All rights reserved to the author.
Additional sources
Accenture
Autonomous Research
Cybersecurity intelligence
CSO Online
Defcon 2018 AI Village
Microsoft
NIST
Raffael Marty
Rodney Brooks
Thanks to
Reto Aeberhardt (EY)
Jan Tietze (Cylance)
Godefroy Riegler (ICON ONG)
David Doret
Fabian Gentinetta-Parpan (Vectra)
Pierre-Alain Moellic (CEA)
Challenge my views with questions !
Icons
Flaticon.com


Editor's Notes

  • #10
    Malware creation:
      • Customized undetectable malware using Elon Musk's OpenAI (2017 Defcon)
      • Extension on polymorphic malware: modify code on the fly based on how and what has been detected in the environment
    Smart botnets:
      • Self learning botnets: actions based on local intelligence and exchanges between botnets
      • Smarter zombies: act without the botnet C&C instructions
    Advanced spear phishing:
      • Text-to-speech, speech recognition, and natural language processing (NLP) for smarter social engineering
      • Train on genuine emails and make convincing scams
      • “Automated End2End spear phishing on Twitter”: success rate varying between 30 and 60 % (Black Hat USA 2016)
    Counter threat intelligence:
      • DDoS TI: raising the noise floor generates a lot of false positives to common machine learning models -> once a target recalibrates its system to filter out the false alarms, the attacker can launch a real attack that can get by the defensive ML
    Unauthorised access:
      • Breaking current CAPTCHA (98% success)
    Poisoning machine learning engines:
      • 2017: convolutional neural networks (CNNs) attacked to produce false (but controlled) results through CNNs like Google, Microsoft, and AWS
    Using AI to classify victims and optimize RoI
    Condition based cyberattacks, e.g. cyberattacks using Blockchain based smart contracts
  • #13 Generative adversarial networks, or GANs, which pitch two neural networks against one another, can be used to try to guess what algorithms defenders are using in their AI models. Another risk is that hackers will target data sets used to train models and poison them—for instance, by switching labels on samples of malicious code to indicate that they are safe rather than suspect.
  • #14
      • Adversarial inputs — big data inputs developed to be reliably misclassified by AI technologies to allow threat actors to evade detection. This category includes malicious documents and attachments designed to evade spam filters or antivirus technologies.
      • Data poisoning — the method of feeding “poisoned” training data to cybersecurity tools. Poisoning attacks can occur when data is fed to a classifier to skew the machine learning model’s ability to distinguish adverse events from normal events.
      • Feedback weaponization — a method of data poisoning that tricks a machine learning model into generating an enormous volume of false positives to create excessive noise in the SOC and evade detection.
      • Model stealing — an attack that incorporates techniques used to create a duplicate of a machine learning model or steal model training data. This methodology can be used to steal AI models used to classify incidents, events and malicious content. Stealing models enables bad actors to develop sophisticated, highly targeted attacks against cybersecurity AI.