But "a lot of people claim [their product incorporate] AI but don't deliver on it", she observed.
AI is not always the best fit in a security context, suggested Kay. In general, there is a need to automate and manage risk effectively, and doing the wrong thing can be worse than taking no action – you don't want AI to break your business by shutting down a crucial service, she said.
If an automated system detects suspicious activity, a common response is to shut down or isolate that component. That's fine if it is just one PC in your contact centre, because all the other agents can keep working.
|
Weak information leads to more false positives, and each decision made on the basis of weak information increased the risk of a bad outcome, she said.
Machine learning does have a part to play in maintaining security, but it should be "just in there" in much the same way as a driver doesn't think about a car having anti-lock braking.
Traditionally, most of the effort has gone into the prevention part of IT security, said Kay. But there's an increasing realisation that detection and response needs more attention.
Network traffic — if appropriately analysed — can provide useful information for the detection piece, especially as intruders increasingly know how to alter, disable or delete logs.
ExtraHop's approach, which comes from its background in performance management, is to take a copy of network traffic for analysis. That way, "they [intruders] don't know you're there", Kay explained.
This data provides "a strong foundation" for advanced analytics, and in turn those analytics go beyond detection to suggest possible courses of action.
This makes it easier for staff to explore situations, and allows them to investigate a larger number of alerts.
Traffic analysis "makes good business sense" for some organisations, said Kay, but it hasn't been seen as a priority until recently. Now, organisations have a better idea of risks and costs, and "the downside of going down".