Islands of Data - Best of Breed in the Age of AI
The "Best of Breed" design principle has been a school of thought which suggested that by combining a myriad of security solutions (the best VPN, the best EDR, the best firewall, the best proxy, etc.), the result was the optimal security implementation. This school of thought, however, overlooked the myriad dashboards and alerts that came with it. In October of 2017, I advocated for More Mortar and Fewer Bricks in an attempt to address this operational complexity of Best of Breed. Today, I would like to revisit this philosophy in light of AI.
I took my first college course in AI in 1992, when I was working toward my Master's Degree. By 1992, AI had been around for over 35 years, since its inception as a summer project at Dartmouth in 1956. This raises the question: why all the buzz about AI now? AI is finally coming of age because computing capacity has finally made it commercially feasible.
In the realm of security, AI greatly improves the fidelity of detection. As Forbes states, AI can "better analyze activity and identify false positives so that the cybersecurity system presents to humans only those issues that require human review." This is critical to addressing the problem of alert fatigue. IBM states "The average savings for organizations that use security AI and automation extensively is USD 1.76 million compared to organizations that don’t." Moreover, when AI moves from detecting malicious activity and reporting it to a human with suggested actions, to the point where the malicious activity is detected and remediated automatically, I predict the savings touted above by IBM will increase tenfold or more. Does this mean AI makes Best of Breed viable? Sadly, no. Allow me to explain.
AI/ML tools are only as good as the data lakes which train them, as these 10 examples show. The best engine can reduce the learning time, but it cannot overcome anemic or deficient data lakes. The old IT adage of garbage in, garbage out is as true now as ever. Thus, for AI to be useful in the world of security, it needs a good dataset. As a matter of fact, the more good data, the better.
When this is applied to the world of Best of Breed, it means each tool's AI dataset is only one slice of the whole picture. This means that (at best) each ML model is building its own picture of the whole, with varying degrees of accuracy, or (at worst) the tools may have conflicting views of the whole. As we move towards automated SecOps to effectively counter zero-day attacks, these problems will become magnified, as tools may act against each other due to inaccurate views. Thus, tool consolidation becomes critical in order to have a coordinated response to events. Each layer of application delivery (application, infrastructure, and endpoint) should have its own resilient and scalable security orchestrator which controls actions in its layer and provides feeds to the other layers.
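The "islands of data" problem above can be made concrete with a small simulation. The following is an added illustration, not code from the article or from any product it mentions: three hypothetical detectors (VPN, EDR, proxy) each score only the telemetry they can see, while an orchestrator merges every feed per host before deciding. The event kinds, weights, thresholds and host names are all constructed for the example.

```python
"""Added example: per-tool ("island") verdicts versus a correlated verdict.

Every tool sees one slice of activity for a host. Scored in isolation, the
slices disagree with each other; merged per host, the same events add up to
a picture no single tool could have formed. All data here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical severity (0..1) each tool assigns to the event kinds it can see.
ISLAND_RULES = {
    "vpn":   {"login_new_geo": 0.4},
    "edr":   {"unsigned_binary_run": 0.7},
    "proxy": {"upload_unknown_domain": 0.5},
}
ALERT_THRESHOLD = 0.7    # score at which a tool raises an alert on its own
CONTAIN_THRESHOLD = 1.0  # score at which the orchestrator isolates a host


@dataclass(frozen=True)
class Event:
    source: str  # which tool produced the event
    host: str    # the entity all feeds are correlated on
    kind: str    # normalised event type


# Constructed telemetry: three layers each observe something about ws-17,
# while ws-04 produces a single EDR event (e.g. a developer's own build).
EVENTS = [
    Event("vpn", "ws-17", "login_new_geo"),
    Event("edr", "ws-17", "unsigned_binary_run"),
    Event("proxy", "ws-17", "upload_unknown_domain"),
    Event("edr", "ws-04", "unsigned_binary_run"),
]


def verdict(score: float) -> str:
    """Map a score to an action: allow, alert (human review) or contain."""
    if score >= CONTAIN_THRESHOLD:
        return "contain"
    if score >= ALERT_THRESHOLD:
        return "alert"
    return "allow"


def island_verdicts(events):
    """What each tool concludes when it only sees its own slice of the data.

    Returns {source: {host: verdict}}.
    """
    scores = defaultdict(lambda: defaultdict(float))
    for e in events:
        scores[e.source][e.host] += ISLAND_RULES[e.source].get(e.kind, 0.0)
    return {src: {h: verdict(s) for h, s in hosts.items()}
            for src, hosts in scores.items()}


def correlated_verdicts(events):
    """What an orchestrator concludes after merging every layer's feed per host.

    Returns {host: verdict}.
    """
    scores = defaultdict(float)
    for e in events:
        scores[e.host] += ISLAND_RULES[e.source].get(e.kind, 0.0)
    return {h: verdict(s) for h, s in scores.items()}


if __name__ == "__main__":
    for src, hosts in island_verdicts(EVENTS).items():
        print(f"{src:6s} island sees: {dict(hosts)}")
    print("correlated view:", correlated_verdicts(EVENTS))
```

Run as written, only the EDR island alerts on ws-17 (and on ws-04, where nothing else corroborates it), while the VPN and proxy islands independently say "allow" for the same host; the merged view is the only one that reaches "contain" for ws-17. That is the coordination gap the article describes: three partially-informed decisions that do not agree, versus one decision made on the whole picture.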
Clearly, consolidation requires strong business continuity practices which are tested on a continuous basis. But that is a topic for another article, coming soon.
Cloud Solution Architect | Enterprise Architect | Agilista & FinOps | Mentor | Multicloud | CloudOps | Tech Speaker
6 months
Great article Maria!!