What type of machine learning algorithms does your product use?
There is an age-old quote that says, “When all you have is a hammer, all problems look like a nail.” Rather than relying on one tool, having a rich AI tool kit that blends supervised and unsupervised machine learning models with deep learning technology provides broader coverage, detection speed, and security efficiency.
How many machine learning algorithms does your product have, and how are they categorized? How frequently do you update them and release new algorithms?
You want an AI vendor that provides broad coverage for attacker behaviors (e.g., C&C, reconnaissance, lateral movement, exfiltration) and depth of coverage for each behavior. This enables you to change the rule that security needs to work perfectly 100% of the time and cyberattackers just need to succeed once. AI with several algorithms across a broad set of attacker behaviors forces the attacker to be perfectly hidden at all times.
How long until machine learning algorithms can trigger detections in a new environment? How many algorithms require a learning period, and how long does that take?
You should expect immediate answers from your AI vendor. Not all machine learning requires an extended period of time to learn and provide answers. If all algorithms require an extended learning period, it is an indicator of unsupervised learning only, which only detects anomalies and will produce a higher volume of alerts that will require manual triage. By leveraging the appropriate forms of machine learning models for attack behavior detection, you will receive both immediate results as well as better signal to noise which will do the most to reduce the workload for your security operations team.
How does your product prioritize critical and high-risk hosts that require immediate attention from an analyst?
Deciding on where to focus an analyst's time and how to respond requires an understanding of the assets impacted and the risk to your business. You want your vendor’s solution to prioritize risk level of hosts, including workloads, servers, and IoT. This ensures that analysts are responding to the highest risks first to reduce the total cost and risk of a breach.
Does your product integrate seamlessly into existing detection, alerting, and incident response workflow?
You already have incident response processes that includes people, process, and technology. AI should integrate with your incident response process rather than work in an isolated silo. The intelligence from AI products should provide the starting point for further investigation within existing tools and make your entire security infrastructure smarter, improving the efficiency of your existing investment.
What firewall, endpoint security or NAC integration does your product provide to block or contain detected attacks? How does your product integrate with these platforms?
Not every attack is the same and not every response should be the same either. An AI platform should provide intelligence to existing infrastructure to reduce the time to respond. More importantly, you should expect the product to enable the correct response.
You should expect integration to be simple and straightforward, or it will most likely not happen, defeating any benefits due to a complex deployment. Integration can occur through APIs, outbound events or automation platforms that provide standardization between products.
What is the workload reduction your product provides for security analysts? What kind of efficiency increase can be expected?
You should expect AI to augment human analysts, making them smarter and more efficient at their job. This means reducing the workload so an analyst focuses on the events that matter most. Part of that means providing human readable output from machine learning algorithm detections, including guidance on what a detection means and what next steps an analyst should take to verify and respond.
If the output of the product is complex, and if it increases the manual load on the analyst because it requires more work to decipher and investigate, then it really isn’t artificial intelligence.
Does your product support running red team exercises to prove the value of machine learning algorithms and AI in real-world scenarios? Will you pay for the red team if your product doesn’t detect anything?
You should always test detection tools in real-world scenarios to ensure they really work when it really needs to.
Any detection product should understand all the tricks used by an attacker, thus understanding how real attacks work. If, in a live exercise, the detection technology fails to spot the attacker’s behavior as it happens, how useful is it? Shouldn’t the vendor be responsible for the costs of testing their own product if it turns out be snake oil? If the vendor is confident, this type of guarantee will not be a problem.
Do you recommend that human analysts have remote access to the product during the evaluation? Why?
Vendors like to collect metadata from customers for long term tuning of their technology. This metadata provides the vendor a great feedback loop. However, some vendors have been known to use human analysts during product evaluation to perform manual threat hunting and analysis. Their goal is to ensure you receive a report that demonstrates product value, but shouldn’t the AI work on its own? What happens when the analyst is gone after the product is deployed? The goal of AI should be workload reduction and increased efficiency to reduce the time to detect and respond to cyberattacks, not a remote analyst employed by the vendor to make the evaluation look great.