Experts say the cybersecurity problem is too vast and complex to be solved by traditional approaches alone. Artificial intelligence (AI) can offer a lifeline to organizations overwhelmed by massive volumes of information technology (IT) and OT data as they try to stay ahead of the next big threat. MeriTalk recently sat down with two cybersecurity and AI experts at NVIDIA – Bartley Richardson, director of cybersecurity engineering, and David Reber, the company’s chief security officer – to discuss how AI can help solve the thorniest cybersecurity challenges.
Previously at the Defense Advanced Research Projects Agency, Richardson applied data science and machine learning algorithms at scale to solve large cybersecurity problems, while Reber served more than a decade as a senior staff officer addressing enterprise security in the U.S. intelligence community. In our interview, they evaluate cyber readiness at Federal agencies – and how AI technologies can enable developers to build solutions that work with human cyber professionals to upgrade the collective cyber defense as we begin the new year.
MeriTalk: We’ve seen statistics that say anywhere from 50 to 80 percent of an enterprise’s data goes untapped – it’s inaccessible or unknown, and unanalyzed. What’s the real-world impact on cybersecurity of that lack of insight?
David Reber: One of the expressions I’ve always liked is that the attacker only has to be right once, but the defense has to be right every time. That’s becoming truer every day. In most breaches you find that the attacker sneaks into a little area you’re not looking at. That impact requires us to think differently. It requires the prioritization of data.
The more we can partner with cyber professionals, IT professionals, and with engineering and cloud operators, the more we can ensure that all of the data across any organization is rapidly analyzed and leveraged in defense of our joint networks.
MeriTalk: As we look at tech priorities for 2023, what is needed to change that situation – that lack of insight and its impact on cybersecurity – for Federal agencies specifically?
Bartley Richardson: People are realizing that we’re not going to hire our way out of the gaps in the cyber workforce, especially in the Federal government. We need other solutions – and AI is one of them. When people hear AI and cybersecurity, their immediate thought goes to analytics – I want to find a bad guy doing bad things. But AI really addresses the entire pipeline of the problem, from data collection, data transport and data storage, to data validation.
We tend to think of cyber as being its own entity, but it’s still a data problem. Viewed from a data lens, the problem is way too large and sprawling for any one organization to devise a 100 percent, end-to-end solution. That means we need more open platforms, more open architectures, and we need to start breaking down the silos and compartmentalization of tools and tradecraft. And we can address the problem using tools that we’re using in next-generation architectures for data centers. That means the introduction of accelerated computing and AI to address this at the scale and speed required.
MeriTalk: You mentioned that you can’t hire your way out of this problem. How can we put cybersecurity professionals to work in a way that has the most impact on cyber defense?
Reber: The human analyst can no longer effectively defend against the most sophisticated attacks because the speed and complexity of attacks and defense have exceeded human capacities. AI can help the human analyst be smarter, faster – get them the information they need to help render a decision when the human brain is required.
We should also reassess how we use different types of professionals, with different skillsets, to help with cyber defense. The traditional cybersecurity professionals are penetration testers or hackers, or they’ve been doing cyber defense for decades. We need to partner them with data scientists who know how to create solutions that leverage AI to analyze everything that’s happening across our networks and elevate the most important facts over all the noise. I hope that as AI grows in cybersecurity, humans are used a lot less in grinding, specific roles – like running playbooks. You can automate all of that.
We also need to figure out how to share the most important facts so that humans can work in collective defense with one another, within their organizations and within their larger ecosystem.
MeriTalk: So, we can use AI and other emerging technologies to help make sense of the data and then figure out how to share it?
Richardson: Yes. We have to let AI do what it’s really good at. Let’s be honest: Humans are not equipped to manually sift through and make sense of massive amounts of data. We make all kinds of mistakes. So, let’s feed that data to something that is really good at processing it so we can free ourselves up to do much more critical thinking and forward-thinking tasks.
MeriTalk: How do you recommend organizations get started with AI in cybersecurity, and how can we help them get better equipped to fully utilize AI’s benefits?
Richardson: It will always be a multi-pronged approach. One especially important part is involving the whole team from the beginning. We still tend to have the data scientists and the security professionals working in silos, and they toss things over the wall to each other. It’s like the world’s worst game of badminton. It’s much better to take a common, one-team approach. Also, you have to be extremely honest about the capabilities of AI, what the expectations are, and where there is room for improvement. There has been a history of overpromise, underdeliver when it comes to AI, especially in cybersecurity. We are changing that.
Reber: It’s also important to recognize that cybersecurity is a layered defense problem, and AI is one part of that defense. Many times, organizations haven’t done the basics of cybersecurity, such as asset management, yet they want to buy a box and fill those gaps with the magic of AI. And people think, ‘Well, I can trust AI as my single line of defense.’ That’s unrealistic. With defense in depth, however, I can layer on AI technologies to create automations that fill some of those voids.
MeriTalk: Federal agencies need real-time threat detection at scale, and they need it now. Government agencies also generate terabytes of data every day. Is it really possible to access all of that data and do rapid data analysis at scale?
Richardson: Absolutely. I think a commonly held fallacy is that you have to collect, store, catalog, index all of that data and share it back to a centralized location. NVIDIA Morpheus is designed exactly for this problem. It’s a cybersecurity AI framework that is not only open source and free, but via APIs it leverages all of the possible compute resources in your modern data center for real-time performance at scale. That includes GPUs, CPUs, and ARM processors. And it’s designed to run anywhere, so it can run at the edge, at the gateway level, and centrally. The design is very flexible and can make use of whatever compute is there, while also being completely asynchronized. You can put models and detection capabilities directly at the edge, so you’re not moving terabytes of data across your network. Instead, you’re capturing a model that represents all of your data.
MeriTalk: Let’s switch gears a little bit and talk about zero trust, which will continue to be top of mind for agency IT staffs in 2023. How does data analysis play into zero trust?
Reber: Zero trust is nothing more than making sure you have strong identities, that you authenticate them on the greatest number of attributes possible within your enterprise, and you continuously validate that asset. One of the analogies I like to look at is the evolution of the credit card industry. Back in the ’90s, when you traveled you had to call your credit card company in advance so your credit card didn’t get denied. Now, I don’t have to call them because more data is available. They can look at my patterns, my history, and determine the probability of me swiping in at Dulles airport, then in San Francisco five and a half hours later. It’s very possible. And they make those decisions in real time.
In Federal agency zero trust efforts, this type of scenario plays out in the form of automated data collection of user behavior, which forms a real-time base of information that can be analyzed and acted upon. It replaces repeated identity verification requests, reducing the fatigue that users feel when they are asked to authenticate over and over again. Morpheus and other AI frameworks allow agencies to set parameters for using available data and build in multiple variables for context clues, and then over time humans can assess and tweak the model.
MeriTalk: For example, if someone got booted off the network, they would presumably make a call to the help desk and explain what they needed to do, where they were physically located, and what machine they were using, and then the human would determine whether that was okay. And that information would inform the next update to the AI model?
Reber: Yes. Here’s an example: We see GeoIP improbable logins – could this person be logged on in D.C. and in Europe at the same time? Right now, on the Internet, that could happen. Over time, as we start seeing use cases like this pop up, we’re adding this information, which makes a better model and a better prediction analysis for rendering user authentication decisions.
MeriTalk: We talked a bit about Morpheus, and I’m curious about the name. In Greco-Roman mythology, Morpheus is the God of Dreams; he’s also a character in the comic book series The Sandman, and of course we know Morpheus as a character in the Matrix movies. What was your inspiration for the Morpheus name?
Reber: It’s based on the God of Dreams. In the mythology, Morpheus will help you see the future. In other cultures, they’ll talk about how those with Morpheus can sleep soundly. So being able to predict a breach before it happens – and finally giving security people some rest.
Richardson: We also just thought it sounded cool.
Reber: Yeah, it sounds cool, too.
MeriTalk: What specific aspects of cybersecurity is Morpheus designed to address?
Richardson: It’s not what I would consider a traditional solution. It’s an open SDK that can also be used as an API, so what you do with it is really up to your imagination. There are a lot of use cases, including some that we have proven ourselves to demonstrate what can be realized today, right now. One of the big use cases you may have heard of is digital fingerprinting to detect cyber threats, and that factors into zero trust for us. Digital fingerprinting is all about creating a very specific, highly nuanced model of every individual on an enterprise network. With digital fingerprinting, we’re not looking for someone deploying ransomware or doing other types of attacks. We’re differentiating between patterns and anti-patterns. We create patterns – or models – for every user on a network, so we can identify activity that doesn’t align with the user’s typical patterns. At NVIDIA, more than 20,000 of these patterns are created and updated in real time.
We’ve made digital fingerprinting available as a workflow via our NVIDIA AI Enterprise software offering in NVIDIA NGC, so developers can use it as a reference to quickly get started in implementing this solution. We also enable them to see the code and pull it apart. I think digital fingerprinting is a great example of the benefits Morpheus can bring to an enterprise because it speaks to the scale. However, this is just one example – the use cases that Morpheus can enable are almost limitless. Some examples we have made available on GitHub include sensitive information detection, phishing detection, and ransomware detection, for example.
MeriTalk: Looking ahead to the NVIDIA GTC in March, can you give us a preview of the event and what will be of most interest to Federal cyber and data professionals?
Reber: With our GTCs, we want to share our knowledge, our expertise, and our innovations. I tell people to look beyond the cyber use cases. Go look at what we’re doing with autonomous vehicles, look at what’s going on around natural language processing, because at the end of the day, cyber is in every industry. See how AI is being applied and how it could potentially help defend those industries. Take a broader view. There is a ton of learning that can happen, so I encourage everyone to just dive in.