When AI Gets Involved in Security

I think more and more we'll see some really cool things happening with the integration of machine smarts into the flow of work and operations. There is real leverage to be had from an always-on watchful eye on our systems. Things can start to be detected while they are happening: unwanted access, breaches, runaway code, and so on.

By looking at what “normal” is on our systems, at a very detailed level, and then working to compare operations to “normal” operations, we can start to be much more proactive in responding to (today) and preventing (tomorrow) unwanted or unexpected activity.

What in the world am I talking about? Azure SQL Database Threat Detection, of course. This is a very big deal. Not even because of what it does today. Rather, it's a huge step forward toward having our systems look after themselves. Sure, it's a little "Space Odyssey" type thing, but we're not talking about HAL type operations here.

No matter how unique our applications and environments are, it's nearly impossible for them not to fall into a "normalcy" of operation: things that are expected, done in a specific way, at specific times, by specific accounts. Those patterns are valuable insight when looking for unexpected operations or activity. If we never normally update more than one payroll row at a time, and all of a sudden a large update completes (for example), perhaps some bells and whistles can make some noise. Alert someone. Let them know something is not right. Or at least potentially not right. The flip side is that the baseline has to learn the legitimate exceptions too, or the month-end payroll run that touches every row will page someone every month.
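As an added example (not code from the original post, and not Azure SQL Database Threat Detection's own detection logic, which the post does not describe), here is the "learn what normal looks like, then flag what deviates from it" idea run over a constructed audit trail. It also flags the UPDATE-with-no-WHERE case from the end of the post. The audit records, the principal and table names, and the thresholds MIN_SAMPLES and FACTOR are all assumptions made for the example.

```python
"""Baseline-and-deviate check over a database audit trail.

Added example. Learns, per (principal, table, operation), how many rows a
statement normally touches, then flags statements that blow past that
baseline or that UPDATE/DELETE without a WHERE clause. Every audit record
below is constructed sample data, not output from a real system.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    ts: str          # timestamp, illustrative only
    principal: str   # database login that ran the statement
    table: str       # object the statement targeted
    op: str          # INSERT / UPDATE / DELETE
    statement: str   # statement text as captured by auditing
    rows: int        # rows affected


# Constructed "normal" window: the payroll app touches one Payroll row at a
# time during the day and writes a small AuditLog batch each evening.
BASELINE_EVENTS = [
    AuditEvent(f"2016-03-0{d}T09:{m:02d}", "payroll_app", "Payroll", "UPDATE",
               "UPDATE Payroll SET Salary = @s WHERE EmployeeId = @e", 1)
    for d in range(1, 6) for m in (5, 17, 42)
] + [
    AuditEvent(f"2016-03-0{d}T18:00", "payroll_app", "AuditLog", "INSERT",
               "INSERT INTO AuditLog (EventId, Detail) "
               "SELECT EventId, Detail FROM #batch", n)
    for d, n in zip(range(1, 6), (8, 11, 9, 12, 10))
]

# Constructed "suspect" window to score against that baseline.
INCOMING_EVENTS = [
    AuditEvent("2016-03-08T09:05", "payroll_app", "Payroll", "UPDATE",
               "UPDATE Payroll SET Salary = @s WHERE EmployeeId = @e", 1),
    AuditEvent("2016-03-08T09:06", "payroll_app", "Payroll", "UPDATE",
               "UPDATE Payroll SET Salary = Salary * 1.5", 4200),
    AuditEvent("2016-03-08T09:07", "svc_reporting", "Payroll", "DELETE",
               "DELETE FROM Payroll WHERE EmployeeId = 17", 1),
    AuditEvent("2016-03-08T18:00", "payroll_app", "AuditLog", "INSERT",
               "INSERT INTO AuditLog (EventId, Detail) "
               "SELECT EventId, Detail FROM #batch", 13),
]

MIN_SAMPLES = 5   # assumed: don't trust a baseline built from fewer observations
FACTOR = 5        # assumed: rows beyond FACTOR x the observed peak are anomalous
DML_NEEDING_WHERE = re.compile(r"^\s*(UPDATE|DELETE)\b", re.IGNORECASE)


def build_profile(events):
    """Map (principal, table, op) -> (sample count, peak rows affected)."""
    profile = {}
    for e in events:
        key = (e.principal, e.table, e.op)
        count, peak = profile.get(key, (0, 0))
        profile[key] = (count + 1, max(peak, e.rows))
    return profile


def missing_where(statement):
    """Crude textual check: an UPDATE/DELETE with no WHERE anywhere in it.

    A real implementation would parse the statement; a WHERE that only
    appears inside a subquery or a string literal fools this version.
    """
    return (DML_NEEDING_WHERE.match(statement) is not None
            and re.search(r"\bWHERE\b", statement, re.IGNORECASE) is None)


def evaluate(event, profile):
    """Return a list of human-readable findings; empty means 'looks normal'."""
    findings = []
    if missing_where(event.statement):
        findings.append("UPDATE/DELETE with no WHERE clause")
    key = (event.principal, event.table, event.op)
    count, peak = profile.get(key, (0, 0))
    if count < MIN_SAMPLES:
        findings.append(f"no established baseline for {key}")
    elif event.rows > FACTOR * peak:
        findings.append(f"{event.rows} rows affected; baseline peak is {peak}")
    return findings


def scan(events, profile):
    """Events that produced at least one finding, paired with their findings."""
    flagged = []
    for e in events:
        findings = evaluate(e, profile)
        if findings:
            flagged.append((e, findings))
    return flagged


if __name__ == "__main__":
    profile = build_profile(BASELINE_EVENTS)
    for event, findings in scan(INCOMING_EVENTS, profile):
        print(f"{event.ts} {event.principal} {event.op} {event.table}: "
              + "; ".join(findings))
```

Run as-is it reports two of the four incoming events: the mass salary update (both the missing WHERE and the row count trip it) and the delete by a principal with no history on that table. The routine one-row update and the slightly larger evening AuditLog batch stay quiet, which is the point of keying the baseline on who touches what, how: the same row count is normal for one (principal, table, operation) and wildly abnormal for another.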

As we get more and more confident at recognizing issues, I think we'll see more and more proactive type work by systems too. Probably in a phased approach, but perhaps we'll start to see cases where pre- and post-data images are automagically stored when a weird operation is going on. That could give us more information about what was happening, better recovery options, and more. Things get dicey, of course, because you have to deal with subsequent updates layered on top of the suspect one, but I suspect that as our prediction and operational normalcy recognition processes get better, we'll have more confidence to press a pause button.

If you remember during the Jeopardy Watson games, Watson would evaluate the question, pick a series of answers, then try to determine the likelihood of the answers being the correct answer based on what it could understand in terms of context, knowledge, etc. This same type of thing will need to eventually happen where automated systems will be able to step in and close the proverbial door.

For now, it’s alert based. “Hey, you may have an issue over here…” and then log reviews and the like. This is excellent. Responding to an issue after the fact, especially WAY after the fact, can be bloody on the best of days. If you have an issue that has festered for a while, updates piled on top of it, all of that – it can be pretty horrible.

This alert capability is a great service, and being able to set it up in such a simple way is key. It'll be very interesting to see what issues are exposed once the tool is generally available. It'll also be cool to see what patterns of operations are learned, which show up as the biggest attack vectors, and how detection success rates hold up.

Now we just need that big red eye when you log in to your Azure console. "I'm sorry, Steve. We can't let you attempt that update. There was no WHERE clause..."