Marlon Ortiz


Not too long ago it was possible for a security engineer, drawing on his or her knowledge and expertise, to manually review logs and monitor network traffic to identify anomalous patterns that might indicate a threat or a breach of the information security infrastructure. Since then, the volume of security logs and network traffic has grown far faster than the teams that review it. In addition, threats are now more sophisticated, to the point where it is neither possible nor cost-effective to dedicate manpower to these tasks alone.

Over time, security tools that help with these tasks have been developed in an attempt to keep up with the ever-changing security landscape. First we had log aggregation and event analyzer tools, followed by security information and event management (SIEM) systems, signature-based detection applications, heuristic-based scanning, sandboxing environments, and the list goes on. All were designed with the goal of freeing our time from the mundane tasks of reviewing logs and monitoring traffic so we could focus instead on continuous improvement of our defense in depth.

Lately we have been hearing about a new class of tools based on Artificial Intelligence (AI). Some of these technologies are machine learning algorithms, intelligent agent programs, neural networks, natural language processing, computer vision, speech recognition, autonomous robotics, and so on. The hope is that these technologies help us become more efficient, productive and creative in our daily interactions with the world.

In this short article, I will focus on a specific set of security tools called Intelligent Agent Programs. They are the newest tools we need to add to our bag of tricks, and they will help us improve our situational awareness of our Information Technology infrastructures.

First, let us try to understand how these tools work. The core components are the Machine Learning Algorithms. Their goal is to build a statistical model from a large, properly conditioned dataset, so that the application can then score new inputs and make decisions aligned with a desired outcome, such as "is this program malicious?"

Let’s try to visualize one technique these tools use. Let’s say we need to develop a software program that is going to identify all photos of cats from the National Geographic image collection. Now let’s make it a bit more complicated by not using the labels on these images – we’re just using the image itself.

So how do we accomplish this? First, we need an algorithm that creates a mathematical model of a cat; this is the baseline model we will compare against. To build it, we need to compile a large dataset of cat pictures, which is the input to our algorithm. Note that although the images we later query are unlabelled, the training set itself must be curated: every picture in it is known to be a cat. The machine processes these images and creates an aggregated representation of a virtual cat. The larger and more varied the input dataset, the better our mathematical model approximates a real cat. In other words, it "learns" what a cat should look like.

The next step is to test the accuracy of the algorithm by feeding the application a separate set of images it did not see during training and reviewing the results. The application should discard images that do not represent a cat, such as an ostrich or a turtle. It may also flag an image of a tiger with less certainty, but still within the realm of possibility of passing for a cat. Since tigers share many physical characteristics with cats, we can use those results to create a tiger category, separate from cats, so that the application can then recognize a tiger as well.


Obviously, this is a very simplistic example, but it illustrates some important concepts of the process. First, this type of machine learning software requires a large, properly conditioned input dataset in order to recognize a pattern well. Second, the algorithms require progressive enhancement. In our example, we would tweak the algorithm so the program can better separate Abyssinian cats from Balinese cats, or segregate cats by size, color, weight, and so on. Third, and this is the important concept, the model of our virtual cat should still help us when we search for exceptions: images that are not quite a cat but share enough of a cat's attributes to score a high probability of being one. We want the reference model to be close enough that it can match any feline species, such as a tiger or lion.

For more context, let us move away from the cat example and talk about a malicious threat. What if there is a malicious program that shares several attributes with an already recognized malicious program but also has features we have not seen before, such as a new variant or a zero-day exploit, features that were never fed into the machine during the learning process? We want to teach the application to recognize anything resembling a malicious program, not only exact matches. Therefore, it is important that the application flags the questionable program with a relatively high probability of being malicious, despite its unidentified attributes, so that it can be further evaluated by the security team. The threshold at which it flags is a tuning decision: set it too high and novel variants slip through; set it too low and the team drowns in false positives.

Now, with these concepts in hand, we should be able to understand where to deploy an intelligent agent, while recognizing the innate strengths and weaknesses of these tools. Ideally, these solutions should be implemented in areas that require real-time monitoring and decision making over large volumes of events: transactional information, real-time decision systems, network traffic, and so on. Any place where it is not effective to have dedicated human resources is a potential candidate. What are the benefits of purchasing an intelligent agent product? First, out-of-the-box solutions already ship with a library that can immediately identify known threats (cats) and are capable of analyzing traffic to determine which events share common characteristics with known threats (other felines), adding those to the existing model. In other words, the solution keeps learning and improving its accuracy over time.
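To make the "virtual cat" prototype, the flagging of a novel variant for review, and the add-to-the-model behaviour concrete, here is an added worked example; it is not code from the original article or from any vendor product. It builds one prototype per class from boolean program attributes, scores a new sample by cosine similarity to each prototype, routes anything that resembles known malware but carries unseen attributes to human review, and admits it has nothing to say when every attribute is unseen. The attribute names, training sets and probe programs are all constructed for illustration, and the learn method models the progressive enhancement step.

```python
"""Prototype ("virtual cat") classifier over boolean program attributes.

Added example, not code from the original article. The attribute names, the
two training sets and the probe programs below are constructed for
illustration; a real deployment would extract such attributes from sandbox
or EDR telemetry.
"""
import math
from collections import Counter


class PrototypeClassifier:
    """Aggregate labelled examples into one prototype per class (the "virtual
    cat") and score new samples by how closely they resemble each prototype."""

    def __init__(self, review_threshold=0.5, block_threshold=0.85):
        self.review_threshold = review_threshold  # resembles malware: send to the team
        self.block_threshold = block_threshold    # near-identical to known malware
        self.malicious = []
        self.benign = []

    def fit(self, malicious, benign):
        self.malicious = [set(s) for s in malicious]
        self.benign = [set(s) for s in benign]
        return self

    @property
    def vocabulary(self):
        """Every attribute the model has ever seen, in either class."""
        return set().union(*self.malicious, *self.benign)

    @staticmethod
    def _prototype(samples):
        """For each attribute, the fraction of the class's samples that show it."""
        counts = Counter(a for s in samples for a in s)
        return {a: c / len(samples) for a, c in counts.items()}

    @staticmethod
    def _cosine(attributes, prototype):
        """Cosine similarity between a binary attribute set and a weighted prototype."""
        dot = sum(prototype.get(a, 0.0) for a in attributes)
        norm = math.sqrt(len(attributes)) * math.sqrt(sum(w * w for w in prototype.values()))
        return dot / norm if norm else 0.0

    def classify(self, sample):
        """Return a verdict, both similarity scores, and the attributes never seen before."""
        sample = set(sample)
        known = sample & self.vocabulary
        novel = sample - self.vocabulary
        if not known:
            # The "dog" case: nothing to compare against, so the model cannot help.
            s_mal = s_ben = 0.0
            verdict = "unknown"
        else:
            s_mal = self._cosine(known, self._prototype(self.malicious))
            s_ben = self._cosine(known, self._prototype(self.benign))
            if s_mal > s_ben and s_mal >= self.block_threshold:
                verdict = "malicious"
            elif s_mal > s_ben and s_mal >= self.review_threshold:
                verdict = "review"  # resembles malware despite unidentified attributes
            else:
                verdict = "benign"
        return {
            "verdict": verdict,
            "malicious_score": round(s_mal, 3),
            "benign_score": round(s_ben, 3),
            "novel_attributes": sorted(novel),
        }

    def learn(self, sample, label):
        """Progressive enhancement: fold an analyst-confirmed sample back into the
        model so its previously novel attributes enter the vocabulary."""
        (self.malicious if label == "malicious" else self.benign).append(set(sample))
        return self


# Constructed training data: behaviours observed in a sandbox run (illustrative names).
KNOWN_MALICIOUS = [
    {"persists_via_run_key", "contacts_dga_domain", "disables_av", "encrypts_user_files"},
    {"persists_via_run_key", "contacts_dga_domain", "injects_into_explorer", "encrypts_user_files"},
    {"persists_via_scheduled_task", "contacts_dga_domain", "disables_av", "deletes_shadow_copies"},
    {"persists_via_run_key", "injects_into_explorer", "deletes_shadow_copies", "encrypts_user_files"},
]
KNOWN_BENIGN = [
    {"reads_config_file", "writes_log_file", "contacts_vendor_domain"},
    {"reads_config_file", "writes_log_file", "persists_via_run_key"},
    {"writes_log_file", "contacts_vendor_domain", "checks_for_updates"},
]

# Constructed probes: a near-copy of known malware, a variant with one unseen attribute,
# a benign updater, and something the model has no vocabulary for at all.
PROBES = {
    "known_pattern": {"persists_via_run_key", "contacts_dga_domain", "disables_av", "encrypts_user_files"},
    "novel_variant": {"persists_via_run_key", "contacts_dga_domain", "encrypts_user_files", "exfiltrates_via_dns_tunnel"},
    "benign_updater": {"reads_config_file", "writes_log_file", "contacts_vendor_domain", "signed_by_vendor"},
    "entirely_new": {"mines_cryptocurrency", "opens_reverse_shell"},
}


def triage(probes=PROBES):
    """Classify every probe with a model trained on the constructed data."""
    clf = PrototypeClassifier().fit(KNOWN_MALICIOUS, KNOWN_BENIGN)
    return {name: clf.classify(attrs) for name, attrs in probes.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name:15} {result}")
```

Running it, the near-copy scores about 0.87 against the malicious prototype and is blocked outright; the variant scores about 0.82, below the block threshold because one of its attributes is unseen, so it lands in the review queue with that attribute listed for the analyst; the updater sits with the benign prototype; and the cryptominer with a reverse shell comes back "unknown", which is exactly the "dogs exist too" weakness described later. Once an analyst confirms the variant and it is fed back through learn, the DNS tunnelling attribute joins the vocabulary and later samples carrying it are no longer reported as novel.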

What are the weaknesses? The easiest to point out is the quality of the algorithms. Vendors do not share their intellectual property (IP), so there is no peer review to determine how good the tools we purchase really are; the practical check is to evaluate a product against your own traffic and a known sample set, measuring its false positive and false negative rates, before you buy. The other weakness is the narrowness of the intelligence. Eventually these tools will be exposed to new threats they have not experienced, the equivalent of not being aware that dogs exist in addition to cats. In that case, the learning process starts from scratch to understand a totally new threat. Finally, and this applies to any Artificial Intelligence technology, we have not figured out how to program common sense in the face of unknowns, or how to anticipate every possible event in order to make human-quality decisions.

Overall, it is important to have more than one tool protecting our environments. Intelligent agent tools are no more than another layer we need to seriously consider implementing in our never-ending quest to improve our security posture.

Marlon Ortiz, Information Technology Professional. Creative professional with 20+ years of information technology knowledge in the gaming and hospitality industry. Highly skilled in information security, project management and planning, with a strong background in data management, security, analytics and technical strategy. A proven leader who understands that the value of IT lies in delivering solutions to complex business problems within the Gaming and Hospitality Industry. A leadership style that emphasizes the development of people, processes and tools to achieve specific strategic business goals. Focused on connecting IT to other departments within the corporation and delivering effective solutions for business costs and operations. An executive who excels in a fast-paced organization and is ready to take on the challenges that come with that environment. Marlon possesses a Master's in Cybersecurity and Information Assurance from The Pennsylvania State University. He previously held high-level IT management positions at American Casino and Entertainment Properties, the Morongo Casino Resort & Spa, Harrah's Entertainment and Aztar Corporation.