Kevin Kennedy: Applied AI is Vectra’s ‘North Star’

With more than 27 years in technology product management, and more than half of those spent in security, Vectra’s Senior Vice President of Products Kevin Kennedy has seen it all. 

Today leading the Threat Detection and Response product vision and strategy for Vectra, Kennedy launched his career in threat intel at IronPort and has also held roles at Juniper, Cisco, and Agari Data.

“At Vectra, the thing that we do best in the world and why our customers invest, is we give real-time attack signal intelligence using AI,” Kennedy told AI Magazine. “Most organisations are in a digital transformation: they are moving to the cloud, and they will be hybrid forever. We give them a consistent view of detection and response across that, and really the clarity of signal that we give is why they choose Vectra.”

As Kennedy describes, Applied AI is central to Vectra’s approach. “The company's a little over 10 years old and our technical North Star, from day one, has been using AI, and we've had to do a lot of innovation to figure out how to apply it best to this problem set.

“While there's ChatGPT, most of the AI that is used today is applied AI, so you really have to understand your domain.”

‘The Windows XP days for cloud’

“If you look at the threat landscape today, there are a few things going on,” Kennedy says. “One is that there is more of it. So if you think about the typical enterprise going through a digital transformation, they've got their data centre, public cloud identity, workers outside, and it's very difficult. 

“With things like the cloud, the understanding of how that will be attacked is really nascent. You can think all the way back to Windows XP days. We're in those days for the cloud, because we're just discovering how people will use the cloud to attack itself.”

Another issue, Kennedy explains, is the increasing accessibility of certain tools that used to be reserved for nation states.

“If you think about that threat landscape, tools that used to be reserved for nation-states are now available in tool kits that anyone can use. They're automated. On the AI front, I’ve seen some interesting things about ChatGPT, and people asking questions about how to hack. Anyone can have access to it. That's what defenders are up against.”

As Kennedy describes, solving problems with legacy tech signatures will still have a role to play, but utilising AI is key. “You're never going to solve the problem though, because we're just burning out defenders. AI is the only way to get a good signal, both in individual attack surfaces and then pulling the narrative together.

“It’s one of our guiding principles that you've got to use AI. But it's just a tool, especially in applied AI, and it's all about how you use it. The methodology for using it is what defines success versus failure from the customer outcome standpoint. So that's been our focus: it's not just AI, but how you use AI in the right ways to solve the problem.”

Pushing the envelope of data science techniques

When it comes to detecting threats with AI there are a couple of philosophies, Kennedy explains.

“We've definitely placed our bet, and we believe it gives better outcomes,” he describes. “There's one school of thought that says, ‘You learn about an environment, and you do lots of counts and metrics, and then you flag what's unusual’; the bet is that in the unusual you'll find the threat. 

“The challenges with that are that when you look at especially large enterprise environments, there's so much happening every day that lead to a lot of noise and alerts for the security teams to deal with.”

The other problem, Kennedy describes, is that attackers are good at blending in. “They're good at making themself look pretty close to normal,” he says. “So you actually miss a lot of the relevant signals.”

“So we said, ‘That doesn't really work well’. Rather than thinking about it as more of a pure data science problem, it's in reality a security problem. 

“We are constantly pushing the envelope of data science techniques. Four or five years ago, there were lots of breakthroughs around Google Translate, and the use of recurrent neural networks, and long short-term memory (LSTM) models. And we said, ‘Okay, that works really well for translation. It's actually the right technical approach for command and control tunnels’, and so we then applied that. We took the latest learnings from that domain and applied them to security, and we were the first to do that. And so we're always keeping up on data science. 

“We're always keeping up with breakthroughs in security research,” Kennedy concludes. “We have to continue doing that work, and then bringing them together to deliver the best outcomes for our customers.”