The Evolving Role of AI and How to Leverage its True Potential
Artificial Intelligence (AI) and Machine Learning (ML) have been integral components of cybersecurity solutions for over two decades, primarily in threat detection products like EDR (Endpoint Detection and Response), UEBA (User and Entity Behavior Analytics), and SIEM (Security Information and Event Management). These technologies have been adept at identifying patterns indicative of malicious behavior. However, the public’s awareness of AI, particularly generative AI, surged in 2023, introducing new considerations about AI’s role in solving cybersecurity challenges and the threats it might pose.
The Evolving Role of AI in Cybersecurity
Generative AI, exemplified by products like ChatGPT from OpenAI, brings a fresh perspective on how AI can be used to understand the environments organizations defend and streamline collaboration during daily security operations. This evolution empowers defenders by augmenting their capabilities.
However, with these advancements comes the critical need for organizations to integrate AI safely and securely into their corporate environments and protective products. While many cybersecurity vendors claim to leverage AI, few can clearly articulate how they use it to address new challenges safely and responsibly.
Moving from Detection to Prevention
A fundamental shift in cybersecurity involves applying AI to prevention rather than just detection. Understanding your operating environment is crucial for assessing and managing risk. AI can help achieve this by modeling environments, assessing attack surfaces, and even simulating defender behavior, thereby closing gaps and preventing threats before they materialize.
For example, AI can:
- Identify critical assets not properly cataloged in CMDB (Configuration Management Database) or other repositories.
- Build models to assess whether an alert is a benign or true positive.
- Model defender behavior to pinpoint improvement opportunities and automate ripe processes.
When evaluating vendors claiming AI expertise, it’s essential to ask how they use AI – not only to detect – but also to prevent threats and enhance your overall security posture.
Facilitating SecOps Collaboration with AI
Large Language Models (LLMs) have the potential to transform team communication and collaboration in security operations. Access to the right information at the right time is crucial for effective security operations. Traditionally, this has been challenging, especially for organizations using MSSPs (Managed Security Service Providers) and MDR (Managed Detection and Response) providers. While information is available through portals or ticketing systems, there’s often no mechanism for real-time follow-up questions and feedback.
LLMs can address this challenge by enabling chatbots to generate insights from natural language questions, previously answerable only by humans. When combined with models that understand the environment, these AI systems can answer both generic and highly localized questions. For instance, a generic LLM might offer best practices for data ingestion costs, but a localized LLM could provide specific, actionable recommendations tailored to an organization’s data usage.
Enhancing chatbots with LLMs is just one application of this technology. LLMs can streamline various communication aspects during security operations, including incident summarizations, threat hunt outcomes, and security posture recommendations. Traditionally, generating such documentation is manual, time-consuming, and error-prone. AI can automate much of this work, producing summaries in seconds for security operators to proofread and validate.
When considering vendors with AI-based chatbots, inquire about how they tailor the AI’s output to your organization, and how they leverage AI to enhance collaboration and communication across their products and services.
Making Human Intelligence More Effective
Many cybersecurity vendors use ML to detect attack patterns, resulting in numerous alerts sent to security teams without prioritization. This approach can overwhelm already understaffed and under-resourced teams. Effective cybersecurity vendors should help focus efforts by distinguishing and prioritizing genuine threats and identifying vulnerabilities that could negatively impact the organization if not addressed—a concept known as incident conviction.
Organizations should leverage AI to distinguish true positive alerts from false positives more effectively – driving faster incident resolution and reducing customer escalations, and saving valuable time for security teams.
Supercharging Defenders with AI
In a landscape where cybercriminals increasingly use AI, it’s vital to make AI a core component of your security defense strategy. Elite hackers view AI as a tool to augment their abilities, enhancing problem-solving skills and providing a competitive edge. Likewise, AI can supercharge defenders’ capabilities.
Partner with defenders who proactively use AI against real threats. Before committing to a vendor, ensure they can demonstrate how they apply AI to create security efficiencies and protections. Ask for specific results delivered for clients, such as saving work hours for security operations center teams or reducing response times. Additionally, verify their measures to implement AI securely and responsibly.
AI is not a silver bullet for managed security. It must be combined with human expertise to be effective, accurate, and relevant. Clients often express concerns about AI making mistakes. Keeping a human in the loop allows experts to fact-check AI-driven decisions and refine AI models, ensuring they don’t repeat errors. This collaboration ensures AI serves as a valuable tool for defenders, complementing rather than replacing human judgment.
AI is poised to revolutionize cybersecurity. Integrating AI into an organization’s cybersecurity strategy is not just an option anymore. It’s essential for building a robust security posture in today’s increasingly AI enabled threat landscape. As AI continues to evolve, its ability to enhance both preventive and collaborative measures will be crucial in staying ahead of the evolving cyber threat.
