This image was generated with the assistance of AI.
Welcome to the first instalment of this blog series, where we will be sharing our thoughts on the landscape where Cybersecurity and AI converge.
The advent of Generative AI has brought new attention to AI and unleashed a tidal wave of innovation across various areas, with cybersecurity being no exception. One critical domain in this field is that of defensive platforms employed by Security Operation Centres (SOCs). These platforms play a pivotal role in continuously monitoring, detecting, and responding to cyber threats, thereby protecting organizations against evolving risks.
In recent years, industries reliant on machine-machine networks – ranging from renewable energy infrastructures to automotive manufacturing facilities – have started facing a relentless onslaught of cyber-attacks. This escalation, both in frequency and sophistication, underlines the need for robust, automated defence mechanisms to bolster SOC capabilities and safeguard the companies’ infrastructure and production.
Now, let's look a bit deeper into some fundamental vectors through which AI may revolutionise the cybersecurity landscape in the coming years.
Automatic threat and attack detection are fundamental components of any robust defensive system. Traditionally, detection mechanisms have relied on signature-based approaches, which identify known malicious patterns such as blacklisted IP addresses or network scans. Moving on from these methods, the next step is Behaviour Analytics—a broader approach aiming at modelling the typical behaviour of system components, such as machines or human hosts within a network. By identifying statistically significant deviations from standard behaviour, Behaviour Analytics can flag anomalies, indicative of potential cyber threats, such as the presence of new components or the onset of malicious intent.
While statistical and machine learning techniques have been integral to Behaviour Analytics mechanisms, they often suffer from limitations. These detection systems can and do generate an overwhelming number of false positive alarms, overwhelming human operators and potentially causing genuine alerts to go unnoticed. Additionally, they often lack adaptability, becoming too tied to specific attack patterns by, for example, relying on supervised learning, training contexts or even communication details, such as specific networking protocol details, rendering them much less effective in dynamic environments.
The advent of modern AI models presents an opportunity to overcome these challenges. Advanced deep learning architectures offer efficient ways to encode complex networks and their behaviour more accurately, promising improvements in both true positive and false positive rates. Large language models (LLMs) excel at parsing diverse communication channels and protocols, facilitating the generalization of information into a unified framework. Pre-trained LLMs are particularly adept at synthesizing information from various sources and event types, enabling the assessment of combined events’ evidence relevance. Moreover, these models can be specialised for specific tasks and contexts using techniques such as prompt engineering, retrieval-augmented-generation, or model fine-tuning, enhancing their adaptability and effectiveness in real-world scenarios.
Explainability is key in cybersecurity, especially as attacks grow in complexity. A threat flagged by a sophisticated machine learning algorithm within a Behaviour Analytics framework, is an event with an high anomaly numerical score, signalling a potential security incident. However, cybersecurity operators often find themselves struggling to understand the context, lacking further insights into the rationale behind the score relative to a given threshold.
The cybersecurity analysis and response process often starts here. It's crucial to delve deeper into why the event was labelled as a security incident and which features contributed most significantly to its decision. Understanding these factors is essential not only for identifying potential threats and suspicious patterns, but also for placing the behaviour in a broader context. The detection event as a pivotal point enables the operator, or an AI system, to reconstruct the attacker's steps leading to the incident, such as lateral movement within the network, as well as subsequent actions post-incident, such as data exfiltration.
Armed with this comprehensive information, AI systems can correlate events, discern attack patterns, pinpoint vulnerabilities, and offer suggestions for security improvement. By supplying Generative AI with this wealth of data, the operator can pose precise questions and even replay the attack sequences to the network. This capability adds tremendous value to a Security Operation Centre (SOC), empowering it to transcend merely flagging security events and incidents to elucidating the underlying reasons behind them.
The topics above leverage modern AI to automate the processes of precise detection and explanation of threats and attacks within networks. However, effective interaction between defensive cybersecurity systems and humans remains indispensable. This is where AI Assistants, also known as Copilots, come into play.
While early iterations of interaction technology, like chatbots, have been around for some time, the advent of LLM-powered Generative AI bots, such as ChatGPT, marks a significant advancement. These tools, when engineered for cybersecurity demands, offer a wide range of capabilities to analysts and SOC operators, such as conversational data querying, allowing them to interact with data in a natural language format. Additionally, LLMs excel at summarizing incidents from vast amounts of information, correlating data from multiple sources to provide a comprehensive understanding of threats, and conducting on-demand analysis with seamless integration of external data sources. Furthermore, they can suggest pre-emptive measures and guide responses in real-time, enhancing the overall efficiency and effectiveness of cybersecurity operations.
Such AI assistants are designed to provide user-friendly experiences by understanding the context of the cybersecurity environment, while prioritising data security. By catering to diverse use cases and offering intuitive interfaces within cybersecurity platforms, these assistants significantly enhance the capabilities of analysts and SOC operators, ultimately bolstering the organization’s cybersecurity posture.
Naturally, these trends are not the only relevant development vectors in AI for Cybersecurity, and they must be weighted with topics such as the paramount necessity for data security and privacy, how automated AI responses to attacks should be, or even the ongoing automation and usage of AI by cyber attackers. These are all topics I may come back in future posts.
We believe that the above trends, incident detection automation, threat and attack explainability and efficient human interaction, are such important trends that they have served as guiding principles for the design and development of Sentryonics, our platform aimed at defending networks from cyberattacks.
Get in touch with us to know more.