In the world of cybersecurity, speed kills. In less than 20 minutes, a skilled adversary can break into an organization’s network and start exfiltrating critical data assets, and as the volume of data modern companies produce increases, it’s becoming ever more difficult for human analysts to spot malicious activity until it’s too late. This is where cybersecurity AI can come to the rescue.
This hostile threat landscape has led organizations such as Microsoft to use AI as part of their internal and external cybersecurity strategy. “We’re seeing this incredible increase in the volume of attacks, from human-operated ransomware through all different kinds of zero-day attacks,” said Ann Johnson, corporate vice president of security, compliance, and identity at Microsoft.
Given the complexity of modern attacks, “there is absolutely no way that human defenders can keep up with it, so we must have artificial intelligence capabilities in the technologies and solutions we’re providing,” Johnson said. For modern organizations, AI is now vital for keeping up with the fast-moving threat landscape and offers a variety of use cases that enterprises can leverage to improve their security posture.
Shutting down attacks early with IR
Perhaps the most compelling use case for AI in cybersecurity is incident response. AI enables organizations to automatically detect anomalous behavior within their environments and conduct automated responses to contain intrusions as quickly as possible.
One of the most high-profile uses of AI this year occurred at the Olympic Games in Tokyo, when Darktrace AI identified a malicious Raspberry Pi IoT device that an intruder had planted into the office of a national sporting body directly involved in the Olympics. The solution detected the device port scanning nearby devices, blocked the connections, and supplied human analysts with insights into the scanning activity so they could investigate further.
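The detection described above, a new device on the network touching many ports on neighbouring hosts, can be reduced to a simple behavioural rule over flow records. The following is an added example, not Darktrace's code or any code from the original article; the flow lines, the known-device baseline and the thresholds are all constructed for illustration, and the "deny" rule format at the end is an assumed placeholder rather than the syntax of any real enforcement point.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records for illustration (not captured from any real network).
# Format per line: "<ISO timestamp> <src ip> <dst ip> <dst port>"
SAMPLE_FLOWS = """
2021-07-20T09:00:01 10.0.5.12 10.0.5.1 53
2021-07-20T09:00:03 10.0.5.12 10.0.5.40 445
2021-07-20T09:00:05 10.0.5.88 10.0.5.1 53
2021-07-20T09:00:06 10.0.5.88 10.0.5.40 445
2021-07-20T09:00:10 10.0.5.77 10.0.5.40 21
2021-07-20T09:00:10 10.0.5.77 10.0.5.40 22
2021-07-20T09:00:11 10.0.5.77 10.0.5.40 23
2021-07-20T09:00:11 10.0.5.77 10.0.5.40 25
2021-07-20T09:00:12 10.0.5.77 10.0.5.40 80
2021-07-20T09:00:12 10.0.5.77 10.0.5.40 110
2021-07-20T09:00:13 10.0.5.77 10.0.5.40 135
2021-07-20T09:00:13 10.0.5.77 10.0.5.40 139
2021-07-20T09:00:14 10.0.5.77 10.0.5.40 443
2021-07-20T09:00:14 10.0.5.77 10.0.5.40 445
2021-07-20T09:00:15 10.0.5.77 10.0.5.41 22
2021-07-20T09:00:15 10.0.5.77 10.0.5.41 80
2021-07-20T09:00:16 10.0.5.77 10.0.5.42 22
2021-07-20T09:10:00 10.0.5.12 10.0.5.1 53
"""

# Assumed baseline: devices the monitoring system has seen before (constructed).
KNOWN_DEVICES = {"10.0.5.1", "10.0.5.12", "10.0.5.40", "10.0.5.41", "10.0.5.42"}


def parse_flows(text):
    """Turn the whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport)})
    return flows


def detect_scanners(flows, known_devices, window_seconds=60,
                    port_threshold=8, host_threshold=5):
    """Flag sources that touch many distinct ports or hosts inside one time window.

    Raises at most one alert per source, on the first window that crosses a
    threshold, and records whether the source was previously unknown.
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            ports, hosts = set(), set()
            for e in events[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                ports.add(e["dport"])
                hosts.add(e["dst"])
            if len(ports) >= port_threshold or len(hosts) >= host_threshold:
                alerts.append({
                    "src": src,
                    "new_device": src not in known_devices,
                    "distinct_ports": len(ports),
                    "distinct_hosts": len(hosts),
                    "window_start": first["ts"].isoformat(),
                    "sample_ports": sorted(ports)[:5],
                })
                break
    return alerts


def containment_rules(alerts):
    """Turn alerts into deny rules (placeholder format, not any real firewall syntax)."""
    return [f"deny from {a['src']} to any" for a in alerts]


if __name__ == "__main__":
    found = detect_scanners(parse_flows(SAMPLE_FLOWS), KNOWN_DEVICES)
    for alert in found:
        print(alert)
    print(containment_rules(found))
```

The second new device in the sample, 10.0.5.88, only talks to DNS and a file server and is not alerted on: novelty alone is a weak signal, and it is the combination of "new" with "scanning" that the analyst should be shown, together with the port list so they can investigate rather than just trust the block.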
“Darktrace was able to weed out that there was something new in the environment that was displaying interesting behavior,” Darktrace’s chief information security officer (CISO) Mike Beck said. Beck noted there was a distinct change in behavior in terms of the communication profiles that exist inside that environment.
When considering the amount of data the national body was processing in the run-up to the Olympics, it would have been impossible for a human analyst to spot such an attack at the same speed as the AI, Beck said.
“In 2021, and going forward, there is too much digital data. That is the raw reality,” Beck said. “You have to be using intelligent AI to find these attacks, and if you don’t, there’s going to be a long period of dwell time, and those attackers are going to have free rein.”
Charting and labeling protected data
Keeping up with the latest threats isn’t the only compelling use case that AI has within cybersecurity. AI also offers the ability to automatically process and categorize protected data so that organizations can have complete transparency over how they process this data; it also ensures that they remain compliant with data privacy regulations within an ever-more-complex regulatory landscape.
“Our regulatory department tells me we evaluate 250 new regulations daily across the world to see what we need to be in compliance, so then take all of that and think about all the different laws that are being passed in different countries around data; you need machine-learning capabilities,” Johnson said.
In practice, Johnson said, that means “using a lot of artificial intelligence and machine learning to understand what the data actually is and to make sure we have the commonality of labeling, to make sure we understand where the data is transiting,” a task too monumental for even the largest team of security analysts.
“It’s up to AI to decide: Is this a U.S. Social Security number, or just [nine] characters that are something else?” Johnson said.
By categorizing and labeling sensitive data, AI makes it easier for an organization to take inventory of what protected information is transiting where, so admins can accurately report to regulators on how that data is handled and prevent exposure to unauthorized individuals.
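Johnson's example, telling a Social Security number apart from nine characters that merely look like one, is a good illustration of why labeling needs more than a pattern match. The block below is an added example and not Microsoft's code or anything from the original article; it applies the Social Security Administration's published structural rules (area not 000, 666 or 900 and above; group not 00; serial not 0000; two numbers the SSA has said were never issued) and then uses formatting and nearby context to decide how confident the label should be. The label names and the context-window size are assumptions made for the example.

```python
import re

# Candidate: three, two and four digits, optionally separated by a dash or a space.
SSN_CANDIDATE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Numbers the SSA has publicly stated were never issued (they appeared in advertising).
NEVER_ISSUED = {"078051120", "219099999"}

# Words near a candidate that raise confidence it is really an SSN (assumed list).
CONTEXT_HINTS = ("ssn", "social security")


def structurally_valid_ssn(digits):
    """Apply the SSA's structural rules to a nine-digit string."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    return digits not in NEVER_ISSUED


def label_candidates(text, context_chars=25):
    """Find nine-digit candidates and label each one.

    Labels (assumed names): "ssn" when the structure is valid and either the
    value is dash-formatted or an SSN-related word precedes it; "possible_ssn"
    when the structure is valid but nothing else supports the label; "not_ssn"
    when the SSA rules rule it out.
    """
    results = []
    for m in SSN_CANDIDATE.finditer(text):
        value = m.group(0)
        digits = "".join(m.groups())
        before = text[max(0, m.start() - context_chars):m.start()].lower()
        if not structurally_valid_ssn(digits):
            label = "not_ssn"
        elif "-" in value or any(h in before for h in CONTEXT_HINTS):
            label = "ssn"
        else:
            label = "possible_ssn"
        results.append({"value": value, "label": label})
    return results


if __name__ == "__main__":
    # Constructed sample document for illustration.
    sample = ("Applicant SSN: 123-45-6789. Order #123456789 shipped. "
              "Ref 987-65-4321. Test value 078-05-1120. Call 5551234567.")
    for item in label_candidates(sample):
        print(item)
```

The "possible_ssn" bucket is where a classifier earns its keep: an order number that happens to satisfy the structural rules should be queued for a weaker control or human review, not stamped as regulated data and blocked, and the structurally invalid values are dropped before they ever reach an analyst.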
Building zero-trust architectures
At the same time, the ability to build automated zero-trust architectures and to ensure that only authorized users and devices have access to privileged information is emerging as one of the most novel use cases of AI. AI-driven authentication can ensure that nobody except authorized users has access to sensitive information.
As Ann Cleaveland, executive director of the Center for Long-Term Cybersecurity at UC Berkeley, explained, “One of the most powerful emerging use cases is the implementation of so-called zero-trust architectures and continuous or just-in-time authentication of users on the system and verification of devices.”
Zero-trust AI systems draw on a range of data points to identify and authenticate authorized users accurately and at machine speed. “These systems are underpinned by machine-learning models that take time, location, behavior data, and other factors to assign a risk score that is used to grant or deny access,” Cleaveland said.
When utilized correctly, these solutions can detect when an unauthorized individual attempts to access privileged information and block the connection. Cleaveland said that these capabilities are becoming more important following the mass shift to remote or hybrid work environments that has taken place throughout the COVID-19 pandemic.
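The risk-scoring step Cleaveland describes, combining time, location, device and behaviour into a score that drives an allow, step-up or deny decision, is shown below as an added example; it is not code from any zero-trust product or from the original article. The per-user baseline, the factor weights, the 900 km/h impossible-travel limit and the decision thresholds are all assumed values chosen for the illustration, and a production system would learn the baseline from login history rather than hard-code it.

```python
import math
from datetime import datetime

# Constructed per-user baseline; a real system would learn this from login history.
BASELINE = {
    "alice": {
        "usual_countries": {"DE"},
        "usual_hours_utc": range(6, 20),
        "known_devices": {"laptop-7f3a"},
        # Last accepted login: Berlin, 08:00 UTC (constructed)
        "last_login": {"ts": datetime(2021, 9, 1, 8, 0), "lat": 52.52, "lon": 13.40},
    }
}

# Assumed weights for the example; not values from any product.
WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 25,
    "off_hours": 15,
    "impossible_travel": 50,
    "failed_logins": 20,
}
MAX_PLAUSIBLE_KMH = 900   # faster than this between two logins counts as impossible travel
DENY_AT, STEP_UP_AT = 70, 30


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def score_access_request(user, req, baseline=BASELINE):
    """Score one access request against the user's baseline and pick a decision.

    Each triggered factor adds its weight and its name to the reasons list, so the
    decision can be explained to the user or to an analyst reviewing the denial.
    """
    b = baseline[user]
    score, reasons = 0, []

    if req["device_id"] not in b["known_devices"]:
        score += WEIGHTS["unknown_device"]; reasons.append("unknown_device")
    if req["country"] not in b["usual_countries"]:
        score += WEIGHTS["unusual_country"]; reasons.append("unusual_country")
    if req["ts"].hour not in b["usual_hours_utc"]:
        score += WEIGHTS["off_hours"]; reasons.append("off_hours")

    # Impossible travel: distance from the last accepted login divided by elapsed time.
    last = b["last_login"]
    hours = (req["ts"] - last["ts"]).total_seconds() / 3600
    if hours > 0:
        km = haversine_km(last["lat"], last["lon"], req["lat"], req["lon"])
        if km / hours > MAX_PLAUSIBLE_KMH:
            score += WEIGHTS["impossible_travel"]; reasons.append("impossible_travel")

    if req["failed_logins_last_hour"] >= 3:
        score += WEIGHTS["failed_logins"]; reasons.append("failed_logins")

    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT:
        decision = "step_up_mfa"
    else:
        decision = "allow"
    return {"score": score, "decision": decision, "reasons": reasons}


# Constructed requests: a routine login, a new phone in the evening, and a login from
# New York one hour after the Berlin login.
REQ_NORMAL = {"device_id": "laptop-7f3a", "country": "DE", "ts": datetime(2021, 9, 1, 10, 0),
              "lat": 52.52, "lon": 13.40, "failed_logins_last_hour": 0}
REQ_NEW_PHONE_EVENING = {"device_id": "phone-c21e", "country": "DE",
                         "ts": datetime(2021, 9, 1, 21, 30),
                         "lat": 52.52, "lon": 13.40, "failed_logins_last_hour": 0}
REQ_IMPOSSIBLE = {"device_id": "laptop-7f3a", "country": "US", "ts": datetime(2021, 9, 1, 9, 0),
                  "lat": 40.71, "lon": -74.01, "failed_logins_last_hour": 0}

if __name__ == "__main__":
    for name, req in [("normal", REQ_NORMAL), ("new phone", REQ_NEW_PHONE_EVENING),
                      ("impossible travel", REQ_IMPOSSIBLE)]:
        print(name, score_access_request("alice", req))
```

The middle case is the one worth noticing: an unfamiliar device outside working hours is not proof of compromise, so the policy asks for a second factor instead of denying outright, while a known laptop appearing 6,000 km away within an hour is denied even though the device itself is trusted.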
Bridging the skills gap with automation
One of the main drivers of adoption for some organizations is AI’s ability to bridge the IT skills gap by enabling in-house security teams to do more with less through the use of automation. AI can automatically complete tedious manual tasks, such as processing false-positive alerts so that analysts have a more manageable workload and additional time to focus on more productive and rewarding high-level tasks.
“We’ve been able to automate 97% of routine tasks that occupied a defender’s time just a few years ago, and we can help them respond 50 percent faster,” Johnson said. “And the reason is that we can do a lot of automated threat hunting across all of the platforms in a much quicker way than a human could actually do them.”
“This isn’t a takeover by AI,” Beck said. “AI is there to be a force multiplier for security teams. It’s doing a whole load of digital work behind the scenes now to present to human teams genuine decisions that they have to make so that we have a point where those human teams can decide how to take action.”
Ultimately, humans remain in control of which tasks are automated and how AI solutions are used. While AI is essential to cybersecurity for modern organizations, so are human analysts, and guess what? They’re not going away anytime soon.