The democratization of generative AI usage has been phenomenal in the last months. The most known generative AI tool, ChatGPT, has already gathered a pool of users well above 100 million, a growth in users that not even the biggest and most successful companies have reached. Improvements and new usage are found daily, and new generative AI tools are released by dozens each month.

People and pundits are talking about a general-purpose technology revolution. Time will tell, but one sure thing is that cybersecurity is a well-designated candidate to benefit from the generative AI revolution. Indeed, generative AI in cybersecurity can bring many benefits and answers to the challenges it is facing.

The growing complexity of cybersecurity threats calls for innovative solutions, and integrating generative AI in cybersecurity can significantly enhance security operations. Generative AI can help automate tasks, reduce noise, and prioritize threats, allowing organizations to effectively combat the ever-evolving cyber threat landscape. Combined with orchestration and automation capabilities, this has the potential for significant disruption. We have already discussed these challenges but will assess them today under the scope of generative AI.

Harsh reminder about cybersecurity pains

🚨 Growth of alerts

As the threat landscape evolves and organizations increasingly rely on digital systems, the number of alerts generated by security tools has grown exponentially. However, even though the noise issue is real, as we said in former articles, this last year saw a dramatic increase in attacks. Hence, these alerts range from false positives to genuine threats, making it challenging for security teams to stay on top of all the notifications.

💤 Threat overload and alert fatigue

With the ever-growing volume of alerts, it becomes difficult to distinguish between critical issues that warrant immediate attention and lower-priority concerns that can be addressed later. As security teams struggle to manage the overwhelming number of alerts, they may experience threat overload and alert fatigue.

Threat overload occurs when an organization has too many threats to track and mitigate effectively. In sum, there are insufficient hands to identify, quarantine, and remediate. In contrast, alert fatigue occurs when security personnel become desensitized to alerts due to their sheer volume.

Both threat overload and alert fatigue lead to missed threats, as overwhelmed security teams overlook incidents or fail to prioritize their response to potential breaches.

🛠️ Lack of trained experts

The rapid evolution of the cybersecurity landscape has resulted in a human and skills gap. The figure is known: the shortage of trained experts is around 3 million worldwide. This represents as many experts as are capable of addressing the myriad of threats organizations face today.

The high demand for skilled cybersecurity professionals exacerbates this lack of expertise. This makes it difficult for organizations to attract and retain top talent, favoring the happy few who can afford such talents. This can lead to a lack of institutional knowledge and experience, further hampering an organization's ability to defend against cyber threats effectively.

🔓 Linear scaling of security operations

As organizations grow, they digitize themselves, deploy assets on the cloud, and increase their attack surface. As they evolve, their security needs become more complex because the number of assets and endpoints grows. As a result, telemetry rises exponentially.

In front of this exponential increase in telemetry, the workload associated with managing and defending these systems often scales linearly, inevitably increasing the burden on security teams that can only do so much.

This linear scaling of security operations can result in significant toil—manual, repetitive, and automatable tasks devoid of enduring value. Toil not only consumes valuable time and resources but also limits the ability of security professionals to focus on more strategic tasks, such as threat modeling, root cause analysis, or risk management, for instance.

🙃 Stress in security teams

As we already learned, all these factors create an endless loop in which security team members are constantly harassed by noise, overload, or tool inadequacy and don't have the means to escape. This state of affairs contributes to high-stress levels among personnel who cannot focus on their primary responsibilities, such as analyzing potential threats and developing effective countermeasures.

Furthermore, this harsh environment can lead to miscommunication and confusion among team members, potentially hampering their ability to work together effectively.

What AI Brings to the Table

Today or in the next 5 years, generative AI will bring some of the following benefits or maybe more. It depends on further progress in specific domains, such as reinforcement learning or casuistic reasoning.

✅ Simplify complexity and reduce noise

One of the most significant advantages of AI and ML technologies in cybersecurity is their ability to simplify complex data sets and find correlations between disparate data sets. Variational Autoencoders (VAE), by learning the underlying structure of data through unsupervised learning, are particularly adept at capturing complex data distributions and can generate new samples representative of the original data.

Hence, VAEs can model normal network behavior and detect anomalies by comparing new data points with the learned distribution. This complex data pattern modeling will enhance threat detection capabilities, particularly for identifying previously unknown or zero-day attacks.

By incorporating reinforcement learning, generative AI models can adapt and improve their performance based on environmental feedback. This capability will help AI models learn to identify and respond to new threats more effectively over time, thus remaining up-to-date with the evolving threat landscape.

🤖 Implement AI and ML to lighten the burden

Implementing AI and ML technologies can reduce noise and significantly lighten the burden on security teams by automating manual, repetitive tasks that contribute to toil. For example, AI-powered tools can automatically categorize alerts based on their severity and potential impact, allowing security professionals to focus on more strategic tasks, such as threat hunting and incident response.

Additionally, AI and ML technologies can help automate vulnerability management, enabling organizations to identify and remediate system weaknesses more efficiently.

🚧 Advanced threat intelligence to identify and prioritize threats

Threat intelligence is vital in modern cybersecurity operations, helping organizations identify and protect against the most critical threats. As we saw above, generative AI technologies can significantly enhance the effectiveness of threat intelligence by collecting, analyzing, and correlating vast amounts of data from various sources.

This process allows organizations to understand better the tactics, techniques, and procedures used by threat actors, enabling them to prioritize their defenses and allocate resources more effectively. Recent announcements from Google and Microsoft are to be closely monitored.

Organizations can focus on the most significant risks and vulnerabilities by leveraging AI-powered threat intelligence through reinforcement learning. This allows them to develop targeted strategies issued and selected by generative AI models before being approved by humans to protect their critical assets.

The challenges of generative AI in cybersecurity

✨ Lack of skilled cybersecurity workers

As we know, the cybersecurity pain loop can repeat itself with AI. There aren't enough cybersecurity workers with adequate skills to tackle the complex challenges of today's threat landscape. Generative AI, for all its benefits, still needs skilled workers to provide it with the proper instructions, even though it introduced incredible democratization in the complex field of cybersecurity.

🔗 Integrating AI and security effectively

While AI and ML technologies offer significant potential for improving cybersecurity operations, integrating these tools effectively can challenge organizations. Successful integration requires a deep understanding of existing systems, processes, and security measures and the ability to adapt these elements to accommodate AI-driven solutions.

Speech and language analysis must be fine-tuned to correctly assert and solve instructions from disparate inputs, comply with different regulatory frameworks, ingest context, and provide consistent answers to context-based issues. Developments in reinforcement learning and bandit problems will offer significant benefits to AI by improving algorithms' learning curves and increasing causality in reasoning. Also, particular fields of machine learning, such as sequential decision-making under uncertainty problems, where the learning problem takes place in a closed-loop interaction between the learning agent and its environment, hence not passive but acting and learning its actions' consequences on the environment.

Finally, by choice or regulation, some industries won't be allowed to rely on generative AI powered by large data sets. This is where the ability to make sense of restricted, limited data sets, such as a model confined to your network, to solve issues in a given environment will be essential.

All in all, cybersecurity is a critical matter. Errors can lead to dramatic consequences, and this is why generative AI in cybersecurity will have to come through an ultra-specialization to become standard in operations. Maybe one day, we will have unsupervised algorithms doing the work!

📉 Potential negative impacts of AI on Cybersecurity

As with any other user, attackers quickly took their hands on generative AI tools. Although the implications are still limited in terms of the complexity of the value these tools provide, nonetheless, they are increasingly facilitating attackers' work. The best example is phishing emails. Still in the top 2 attack vectors, their writing, quality, and creation speed have dramatically improved using generative AI tools.

Some have tried and succeeded in creating malware, lacking intrinsic human value-added tactics to keep this code hidden as long as possible. Code obfuscation, which is all about converting simple source code into a program that does the same thing but is more difficult to read and understand for defenders, for instance, is something you will have a hard time making ChatGPT do in an advanced way.

There is also the risk of relying on generative AI models that are not "explainable." Explainability will help analysts understand the reasoning behind the model's predictions or generated samples, enabling them to trust and act upon the insights provided by the AI.

The risk of having generative AI models without "explainability" would be to create a gap between cybersecurity professionals and AI models that make decisions based on sometimes weak correlation links. Moreover, relying on a "non-explainable" AI would promote the outsourcing of skills to a third-party tool and, therefore, a loss of control over cybersecurity and the risk of uncontrolled decision-making errors or even a loss of visibility over one's cybersecurity architecture.

Integrate GenAI tools with your stack

🧩 Interoperable tools through exhaustive integration

To make the most of AI and ML tools and technologies, organizations will need automation platforms that promote the interoperability of tools. Such platforms should offer exhaustive integration capabilities, enabling seamless communication and data sharing between generative AI solutions and existing systems. By facilitating smooth integration, organizations can create a more cohesive and efficient security infrastructure, allowing them to leverage the full potential of AI and ML technologies in their cybersecurity operations.

Moreover, doing so helps every company take its share of the benefits of generative AI. One of the risks being such tools be monopolized by the wealthiest organizations that can afford them, the ability to provide integrations to a whole ecosystem enables any organization to have and keep access to generative AI tools.

⚙️ Automating mundane incident response tasks with AI

Taking full advantage of AI in incident response requires the implementation of an automation platform that can interconnect generative AI tools with other cybersecurity solutions, effectively streamlining the entire remediation process.

Integrating generative AI tools into the incident response process helps organizations quickly analyze security incidents, identify threats, and prioritize their response. Automating remediation tasks can significantly reduce the time it takes to mitigate security incidents, minimizing potential damage.

Generative AI will also help identify complex patterns and anomalies that may be difficult for human analysts, such as next-next-behavioral analysis! This will help reduce the likelihood of false positives and other errors.

Also, organizations can maintain control and oversight over automated actions and generative AI outputs by incorporating user-defined checks and balances during remediation. This can include requiring human approval for specific remediation steps, implementing detailed logging and audit trails, and creating real-time alerts to notify security personnel of critical events.

Useful combinations could lie in integrating generative AI models with existing security solutions, such as SIEM, EDR, and Orchestration and Automation platforms, enabling seamless data exchange and analysis.

So…

While AI and security integration may not be a silver bullet for all of the pain points of cybersecurity, they can significantly improve security operations for organizations. With advancements in AI technologies such as generative AI and large language models, the possibilities for AI to enhance security teams' effectiveness are expanding. By leveraging AI to automate mundane tasks, streamline communications, and prioritize threats, organizations can better defend against the evolving cybersecurity landscape. Implementing automation platforms to interconnect AI with existing infrastructure will be a critical factor in realizing the full potential of AI in cybersecurity.