Using AI in cybersecurity starts with data, establishing ‘baseline of operations’
With cyber attacks always on the rise, can artificial intelligence help network defenders keep up? “What AI is able to do is look at these patterns at a large...
The attention, focus and hype around the world of artificial intelligence seems to reach a new fever pitch every week.
And in many ways, cybersecurity is one area that’s emblematic of how AI “holds extraordinary potential for both promise and peril,” in the words of President Joe Biden’s new executive order on AI.
One of the major concerns is that nation states and hacking groups will take advantage of AI tools to pull of damaging cyber attacks at speed and scale. Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, recently called AI “the biggest issue that we’re going to deal with this century.”
On the flip side, many officials also envision AI aiding network defenders to more quickly identify vulnerabilities in software, uncover nefarious activities on networks, and stop cyber attackers in their tracks.
Cybersecurity companies are already seeing great promise in leveraging the data they’ve collected and applying AI to cyber defenses.
“How do you stitch all of this data together? You have data coming from your network, you have data coming from your cloud, you have data coming from your endpoints,” Joe Boye, FSI systems engineering manager at Palo Alto Networks, said on Federal news Network.
“What AI is able to do is look at these patterns at a large scale, especially from a cyber operations perspective, where you have millions, if not billions of threats that are coming in each day,” he said.
Boye says automated tools can help triage incoming incidents and identify the source and scope of the event. That’s a role typically filled by a “tier one” analyst in the cybersecurity world.
“AI is great at using the data to learn and then taking actionable events into consideration,” Boye said. “And instead of having that tier one analyst try to figure all that out, parsing all of that data, and then stitching it together, allow AI to perform those low level functions, and then bring in automation to perform that function. That will allow your team to focus on things that are more important like hunting and looking for what could be a possible threat in your environment.”
Good data hygiene
Organizations that want to take advantage of existing and emerging AI tools to defend their networks will need to start collecting and organizing their cyber data, according to Boye.
“These models work off of the data, and so you want to make sure you have good data hygiene,” he said. “If you’re feeding these models bad data, you’re going to get bad decisions.”
There’s an expanding range of cybersecurity-relevant data that organizations need to take into account, including data from applications, endpoints and cloud services. Zero trust security, now a mandate for agencies under the federal zero trust strategy, requires organizations to understand who is accessing what data at all times.
“It’s important to make sure that we can establish a baseline of operations, so that you can take full advantage of the necessary capabilities of AI, but then also give the user some level of control,” Boye said.
From reactive to proactive cybersecurity
Cyber defense operations today are largely reactive. Organizations struggle to keep up with the latest patches, monitor their networks for cyber threats, and rush to investigate and remediate when an incident is discovered.
The assumption is that hackers are always one step ahead of security professionals.
While that paradigm may be difficult to break entirely, Boye believes AI will help cyber defenders shift to a more proactive posture.
“I see a place where a lot of the lower level activities completely go away, allowing the cybersecurity workforce to focus on higher value activities, like threat hunting, like developing the countermeasures, and then doing the necessary research to continually evolve your environments to stay ahead or try to stay in line with the adversary,” he said. “And then the next step is taking what you’re seeing in the environment and providing that threat intelligence to other organizations so that they can take future actions prior to a potential incident occurring.”
FSI Systems Engineering Manager, Palo Alto Networks
Joe Boye has nearly 20 years of experience in IT operations, engineering, sales, and new business capture support in Government contracting and product sales. His time has been mostly within the Department of Defense (DoD), and the Intelligence Community (IC) providing mission-essential services and solutions. Joe holds several masters and bachelors degrees in business and engineering and various certifications that include the CISSP, CCSP, CEH, CISA, and PMP to name a few.