The AI hype of 2023 has placed the prospect of Artificial General Intelligence into our collective imaginations. A common refrain, “AI will be able to do that,” has been uttered countless times about almost every conceivable task. And yet the reality is that today’s AI isn’t singular.
AI is a foundational capability that applications and solutions are built on top of almost as if it’s a new-age CPU. CPUs can do wonderful and magical things through the applications they enable.
Emerging Cyber AI solutions have similarly captured imaginations, and their early opacity has allowed those imaginations to wander and wonder what they’ll be able to do. The truth is that there is no singular Cyber AI, but instead, a set of AI solutions that will support different missions.
What Cyber Operations Missions will AI support?
- Cyber GPT – These solutions, like Microsoft’s Security Copilot, bring the power of ChatGPT to your cyber data. Analysts will be able to ask an AI chatbot questions and receive explanations and recommendations. The net effect will be analysts making decisions 20%+ faster; if your analysts review 50 alerts a day, they will be able to squeeze in an extra 10. Other benefits are hard to quantify but equally important; for example, better report and presentation writing will improve how analysts communicate to leadership about the threats they encounter. Additionally, AI language models can draw on a wider base of experience, which can help upskill analysts who may not have experience with a particular threat family or enterprise technology.
- Automated SOC – Solutions such as Salem Cyber will automate the process of investigating cyber alerts from your security tools. This includes both dynamically creating individual alert enrichment playbooks and understanding the nuance of an alert investigation well enough to decide whether or not to escalate. The benefit of this AI is the speed and scale that come with analyzing every action flagged as suspicious. In a human-only SOC, there is a hard limit set by the cognitive capacity of your team. With automation, you could perhaps perform thousands of investigations to find the 1 or 2 alerts that need to be escalated to someone in the SOC.
- Anomaly Detection – Practically every detection-side tool (EDR, SIEM, Cloud) has some form of AI/ML anomaly detection. The idea is that models can review large sets of data, find patterns, and flag new transactions that are suspicious. As data scientists become more versed in the unique challenges of analyzing data for cyber threats, these capabilities have improved and will continue to do so. These solutions can help address the emotive question, “I have all this data; shouldn’t something look at what’s in there?”
What type of AI should you prioritize?
If you’re a cyber leader who reports through an IT organization, you are likely under pressure to find ways to adopt AI to gain efficiency. You might be looking for new ways to keep your team motivated and engaged. Or perhaps you’re concerned about the SOC’s ability to provide consistent coverage of the full tech landscape. Your motivations will dictate what “best” looks like for you.
- Easy Button – If you want AI and you want it fast, the easiest solution will be to turn on a Cyber GPT tool such as Security Copilot. It’s going to be an extra license and then boom, you’ve got AI. The downside is that there might be only a small delta (read: low ROI) between what this type of solution provides your team and the other AI chatbot tools your organization already invests in.
- Best Value – Automated SOC AIs will provide the biggest and most sustained capability boost to your team. Alert triage is typically the most time-consuming and lowest-ROI task any SOC performs. That’s a bad combination, and a solution that offloads that work is not only good for your productivity and board metrics, but also good for your team’s morale. Add in the benefit of finally getting coverage for the cloud tool that has been blinking over in the corner, untouched for months.
The future of cybersecurity is AI-powered. Eventually, most or all of your cybersecurity technology will be underpinned by AI. The question is: where can it make the biggest impact in your tech stack now? For instance, you might enable Salem to help cut through the noise and escalate only the one or two alerts that matter to your enterprise, and then ask Microsoft’s Copilot for advice on how best to respond to the threat that Salem escalated. Either way, investing in emerging AI can give you peace of mind that you are employing the most cutting-edge tools to stay on top of the ever-changing cyber landscape.