AI Gets us the Many Eyes We Were Promised

Sponsored by AT&T Business, but the content is 100% controlled and written by me.

One of the things I’m most excited about with AI is the fact that it'll enable things to happen continuously instead of infrequently—or even not at all.

Many of the most important tasks that we do in society require lots of people, lots of time, lots of knowledge, and lots of resources to do properly. And this is why they're only done quarterly, annually, or once every few years. This includes things like:

• Monitoring all the cameras in a city
• Getting a pulse on the mental health of a population
• Watching terabytes of logs for signs of malicious behavior
• Assessing the cyber attack surface of an organization
• Prioritizing problems for an organization
• Threat modeling the various scenarios we're worried about

Most of these tasks should be done far more often—and ideally, continuously. We simply don't have the skilled people, the money, or the time to do so.

AI adds both skill and scale

With AI—and specifically with armies of AI agents—we will be able to automate these types of tasks to run constantly using updated information from the environment. For example, in security, AI can collect the full context that will be needed to create a threat model.

This would include tons of metadata about the company itself, such as its mission, goals, business objectives, KPIs, projects, budget, and people.

It would also include information about where they do business, such as in California and France (which have lots of regulations around data privacy), as well as markets they're trying to enter and that they want to avoid.

Also included would be information about their tech stack, such as whether they're cloud-based, use a particular cloud platform, what products they're building, what languages they use, whether it's in-house or outsourced, how those teams push code, etc.

Once the AI has built a model, it can continuously update it with new information and respond to prompts to display that information to authorized users.

Threat model scenarios

Using all this information as the backdrop, the AI can then propose scenarios. These scenarios might include things like:

1. A malicious insider exports a copy of the customer data to take to a competitor.
2. A phishing campaign targets the CEO's EA to get access to the CEO's email.
3. A regulation changes which makes it impossible to do business in a key market.
4. A new vulnerability comes out that targets the company's web app stack, as well as hundreds of other components within the infrastructure.

In the case of #4, which is what we saw with log4j and several other similar attacks, it's really difficult to find all the vulnerable systems, and also to prioritize when each should be fixed. And by whom.

Security & Attacker use cases

One of the most common questions people ask about AI and security is how it's affecting the cat and mouse game between attackers and defenders.

The short answer is that it's helping both simultaneously, but with a bias towards the attackers in the early innings. Attackers have the advantage when getting into AI—and really any new technology—because they can afford to experiment without a lot of downside.

Defenders need to worry about privacy, compliance, and all sorts of other issues before they take brand-new GenAI tech and put it into production. Attackers, on the other hand, are already using AI to automate phishing campaigns.

Phishing campaigns are a great example of where AI can help both sides. As an attacker you can quickly generate new emails that are likely to work on a target based on context like job, location, where they grew up, relationship status, stated opinions, etc. Defenders can use the tech in a similar way by looking for emails that are likely to be clicked on by VIP targets, and flagging them as more critical for analysis.

Another example of a benefit of AI for both sides is Attack Surface Management, where the time gap between finding a new surface to attack like a domain, a website, a URL, etc. is just getting shorter and shorter. So now the race between attackers and defenders is starting to move from months or weeks to days or hours. And within a few years, for the best attackers and defenders, that will get down to minutes or seconds.

For businesses to stay ahead of this, they need to be anticipating these attacker uses of AI, and use Continuous Monitoring to close the gaps before the attackers abuse them.

Continuous context

AI will allow us to continuously collect and analyze data in order to update the context we talked about above. That means the company's GitHub repos are being monitored for new submissions, scans of any new code, summaries of changes to the tech stack, changes to their security controls, etc.

The turnaround times for these updates are already shortening, but AI will push them to be nearly instantaneous over the next several years. I talked about this AI Infrastructure, which I call SPQA (State, Policy, Questions, Action), in early 2023, and companies are already building it.

SPQA will allow security teams to build their program around requests like:

“We're worried about this new vulnerability (give the details of the vulnerability). Give me a comprehensive analysis of how this impacts our Risk Register, how it compares to our current risks we're working on, and a comprehensive plan for remediation--including timelines, costs, and who's responsible.”

The key here is that this will not be a project that does the above. It won't be a point in time event that requires lots of people, lots of meetings, lots of coordination, and probably weeks or months of time.

This will be a request that anyone can send into the company's AI system at any time. And it'll be fulfilled in seconds.

Continuous analysis and communication

The AI system will be able to do this because it will have all the context needed to do so, which will enable it to properly prioritize the threat and build a plan that fits within the company's mission, goals, and other priorities.

And not only will the AI be able to prioritize the issue and build a plan, but it will also build a communication plan around it. This means it will be able to communicate to the right people in the right way at the right time.

And again, companies try to do that already, but that communication process alone requires tons of people working constantly to make it happen, and it's still not anywhere near ideal.

Once set up in the structure described above, AI can do that in seconds.

But there's a catch.

AI requires data pipelines

SPQA as described above, is powerful, which is why so many companies are scrambling to build it and implement it.

But it requires a constant stream of data, from thousands of sources. And it requires state and context to be updated constantly, in the proper way, so that AI can use that context to answer questions for decision makers.

This requires infrastructure. Connectors. Real time data feeds. Data processing. Data summarization. Data storage. Visualization interfaces. And so much more.

And that's just for one startup. Every company will be doing this soon. And it won't just be companies. This will be how any organization manages itself very soon. So we're talking about information processing infrastructure at company, industry, country, and global scales.

Building the infrastructure

There are lots of ways to benefit from what's coming, but there are a few main groups that will win by building what we need for this to happen.

• The companies building the AI applications
• The companies that build and run the infrastructure the AI runs on

If you're building in the AI space, you should be thinking about how you're going to power your AI with continuous context.

Everyone's been saying for years that the world runs on data, but with AI and the infrastructure that AT&T Business is building out, we're seeing exactly how that's true.

#AI #Cybersecurity #ContinuousMonitoring #ThreatModeling #ATTBusiness #DigitalTransformation