The Future of Cyber Défense: How AI is Shaping Security Strategies

Considering AI’s proficiency in pattern recognition, detecting cyber security anomalies is an obvious use case for it. Behavior anomaly detection is a prime example. Through the use of machine learning, a model can identify what normal behavior within a system looks like, and single out any instances that deviate from the norm. This can help identify potential attacks and systems that are not functioning as intended by catching outliers in their behavior.

Even user behavior that might be an issue, such as accidental data leaking or exfiltration, can potentially be discovered through AI pattern recognition or other mechanisms. Using datasets either created or consumed by the organization can also be used to watch for patterns and outlier behavior on a broader scale, in an attempt to determine the likelihood of the organization being targeted by cyber security incidents happening throughout the world.

Use Cases

Anomaly Detection

Anomaly detection—the identification of unusual, rare, or otherwise anomalous patterns in logs, traffic, or other data—is a good fit for the pattern recognition power of ML. Whether it's network traffic, user activities, or other data, given the right algorithm and training, AI/ML is ideally suited for spotting potentially harmful outliers.

Example:

Consider a banking system where normal user behavior involves logging in from one geographic location and performing a set of standard transactions. If an account suddenly shows login attempts from different countries within a short period or large transactions that deviate from typical behavior, AI can flag these as anomalies. This helps in detecting potential fraud or unauthorized access.

Not only is AI/ML great at spotting patterns, but it is also able to categorize and group them. This is essential for assigning priority levels to various events, which can help prevent "alert fatigue." Alert fatigue can occur if a user or team is inundated with alerts, many of which may be little more than noise. When this happens, alerts lose their importance, and many, if not all, are viewed as noise and not properly investigated. Using these capabilities, AI/ML can provide intelligent insights, helping users make more informed choices.

AI-Assisted Cyber Threat Intelligence

The ability to monitor systems and provide real-time alerts can be vital, but AI/ML can also be used to enhance the security of systems before a security event occurs. Cyber Threat Intelligence (CTI) works by collecting information about cyber security attacks and events. The goal of CTI is to be informed about new or ongoing threats with the intent of proactively preparing teams for the possibility of an attack on the organization before it occurs. CTI also provides value in dealing with existing attacks by helping incident response teams better understand what they are dealing with.

Example:

AI-driven CTI platforms can scan through vast amounts of data from the dark web, forums, and other sources to identify chatter about potential vulnerabilities or planned attacks. For instance, if there’s an increased discussion about exploiting a particular software vulnerability, the AI can alert security teams to patch their systems accordingly.

Traditionally, the collection, organization, and analysis of this data were done by security professionals. However, AI/ML can handle many routine or mundane tasks and help with organization and analysis, allowing those teams to focus on the decision-making required when they have the necessary information in an actionable format.

AI-Assisted Code Scanning

While leveraging AI/ML to detect and prevent cyber security attacks is valuable, preventing vulnerabilities in software is also crucial. AI assistants in code editors, build pipelines, and tools used to test or validate running systems are quickly becoming the norm in many facets of IT.

Example:

A development team working on a financial application can use AI-powered code scanning tools integrated into their code editors. These tools can analyze code in real-time and flag potential security issues, such as SQL injection vulnerabilities or improper handling of sensitive data, before the code is even committed.

As with CTI, AI systems can help alleviate mundane tasks, freeing humans to spend more time working on more valuable projects and innovations. Code reviews, while important, can be improved by leveraging Static Application Security Testing (SAST). While SAST platforms have existed for some time now, their biggest issue is the often large quantity of false positives they generate. Enter AI/ML’s ability to take a more intelligent look at source code, along with infrastructure and configuration code. AI is also starting to be used to run Dynamic Application Security Testing (DAST) to test running applications to see if common attacks would be successful.

SAST has long used a “sources and sinks” approach to code scanning. This refers to tracking the flow of data, looking for common pitfalls. The various tools produced for static code scanning often use this model. While this is a valid way to look at code, it can lead to many false positives that then need to be manually validated.

AI/ML can provide value here by learning and understanding the context or intent around possible findings in the code base, reducing false positives and false negatives. Both SAST tools and AI assistants have been added to code editors, helping developers catch errors before they are ever submitted. There are a few limitations, however, including language support and scalability with very large code bases, but these are quickly being addressed.

Automating the Discovery of Vulnerabilities

Code reviews can be a time-consuming process, but once that code is submitted, testing doesn’t usually end. DAST is used to test common attacks against a running application. There are a few tools on the market that help with this well, but like coding itself, there is some ramp-up time involved. A user needs to understand these attack types, how to replicate them through the DAST tool, and then automate them.

Example:

A SaaS provider could use AI-enhanced DAST tools to regularly scan their live applications for vulnerabilities. The AI can simulate a wide range of attacks, such as cross-site scripting (XSS) or buffer overflow attacks, providing detailed reports on potential weaknesses without manual intervention.

Recently, DAST and related application testing tools have begun to implement AI/ML either directly into their platforms or as plugins, allowing for greatly improved automated scanning. Not only does this free up staff who would need that ramp-up time and the time needed to run the different attacks, but it also saves the time and money required to do full-blown penetration testing. Penetration testing still very much requires a human who is capable of thinking like an attacker and recognizing potential weaknesses, often creating novel ways of verifying that they are indeed exploitable.

Enhancing Endpoint Security

AI can significantly enhance endpoint security by providing real-time threat detection and response capabilities on individual devices. By analyzing patterns and behaviors, AI can detect malware, ransomware, and other threats that traditional signature-based antivirus software might miss.

Example:

Consider a corporate environment where employees use various devices for work. AI-driven endpoint security solutions can monitor these devices for unusual behavior, such as a sudden spike in CPU usage, which might indicate a malware infection. The AI can then isolate the affected device, preventing the spread of the malware and alerting the IT team for further investigation.

As we become more and more dependent on AI systems, the speed and accuracy of machine learning in securing the systems we use won’t just be a “nice to have,” but will increasingly become a “must have.” It is all but a guarantee that bad actors will use AI/ML systems to conduct their attacks, so the defenders will need to implement these systems to help protect and defend their organizations and systems.

Ideally, students getting ready to enter the workforce will learn about AI/ML systems, but experienced professionals will need to embrace this as well. The best thing individuals can do is make sure they have at least a basic understanding of AI, and the best thing organizations can do is to start looking at how they can best leverage AI/ML in their products, systems, and security.

?