GenAI and Threat Detection
Graydon McKee - MSIA, CISSP
Former Chief Information Security Officer (CISO), Fortune 5 Experienced Information Security Executive
This is part two of an article I wrote for LinkedIn where I took on the topic of the use of AI in Cybersecurity. I’m focusing on the newest “kid on the block,” GenAI. Last time we covered what Artificial Intelligence (AI), Machine Learning (ML), and GenAI are, and some of the key capabilities GenAI brings to the table.
In this article, I will dive into the first of two obvious areas where GenAI can help. Today’s topic is Threat Detection. In Part Three we will continue by looking at other areas where GenAI can play a role: Incident Response, Risk Assessment, Compliance Monitoring, and Security Training.
Before jumping into this, I’d like to ask a favor: if you find this worthy, please share it and present your opinions in the comment section. I’m not writing this to hear my own voice. I’m trying to spark a conversation and hear your perspectives. All of you have a point of view that I may not have considered, and learning what that is helps me to evolve my own opinions. Now on to GenAI and the role it can play in both Threat Detection and Incident Response.
As I mentioned in Part One, AI and ML have been around for quite some time now. The concept took voice in 1950 in Alan Turing’s book Computing Machinery and Intelligence, but the actual phrase “artificial intelligence” appeared during a workshop at Dartmouth University by John McCarthy in 1955.
Recent developments in Generative Pretrained Transformer AI, or GenAI as it is colloquially known, have brought additional functionality to the forefront. These differ from previous iterations of AI in that GenAI utilizes machine learning techniques to understand and generate human-like text. GenAI is part of a family of AI models known as transformers. Transformers are designed to handle sequential data while maintaining the overall context.
Enough of a summary, let me dive into the “meat and potatoes” of GenAI and how it can augment our abilities in Cybersecurity.
The first area we will explore is the role GenAI can play in Threat Detection.
As I mentioned in the first article, we have entirely too much data to manually analyze and act on while maintaining good operational awareness. The old pattern matching and primitive behavior analysis capabilities of our SIEMs and Intrusion Detection tools leave much to be desired. Sometimes something as simple as a syntax deviation in a log line can lead to a false negative, giving us a false sense of safety, which can be potentially catastrophic.
GenAI uses a combination of six capabilities to enhance operational awareness. The first of these is its ability to perform large-scale data analysis. GenAI can process and analyze incredibly vast amounts of data from many different types of systems. The ability to handle all these distinctive information sources is a key aspect of how GenAI works. Basically, if you can get the data into a data repository and can tell GenAI how to read it, GenAI can analyze it.
This feeds into GenAI’s second key capability, which is pattern recognition. A lot of tools out there can identify known patterns. This functionality is nothing new. While GenAI can do this very well, it can also identify additional patterns which may or may not be of interest to the cybersecurity team.
An example of this would be the identification of specific Tactics, Techniques, and Procedures (TTPs) used by the various attacker groups out there. Not only can GenAI identify when those specific patterns emerge; it can also identify additional patterns which behave in a similar manner, leading our analysts to investigate further. This helps identify threats which have not yet been encountered, such as zero-day exploits and other new threats.
This identification of new patterns is an aspect of GenAI’s anomaly detection capability. Rather than being solely reliant on known threat patterns, GenAI can go further by looking at similar behavior and flagging it. Over the past few years, other security tools have begun to incorporate similar features into their products, and this approach has proven useful and, in most cases, invaluable in the early detection of hostile activity.
Where a deployment of GenAI differs from other security tools with similar capability is its ability to combine two important capabilities: understanding the context of the data it’s analyzing, and then using that understanding to proactively predict potential future activity. GenAI deployments can maintain a contextual understanding of what they are analyzing and use it to identify very sophisticated attacks that would normally fly under the radar.
Lastly, GenAI actively learns as it is exposed to more and more data. It learns and adapts how it analyzes the data to improve its threat detection capabilities.
This is where I’m going to stop today. In this article, we examined how GenAI can enhance threat detection through large-scale data analysis, pattern recognition, pattern prediction, anomaly detection, contextual understanding, and continuous learning. Next time I’ll address the role that GenAI plays in Incident Response. Other articles in the series will move on to address its role in Risk Assessments, Compliance Monitoring, and Security Training. I am writing these one at a time, so I don’t have a feel for how many more articles there will be. I’m trying to keep the word count under 1,000 words if I can. Hopefully, you will join me for those.
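To make the two points above concrete (a syntax deviation producing a false negative in an exact-match rule, and behavioral anomaly flagging catching what the signature missed), here is a small added example in Python; it is not code from the article or any product, and the log lines, host names and the "3x the median" threshold are constructed assumptions for illustration.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample auth-log lines (not from the article). Host db02 emits the
# same event with different casing: the kind of "syntax deviation" a brittle
# signature rule silently misses.
LOG_LINES = [
    "host=web01 event=login_failed user=alice src=10.0.0.5",
    "host=web01 event=login_ok user=alice src=10.0.0.5",
    "host=app03 event=login_failed user=bob src=10.0.0.7",
] + [
    f"host=db02 event=LOGIN_FAILED user=svc{i} src=10.0.0.9" for i in range(6)
] + [
    "host=db02 event=login_failed user=svc9 src=10.0.0.9",
]

# A signature rule written the way an exact-syntax SIEM match often is.
BRITTLE_RULE = re.compile(r"event=login_failed\b")
# Same detection intent, tolerant of case and separator variation.
ROBUST_RULE = re.compile(r"event=login[_\-\s]?failed\b", re.IGNORECASE)

HOST_RE = re.compile(r"host=(\S+)")

def failures_per_host(lines, rule):
    """Count lines matching `rule`, grouped by the host field."""
    counts = Counter()
    for line in lines:
        if rule.search(line):
            counts[HOST_RE.search(line).group(1)] += 1
    return counts

def anomalous_hosts(counts, factor=3):
    """Behavioral check: flag hosts whose failure count exceeds
    `factor` times the median across all hosts (assumed threshold)."""
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(h for h, c in counts.items() if c > factor * baseline)

def compare(lines):
    """Run both rules and the anomaly check; return the side-by-side results."""
    brittle = failures_per_host(lines, BRITTLE_RULE)
    robust = failures_per_host(lines, ROBUST_RULE)
    return {
        "brittle_counts": dict(brittle),
        "robust_counts": dict(robust),
        "brittle_flags": anomalous_hosts(brittle),
        "robust_flags": anomalous_hosts(robust),
    }

if __name__ == "__main__":
    for name, value in compare(LOG_LINES).items():
        print(name, value)
```

With the brittle rule every host looks equally quiet and nothing is flagged; once the rule tolerates the deviation, the per-host baseline immediately surfaces db02 as the outlier.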
#cybernews, #hacker, #securitycontrols, #datasecurity, #cissp, #genai, #infosecurity, #ciso, #informationsecurity, #networksecurity, #riskmanagement, #cybercrime, #cyberattacks, #cybersecurity