While AI is interweaved with almost every digital experience – from the auto-suggest feature on touchscreen keyboards to Netflix movie recommendations to Google search results – in the cybersecurity world, AI is generally absent in the user interfaces used by network defenders.
This doesn’t mean AI is absent in security – on the contrary, AI has been tremendously valuable in supplementing traditional malware and attack detection methods.
But the security industry as a whole hasn’t yet taken the leap into integrating AI into the painstaking and labor-intensive process of doing live cybersecurity analysis, the way that so many of the tech giants have done for years now in other applications.
The role of AI in today’s cybersecurity products
In today’s cybersecurity, AI operates in the background, detecting low-level attack signals. Vendors that currently incorporate AI in their security products use the same basic template:
- They collect examples of both malicious and benign data, like executable programs, URLs, mobile apps, and system behaviors
- They train machine learning (ML) models, like neural networks, to correctly distinguish between malicious and benign example artifacts
- When their ML systems see previously unseen malicious Android applications, Windows .exe files, URLs, and the like, they issue alerts or take remedial actions to block such content from threatening our networks
There’s nothing wrong with this paradigm. For my team at Sophos, the use of AI has cut our miss rate by more than half, meaning we’re capturing many more cyber attacks than before. It’s a huge advantage over old-school manual detection methods. But it doesn’t affect the experience of cybersecurity analysts who are still using clunky old interfaces that make it hard to accomplish the basic, manual work that continues to dominate the process of securing our networks.
To address this, security vendors need to aim for creating a virtuous, seamless feedback loop between people and AI, one that makes AI the guiding force behind the cybersecurity user experience.
Reimagining AI as a virtuous feedback loop
Imagine if, similar to how Google bakes AI into the heart of its search algorithms or Facebook integrates AI into the heart of its news feed curation, AI was woven more tightly into the fabric of our cybersecurity experiences? Instead of being used only in the background, AI was used to drive user experiences within SOC tooling ecosystems. This new breed of cybersecurity AI could:
- Provide analysts with an AI “auto-complete” for routine security workflows, making them more time-efficient
- Predict which information analysts will need in making a given decision, automatically displaying it in real-time and accelerating their workflows
- Execute complex, time-sensitive incident remediation actions, under human supervision
This security model of the AI-native user experience will yield a live feedback loop between the AI and the hands-on-keyboard human operators – a virtuous cycle where the work done by the human side feeds higher quality data into the AI, refining the algorithms and enabling the AI to produce better outputs, which in turn enhances the human operators’ work and drives business success.
The next five to 10 years will be a race to determine who gets there first. The companies who achieve this will be able to drastically enhance their threat hunting capabilities and establish a new equilibrium between attackers and defenders; the ones who don’t will get left behind.
But this isn’t just about creating a competitive advantage between vendors, either. Our industry works better when we’re open, collaborative and transparent around new innovations. That’s to everyone’s benefit – the vendor and the customer. Creating this new paradigm that balances the predictive modeling of AI with the human touch of threat hunters will make the overall threat hunting processes better at flagging and thwarting the next generation of emerging cyber threats.
