AI-Augmented Cybersecurity: They Use It So We Use It?
I fear the AI hype and the groupthink of "the bad guys are using AI so we have to use AI" without an assessment, a plan and specific goals. Failing to plan is planning to fail, after all.
So I was surprised to hear from an experienced Risk Management executive that his conservative financial institution is using AI internally to bolster their cybersecurity stance. We discussed needing to make sure that once your pet AI is an expert on your weaknesses that it doesn't blab about them to the wrong people. He was pretty sure that they were keeping their AI in line and seemed to be doing all the right things to ensure that. I look forward to hearing more some day. In the meantime, let's review what AI can do for you, what it cannot and what it should not.
Let The Buyer Beware
Keep in mind that training an AI is a difficult task and keeping one up-to-date is harder. Your choices for this are not great: have your AI get ever more out-of-date, carefully curate the input yourself, or shovel lots of new stuff at it. Keep in mind, too, how easy it is to poison an AI and how quickly new threats such as prompt injection are coming at us.
Also be aware that currently the cost of using AI is greatly subsidized on what I like to call "the drug dealer model." For now, you can use AI for cheap and once you come to depend on it the model will change. That's capitalism for you.
A Second Pair of Eyes (Protect)
You can use AI as a second pair of eyes for your team. A properly trained AI is a great fit for this job. For example, we all know that you should constantly review the risks posed by your contact points with the public: your links to the cloud, your public-facing web servers and email servers, your Wide Area Network (WAN) links between Local Area Networks (LANs). This is important but rather tedious work. This is the kind of task for which a properly trained, unpoisoned AI is well-suited. Review all your public contact points far more frequently than you do now--but keep an expert human at the wheel. Always make sure that your AI isn't just wildly wrong or even mildly wrong.
A Helping Hand (Detect)
We have discussed before how one might use AI to give your team a helping hand. The short version is that monitoring a large network of active computers involves monitoring a vast amount of activity. Much of that activity is routine. A tiny bit of it needs to be reviewed. Human attention is a precious resource and it would be ideal to focus it on the signal (the abnormal stuff) while safely ignoring the noise (the normal stuff). LLMs in particular are good with sophisticated pattern matching. A properly trained AI could greatly lighten the load of monitoring, making your humans much more productive.
A Teammate (Respond)
If you are braver than I am, you would consider using an AI agent to actually take action as part of your Cybersecurity Program (CSP). Any good CSP identifies risks (Protect), checks to see if those risks have been realized (Detect) and then takes swift and decisive action to mitigate that risk (Respond). In theory, if your risks are well-defined and your response is well-defined then having an AI agent swiftly and automatically do the right thing at superhuman speed with superhuman accuracy would be awesome. In theory.
Conclusion
Perhaps I am old enough that I am inevitably a Luddite, but I remain unconvinced that in 5 years or even 10 years everything will be AI-augmented and we will all live a life blissfully lacking in digital drudgery.
However, a new option doesn't have to be the ultimate good in order to be worth considering. And there is something to the idea that knowing how you look to your enemies is always valuable.
So go forth and assess the risk of trying AI in different roles. Consider the cost and weigh the benefit. Form a policy or set of policies. Plan based on them. Execute the plans. We in cybersecurity are risk managers, after all; this should be right up our alley.