Which cybersecurity processes can be automated with AI? | Kaspersky official blog

Which cybersecurity processes can be automated with AI? | Kaspersky official blog

/in

Although automation and machine learning (ML) have been used in information security for almost two decades, experimentation in this field continues non-stop. Security professionals need to combat increasingly sophisticated cyberthreats and a growing number of attacks without significant increases in budget or personnel. On the positive side, AI greatly reduces the workload on security analysts, while also accelerating many phases of incident handling — from detection to response. However, a number of seemingly obvious areas of ML application are underperforming.

AI-based detection of cyberthreats

To massively oversimplify, there are two basic — and long-tested — ways to apply ML:

Attack detection. By training AI on examples of phishing emails, malicious files, and dangerous app behavior, we can achieve an acceptable level of detection of similar The main pitfall is that this area is highly dynamic — with attackers constantly devising new methods of disguise. Therefore, the model needs frequent retraining to maintain its effectiveness. This requires a labeled dataset — that is, a large collection of recent, verified examples of malicious behavior. An algorithm trained in this way won’t be effective against fundamentally new, never-before-seen attacks. What’s more, there are certain difficulties in detecting attacks that rely entirely on legitimate IT tools (LotL). Despite these limitations, most infosec vendors use this method, which is quite effective for email analysis, phishing detection, and identifying certain classes of malware. That said, it promises neither full automation nor 100% reliability.
Anomaly detection. By training AI on “normal” server and workstation activity, we can identify deviations from this norm — such as when an accountant suddenly starts performing administrative actions with the mail server. The pitfalls here are that this method requires (a) collecting and storing vast amounts of telemetry, and (b) regular retraining of the AI to keep up with changes in the IT infrastructure. Even then, there’ll be many false positives (FPs) and no guarantee of attack detection. Anomaly detection must be tailored to the specific organization, so using such a tool requires people highly skilled in cybersecurity, data analysis, and ML. And these priceless employees have to provide 24/7 system support.

The philosophical conclusion we can draw thus far is that AI excels at routine tasks where the subject area and object characteristics change slowly and infrequently: writing coherent texts, recognizing dog breeds, and so on. Where there is a human mind actively resisting the training data, statically configured AI in time gradually becomes less and less effective. Analysts fine-tune the AI instead of creating cyberthreat detection rules — the work domain changes, but, contrary to a common misconception, no human-labor saving is achieved. Furthermore, the desire to improve AI threat detection and boost the number of true positives (TP) inevitably leads to a rise in the number of FPs, which directly increases the human workload. Conversely, trying to cut FPs to near zero results in fewer TPs as well — thereby increasing the risk of missing a cyberattack.

As a result, AI has a place in the detection toolkit, but not as a silver bullet able to solve all detection problems in cybersecurity, or work completely autonomously.

AI as a SOC analyst’s partner

AI can’t be entirely entrusted with searching for cyberthreats, but it can reduce the human workload by independently analyzing simple SIEM alerts and assisting analysts in other cases:

Filtering false positives. Having been trained on SIEM alerts and analysts’ verdicts, AI can filter FPs quite reliably: our Kaspersky MDR solution achieves a SOC workload reduction of around 25%. See our forthcoming post for details of this “auto-analytics” implementation.
Alert prioritization. The same ML engine doesn’t just filter out FPs; it also assesses the likelihood that a detected event indicates serious malicious activity. Such critical alerts are then passed to experts for prioritized analysis. Alternatively, “threat probability” can be represented as a visual indicator — helping the analyst prioritize the most important alerts.
Anomaly detection. AI can quickly alert about anomalies in the protected infrastructure by tracking phenomena like a surge in the number of alerts, a sharp increase or decrease in the flow of telemetry from certain sensors, or changes in its structure.
Suspicious behavior detection. Although searching for arbitrary anomalies in a network entails significant difficulties, certain scenarios lend themselves well to automation, and in these cases, ML outperforms static rules. Examples include detecting unauthorized account usage from unusual subnets; detecting abnormal access to file servers and scanning them; and searching for pass-the-ticket attacks.

Large language models in cybersecurity

As the top trending topic in AI, large language models (LLMs) have also been extensively tested by infosec firms. Leaving aside cybercriminal pursuits such as generating phishing emails and malware using GPT, we note these interesting (and plentiful) experiments in leveraging LLMs for routine tasks:

Generating detailed cyberthreat descriptions
Drafting incident investigation reports
Fuzzy search in data archives and logs via chats
Generating tests, test cases, and code for fuzzing
Initial analysis of decompiled source code in reverse engineering
De-obfuscation and explanation of long command lines (our MDR service already employs this technology)
Generating hints and tips for writing detection rules and scripts

Most of the linked-to papers and articles describe niche implementations or scientific experiments, so they don’t provide a measurable assessment of performance. Moreover, available research on the performance of skilled employees aided by LLMs shows mixed results. Therefore, such solutions should be implemented slowly and in stages, with a preliminary assessment of the savings potential, and a detailed evaluation of the time investment and the quality of result.

Kaspersky official blog – ​Read More