Think of cybersecurity like your personal health. In cybersecurity, basic cyber hygiene foils most cyber attacks. With a shortage of cyber experts, just as in medicine, finding faster and better ways to train practitioners using real-world scenarios is key. However, artificial intelligence (AI) for cybersecurity can improve a team’s response by triaging threats on its own.

AI for Cybersecurity Means Finding the Patterns

The medical field is similar to cybersecurity for AI in other ways, too. The medical field’s process of studying and diagnosing the patient is often well-structured, but siloed. Digital defense experts know the playbook of attacks well, just like doctors know the symptoms and signs of most diseases.

What’s different is the rate of fire. In medicine, under most conditions doctors have time to triage, and the number of patients does not overwhelm them. In cybersecurity, data constantly barrages analysts. Effective triage sets up a team for improved defenses.

This is why we are researching new ways of using AI for cybersecurity and deep learning tools, so developers can use both to build effective models for threat triage. Right now, there is a big gap in the AI defense landscape when it comes to true behavior-based threat analysis.

A handful of agent-based AI threat analysis platforms do exist. However, they may be limited to the major operating system platforms. This fails to cover hosts running less used and older, but still crucial, platforms. For example, they may not be able to work with the Unix family (HPUX, AIX and Solaris) or consumer devices that have network access but are not yet considered inside-the-perimeter devices. In contrast, the AI can only cover threat triage well if it scans behavior across all relevant readings regardless of host.

Teaching an AI Threat Disposition System

During threat disposition, an analyst or automated system needs to quickly assign an alert to one of three statuses. The first status involves behavior that is likely to be benign and not worth checking out. The second status refers to behavior that may or may not be dangerous and requires further study to tell whether it’s safe. The third status shows an attack, requiring action right away. Over time, these exercises may lead to policy changes. Those might be changes to security controls and stances.

One major hurdle for AI and cybersecurity in threat triage is the volume and types of training data. Deep learning systems need high volume of data to generate good results. In the case of cyber triage, humans must guide deep learning systems in order to generate smart decisions. That’s because so many of these decisions are still judgment calls by nature. Context and history drive a lot of the decisions made in threat triage. Humans need to train the AI in order to convey how to make these decisions.

How to Teach AI to Triage

Cyber attack simulation systems can help create more teaching data, enabling AI for cybersecurity to work effectively. Here’s how it works:

  • Set up a test production landscape complete with hardware, software and network assets, as well as security controls
  • Queue up a large volume of real-world verified attack playbooks to run against it
  • Export the indicators of compromise (IOC) or contents of system alerts to human experts
  • Triage the alerts and IOCs as either benign, possibly malicious, or confirmed malicious

This system will enable faster training without needing actual live alerts. By creating a higher volume of alerts flagged by humans, the AI can acquire data at 10 to 20 times the rate possible using organic data. Equally important, cyber attacks tend to come in similar waves. For example, there are a lot of ransomware attacks right now. In the past, there were more database breaches or supply chain compromise attempts. Live data does not tell the whole story. So using real-world attacks to train AI models helps create balanced coverage across a wider range of potential attack types.

Detect Multiple Types of Attacks

In addition, AI for cybersecurity models are able to simulate both single and composite attack types. To respond to a single-machine attack, you need to look at telemetry, endpoint detection and response and status on a single machine or a group of similar machines that attackers are hitting in the same way. A composite attack, on the other hand, is when the attacker targets a cloud host, a device or hardware host and/or a network agent. The attackers may exploit one, two or all three of these attack paths. Or they may try to breach one of the hosts and traverse to a network. They might connect hosts over a network and then back out to an external command and control server.

To train the AI model, you need to simulate as many attack path options as possible and do so quickly. Deep learning can study all of the inbound attack path data fed by the human analysts and begin to recognize attack patterns.

From AI Triage to AI Response

A logical end result of AI for cybersecurity would be to move beyond automated triage to automated remediation and response. This would only trigger when confidence that an attack is underway is high. For example, the threat disposition engine could trigger an action if it detects the signature of a known attack type.

It’s key to avoid false positives. Trying to fix them could cause operational issues by abruptly shutting down production systems, stalling service delivery and degrading customer experience. For this reason, moving to automated attack response requires rock-solid belief in the AI model paired with rapid escalation to human analysts. Once you can trust AI for cybersecurity to be accurate, you can change the game by reducing incident response times. This also requires deep integration with SOAR and SIEM systems to ensure a closed-loop response.

This appears to be the future of threat triage, and AI for cybersecurity can make a meaningful difference in improving broad security posture.

Learn why IBM Security is recognized as a leader in managed security services, combining AI, threat intelligence and response to deliver better security outcomes.

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read