Will Generative AI drive generational changes in SOCs?

Published 18 August 2023 (2025-09-17T14:05:54.195+02:00)
Machine learning solutions have already proven valuable, but Generative AI will be game changing – both in defence and attack

I have to admit to being slightly proud of how infantile the human race can be by taking a transformative leap in technology like Generative AI and immediately using it to make Johnny Cash cover Barbie Girl, and Elvis do an equally amazing cover of Sir Mix-A-Lot’s legendary one-hit wonder Baby Got Back.

I’m certain that the impact of quantum compute on cryptography will turn out to be a greater existential threat than Generative AI, but in the immediate term it’s the latter that will be game changing for Security Operations Centres (SOCs). That’s both good and bad for those of us working in them.

Moving beyond ML

Well-crafted machine learning (ML) allows inference from vast quantities of data at a rate that far exceeds what humans could infer, and it is a well-proven and well-understood science. These atomic ML solutions are useful, but they still require human tasking at inception and after reporting. They are not game changing. They are accelerators that also make it possible to exploit some opportunities that would otherwise be missed.

Generative AI, however, really is game changing. If attacking a company can become as simple as…

“search LinkedIn for the most important members of ACME Co., and every day feed 30 phishing emails crafted in the writing style of their CTO to those people. Also, feed 10 unique CVs created for each open role found in LinkedIn to their recruitment portal using this [malware compromised] template, and keep my dashboard updated every minute on progress of incoming connections from these people”

…then the world really has changed.

Indeed, you could say “generate me a unique attack profile based on the historical success for other NASDAQ FinTech companies and run it”, and the algorithm could generate the brief itself!

From a defender’s point of view, it’s not quite so great. The threat landscape is changing at pace, and Generative AI is one part of this. SOCs will need to be able to support defence in this new landscape. An attacker has an organisation’s whole technical and human scope to exploit and experiment with proactively. Attackers can launch an unlimited number of intrusions, and they need only one success.

Organisations will therefore have to be far more resilient to intrusions as a whole, and not dependent on SOCs as the first and last lines of defence.

Counter-AI technologies will be crucial – for example to detect when a phishing email is written by ChatGPT or a human. But will those have to be AI powered too? That feels like a nice little arms race for start-ups to play with, so it’s going to be interesting to see how this area develops over the coming years.

Putting AI to work

For me, vulnerability exposure and automated triage present the greatest opportunity for intelligent AI-powered defence. Anomaly detection tools can already highlight when traffic deviates from the baseline, indicating unusual behaviour. However, such complex data sets, built upon fragile baselines, will never get close to the confidence levels required for blind trust, and would implode in any SOC that attempted human-less automation. The human’s value comes from interpreting such alerts and deciding how to respond.

But, what if Generative AI could form a hypothesis that is based on the mass of vulnerability data available to it, and historical experience of a world full of analysts working on similar threats? In this scenario, across complex infrastructures like energy sectors, transport, smart cities and digitised militaries where there are a huge number of highly complex industrial and operational technology (OT) systems, an almost impossible depth of defence becomes imaginable.

Such journeys start with small steps. We have a decade of SOC logs. We have a populated case management tool. We have a decade of threat intelligence deep-dive reports and supporting data. Could we set OpenAI up to absorb all that data and use it to provide an analyst with automated enrichment of alerts, attaching insight into how new events relate to historical activity?

That feels possible (and I intend to try it soon), and that alone is a big step in how Generative AI could benefit SOCs right now.
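As an added illustration of the enrichment step described above (my example, not the author’s or BAE Systems’ code), the script below takes a new alert and retrieves the most related historical cases from a constructed case-management history, scoring on shared indicators and on the analyst’s closing notes, then returns the prior verdicts and a context block an analyst or a generative model would be handed. The indicator-overlap scoring is a deliberately simple stand-in for whatever retrieval the real system would use; the case IDs, indicators and summaries are invented sample data.

```python
# Retrieval-based alert enrichment over historical SOC cases (constructed sample data).
from collections import Counter
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Case:
    case_id: str
    summary: str            # analyst's closing note from the case management tool
    indicators: frozenset   # IPs, domains, hashes, usernames recorded on the case
    verdict: str            # "true_positive" or "false_positive"


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0


def score(alert_text, alert_iocs, case):
    # Shared indicators are strong evidence of relatedness; shared wording is weaker.
    return 0.7 * jaccard(frozenset(alert_iocs), case.indicators) \
         + 0.3 * jaccard(tokens(alert_text), tokens(case.summary))


def enrich(alert_text, alert_iocs, history, k=3, min_score=0.1):
    scored = sorted(((score(alert_text, alert_iocs, c), c) for c in history),
                    key=lambda sc: sc[0], reverse=True)
    related = [(c, s) for s, c in scored[:k] if s >= min_score]
    verdicts = Counter(c.verdict for c, _ in related)
    context = "\n".join(f"- {c.case_id} [{c.verdict}] (score {s:.2f}): {c.summary}"
                        for c, s in related) or "- no related historical cases"
    return {
        "related": [(c.case_id, s) for c, s in related],
        "prior_verdicts": dict(verdicts),
        # Mixed prior outcomes mean the history cannot settle this alert on its own.
        "conflicting": len(verdicts) > 1,
        "context": context,
    }


HISTORY = [  # constructed historical cases, not real incidents
    Case("SOC-2019-0412", "Phishing email with credential harvesting link sent to finance team",
         frozenset({"evil-login.example", "10.0.0.5"}), "true_positive"),
    Case("SOC-2021-0077", "Vulnerability scanner traffic from internal 10.0.0.5 triggered IDS",
         frozenset({"10.0.0.5"}), "false_positive"),
    Case("SOC-2022-1130", "Malware-laden CV uploaded to recruitment portal",
         frozenset({"cv-template.docm"}), "true_positive"),
]

if __name__ == "__main__":
    result = enrich("IDS alert: unusual outbound traffic from 10.0.0.5", ["10.0.0.5"], HISTORY)
    print(result["context"])
    print("conflicting prior verdicts:", result["conflicting"])
```

The second sample alert retrieves both a true positive and a false positive on the same host, which is exactly the case where the enrichment should hand the decision to an analyst rather than auto-close.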

Chris Holt, Government Pre Sales Specialist, Cyber, BAE Systems Digital Intelligence