Artificial intelligence is well on its way to disrupt the world of cybersecurity, but some areas of cybersecurity are more ripe for early disruption than others.

In a recent survey by Insight Partners, security operations (along with AppSec) was ranked as the No. 1 cybersecurity area where chief information security officers are looking to implement generative AI to deliver better outcomes. This comes as little surprise, as AI excels in some of the complex and resource-intensive challenges that have been plaguing security operations for decades, namely: 

• Anomaly and threat detection: Security operations teams must effectively analyze and interpret increasing volumes of data to identify potential threats that require investigation.
• Toil: The abundance of manual and repetitive tasks in security operations negatively impacts both the quality of work and the morale of the security operations team.
• Talent shortage: Experienced security operations professionals are difficult to hire and retain, making technologies that empower less experienced staff to perform complex tasks highly valuable.

Five practical use cases for AI in security operations

Though it’s still early days for AI in security, generative AI is already delivering tangible benefits to security operations teams. Here are five use cases that illustrate the practical applications of AI in security operations:

1. Summarization

If there is one thing security teams never have enough of when responding to an alert or incident, it’s time. But understanding the lay of the land typically requires sifting through vast amounts of data. 

AI can automatically generate concise summaries of security incidents, providing analysts with a quick overview of the situation. This saves valuable time and enables faster triage. In addition, analysts can ask AI assistants to summarize information on-demand. For example, AI can summarize the latest threat intelligence report, or summarize the list of actions taken to address an incident to create an incident report.

Summarization is not limited to initial orientation. For example, let’s say a specific search query returned 10,000 results — AI can quickly generate a summary of these results to help analysts see the forest through the trees.

2. Investigation

Investigation is usually the most time-consuming aspect of security operations. Understanding what and how to investigate is far from trivial, and it also often requires generating complex search queries. 

AI can assist investigations by enabling natural language search prompts. (Think of prompts that enable defenders to quickly identify anomalous behavior, such as “Show me all users from ‘x’ region who visited ‘xyz’ site last week outside of working hours.”) This eliminates the need for analysts to master complex search syntax, making even junior analysts more effective. More advanced AI assistants can even recommend next steps for an investigation, or automatically surface additional context that the AI model believes is useful for a specific case.

3. Threat hunting

Threat hunting is a complex function that has historically been reserved for highly skilled and mature security operations teams. Threat hunting is complex because it requires a deep understanding of the threat landscape, coupled with an understanding of how to actually hunt for a threat.

AI can make threat hunting more accessible, as it can proactively hunt for threats by identifying patterns and anomalies that might indicate malicious activity. This is especially powerful when AI integrates with a threat intelligence tool to understand the threats, tactics, techniques and procedures, or TTPs, and indicators of compromise, or IOCs, used by threat actors and combines it with a company’s specific security telemetry. A simple prompt such as “Hunt for Makop ransomware on my network” can proactively search and uncover IOCs and TTPs in your data that are known to be associated with this attack.

4. Detection/response engineering

Creating detection rules and writing playbooks is another SecOps task that has typically been reserved for expert security engineers. It requires mastering the scripting language used by a specific platform, as well as an understanding of what you need to actually detect.

Generative AI can create detection code or playbooks to address new threats. Simply using a prompt such as “Build a detection rule for this case” allows advanced AI assistants to understand the context of the case and create a detection rule to uncover future instances of it. Similar to code generation in other disciplines, don’t expect 100% perfect code right out of the box. But even if AI takes you 70% to 80% of the way, it can be a productivity game-changer.

5. Malware analysis

If threat hunting was historically limited to advanced security operations teams, reverse engineering malware is truly the domain of a handful of elite defenders. Thanks to increased token windows and improved large language models, AI has proved to be extremely effective at malware analysis. For example, advanced AI models were able to reverse engineer complex malware in under a minute — giving security analysts instant insight on how a piece of malware operates and, in certain cases, providing clear and actionable information on the malware’s “kill switch.” 

Fostering an AI culture

The use cases outlined above are delivering tangible results for security operations teams today, but we’re naturally in the early days of AI, and use cases will undoubtedly evolve as the technology matures. What security teams should start doing today is fostering a culture of AI, and think how they can integrate AI into detection, investigation and response workflows. Here are some easy steps to get started:

• Provide AI training and education: Equip your team with the knowledge and skills needed to understand and utilize AI tools effectively.
• Encourage experimentation and innovation: Foster a safe environment where team members can explore new AI applications and solutions without fear of failure.
• Demonstrate the value of AI: Showcase real-world examples of how AI can improve cybersecurity outcomes and make their jobs easier.

The evolution of AI promises to unlock new levels of efficiency, accuracy and proactive defense in the ongoing battle against cyberthreats. As the saying goes, the best time to start was yesterday, the second best time is now.

With more than 20 years of experience in the cybersecurity arena, Chris Corde works as a director of product management at Google, where he runs the Security Operations PM team, which includes Chronicle, Siemplify, VirusTotal and Mandiant. He wrote this article for SiliconANGLE.

Image: kanawatTH/Canva