Artificial Intelligence — Beyond the Algorithms

Sep 26, 2023
6 minutes
... views

In Episode 6 of “This is How We Do It,” Peter Havens, from Cortex product marketing, continues the interview series. He sits down with Yoni Allon, VP Research, to discuss how Palo Alto Networks leverages artificial intelligence (AI) to enhance cybersecurity in our SOC.

Palo Alto Networks stands as a cybersecurity stalwart, safeguarding the network and security environments for nearly one hundred thousand organizations across the globe. Given the dynamic threat landscape, Yoni and his team employ a multifaceted and proactive approach to fortify their defenses. In this interview, we peek a bit under the hood to learn more about the role AI plays in defending our own security operations center (SOC), our customers’ data and how we utilize AI to adapt and enhance the efficiency of blocking and detecting malicious activities.

It’s a brave, new world, but in a good way.

Defining “Artificial Intelligence” in Cybersecurity

Yoni opens the conversation by offering his perspective on what constitutes artificial intelligence within the purview of cybersecurity. He defines AI as “any algorithm capable of adapting to new data and evolving to accommodate these changes.” Crucially, AI possesses the ability to handle vast and complex datasets, making it a powerful tool for efficiently detecting and mitigating evolving cyberthreats. This distinction helps set the stage for understanding the significance of AI in modern cybersecurity. Yoni shares more about the differences between AI and machine-learning (ML), which are often (and somewhat erroneously) used interchangeably:

“And there's a distinction here between AI and machine learning or ML, or ML specifically is not just any algorithm that adapts to new data. It's a specific algorithm that was generated by another algorithm, meaning that you push data into an algorithm and that results in a new algorithm that can potentially adapt to new data as it comes. And that's where the differentiation lies. So, AI might be man made, might be machine made, right? But, the general broad term is, you know, still AI.”

The Data-Driven Nature of Modern Security Challenges

As Yoni points out, the nature of security threats has evolved dramatically. Traditional security approaches relied on human experts crafting signatures – a specific pattern that allows cybersecurity technologies to recognize malicious threats – and to counter specific threats. However, with the exponential growth of attacks and data, as well as the need to protect against diverse threats, AI has emerged as a critical asset. AI's data-processing capabilities empower it to tackle contemporary challenges where traditional human-centric approaches fall short. The immense volume of data ingested daily by Cortex XSIAM in our SOC highlights how AI can analyze and detect potential threats that may otherwise go unnoticed.

Notably, a common customer pain point is the inability to analyze or contextualize ingested data. With XSIAM, Yoni and his team can normalize data and stitch different points of view (POVs) of the same event into a single, augmented log line that tell the story of the activity, and then use this data in the analytics engine and make it available for querying via XQL.

That said, Yoni emphasizes that AI isn't a standalone solution but a collaborative effort – it merges the expertise of security professionals, data scientists and technology to create a formidable, yet balanced defense.

AI in Action: Anomaly Detection and Supervised Learning

Palo Alto Networks deploys AI across its Cortex suite to address various aspects of cybersecurity. Anomaly detection, a crucial aspect of AI, takes on a different dimension here. Yoni explains that conventional anomaly detection falls short because it often flags non-malicious activities as anomalous, leading to information overload. To overcome this, Palo Alto Networks employs supervised learning, creating models that classify and prioritize incidents based on labeled data. This approach focuses on finding the fine line between benign and malicious activities, ensuring a more precise and effective detection mechanism. Yoni explains further:

“So firstly, every model that we do release has a security person and a data scientist looking at the results, understanding if they're good enough, validating that it makes sense. And that's why using supervised learning makes more sense.”

Risk Prioritization with AI

Another key application of AI within Cortex is risk prioritization. By harnessing data and AI capabilities, Palo Alto Networks helps security analysts efficiently allocate their time to investigate the most critical incidents. The AI-driven risk prioritization model sifts through vast datasets and highlights incidents with the highest potential risk, streamlining the investigative process. Alert fatigue and endless false positives are no joke, and advancements in AI hold great promise to alleviate this all-too-common bane to security analysts to save time.

Building Trust in AI-Driven Decision Making

Trust in AI-driven decision making is paramount. To build confidence in the AI's recommendations, Palo Alto Networks employs a meticulous approach. Each AI model undergoes scrutiny from both security experts and data scientists. Additionally, the Cortex platform provides visibility into the reasoning behind AI-generated scores, enabling analysts to comprehend and validate the decisions made by the AI.

Lastly, the interview touches on the evolving landscape of AI, particularly large language models (LLMs). These models have the potential to revolutionize aspects of cybersecurity, such as data loss prevention and phishing detection, by enhancing natural language understanding, improving email filtering and identifying phishing emails more accurately.

However, they also raise concerns, as they can empower less experienced attackers to create sophisticated malware. While LLMs have the potential to streamline security operations and improve productivity, their impact on the cybersecurity landscape remains a topic of ongoing discussion. Delving further into the subject, Peter asks Yoni for his take on LLMs; whether it’s all hype, if he’s investigating it more, and what he sees happening down the road:

“That's a big question. I think you can split it into a couple of parts. First is, let's say the core security issues of creating new detections, solving core security problems. I think that there's some merit. There's some use for example of DLP (data loss prevention) or phishing, there's a lot of potential uses there. I think it's gonna revolutionize that in those industries. And I think for other things, people are maybe expecting this to change the way malware detection is working. I'm not as convinced, or at least not convinced yet that this is going to do that. In the second part, there's generating attacks and generating malware. And, and I think there, again, when you go to phishing emails, it's doing an amazing job at generating those things. And generating malware is something that I think a lot of people are actively investigating.”

In conclusion, Palo Alto Networks proactively embraces AI in its cybersecurity strategy to exemplify the industry's ongoing transformation. By harnessing AI's capabilities in anomaly detection, risk prioritization and beyond, Palo Alto Networks is not only safeguarding its own infrastructure but also leading the charge in enhancing security for countless organizations worldwide. The collaboration between security experts and data scientists, combined with a commitment to transparency, ensures that AI-driven decisions are both effective and trustworthy in the battle against cyberthreats.

Watch their full interview on our Cortex YouTube channel.

Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.