AI in Cybersecurity — A CISO’s Perspective

Mar 06, 2024
8 minutes

Niall Browne – AI in Cybersecurity


“AI’s Impact in Cybersecurity” is a blog series based on interviews with a variety of experts at Palo Alto Networks and Unit 42 with roles in AI research, product management, consulting, engineering and more. Our objective is to present different viewpoints and predictions on how artificial intelligence is impacting the current threat landscape, how Palo Alto Networks protects itself and its customers, as well as implications for the future of cybersecurity. Niall Browne discusses the current and future landscape of artificial intelligence (AI) in cybersecurity with us.

As AI technology matures and proves its worth, it is set to revolutionize the way security professionals approach their roles and responsibilities. This is not hyperbole, but rather a credible assessment of the daily outcomes experienced in our own security operations and with our customers who benefit from deploying our AI-driven solutions. In a candid interview with Niall Browne, CISO of Palo Alto Networks, we explored the profound impact of artificial intelligence on the current and future landscape of cybersecurity.

AI's Journey in Cybersecurity

While AI is not a novel concept, its full potential is finally becoming a reality with the democratization of tools, such as generative AI. As such, there has been a noticeable shift as AI has seemingly entered the mainstream, available to anyone with access to a keyboard and an internet connection. And Browne envisions even more tectonic changes on the way.

Adversaries are already continually examining the tools used by organizations and exploring ways to leverage AI to compromise their targets. This battle will remain a nonstop game of cat-and-mouse for the next 5 to 10 years. Both defensive and offensive teams are constantly recalibrating their strategies and techniques, trying to one-up each other, but this game will look different as AI evolves.

AI-powered adversaries don’t have the same limitations as humans. They never sleep or take breaks. They don’t get distracted. They can move at machine speed. They can multitask in ways humans can’t. AI can exploit vulnerabilities, move laterally, and compromise multiple targets simultaneously, posing a significant threat to organizations.

We have seen similar changes in financial markets with high-frequency trading, where technology advancements led to millisecond interactions. In a world of AI, cybersecurity will transition from humans dealing with threats over days to AI handling them in milliseconds.

Bolstered by AI’s capabilities, the path from initial compromise to data theft can now be completed in hours. Coordinated wide-scale attacks are happening concurrently. And attackers are increasingly showing a deep understanding of how business processes work. This all leads to an unprecedented increase in security events and breaches. The relentless advancement of technology, coupled with the creative minds of malicious actors, paints a potentially grim picture for the cybersecurity landscape. Attacks are already increasing in “speed, scale and sophistication,” according to Wendi Whitmore, SVP, Unit 42.

That said, Browne sees an inflection point occurring right now where AI is being applied effectively to detect and respond to cyberthreats before they can cause harm. This transformation is akin to the paradigm shift that occurred when organizations embraced cloud computing. Browne elaborates on that comparison:

“The power of AI will be transformative for cybersecurity teams. We're now seeing the real potential for AI to detect attacks as they occur, and then to help the systems recover from those same attacks. I am certainly seeing there's a huge undertaking from cybersecurity teams to start embracing AI, similarly to the journey 6 or 7 years ago, when enterprises started embracing the move to the cloud.

I think AI will totally transform the way cybersecurity teams operate within their organization, from the security operations center, to application security teams, and beyond.”

Understanding the Importance of Metrics in Security

Looking at the current state of technology, Browne details key performance metrics for evaluating the effectiveness of AI-powered solutions in cybersecurity. Metrics are crucial to understanding how to improve processes and where there are security gaps. But, he dismisses the idea of mean time to close as a top metric, comparing it to call center practices where the aim is to quickly end calls. Instead, he prefers to focus on metrics related to systems and AI capabilities:

  • Percentage of Systems Logged and Data Ingested: Tracking how much data is ingested from various systems.
  • False Positives and True Positives Rates: Ensuring a balance between accurate alerts (true positives) and avoiding unnecessary alerts (false positives).
  • Mean Time to Detect: The time taken to detect an incident once it occurs. Browne’s goal is a swift 10-second detection time.
  • Mean Time to Respond: Measuring how quickly the security team responds to an incident, aiming for a 10-minute response time.

These metrics enable organizations to assess the efficiency and effectiveness of their cybersecurity operations. Browne also highlights the ease of comparing these metrics when transitioning from legacy SIEM (security information and event management) systems to AI-based SIEM, allowing for clear ROI calculations. Palo Alto Networks Cortex XSIAM® is quickly demonstrating its prowess in handling data that can be ingested and integrated to feed machine learning, analytics and automation. Its SOC ingests over 1 trillion events per month, nearly 40 billion per day, and intelligently groups and analyzes alerts, resulting in only eight incidents a day on average in need of human investigation.
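To make the four metrics concrete, here is an added example (not from the interview or from any Palo Alto Networks product) that computes them from constructed alert records, using Browne’s 10-second detection and 10-minute response goals as the pass/fail thresholds. Record fields, system names and timestamps are all assumptions invented for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional


@dataclass
class AlertRecord:
    source: str                     # log source (system) that raised the alert
    occurred: datetime              # when the suspicious activity actually began
    detected: datetime              # when the SIEM raised the alert
    responded: Optional[datetime]   # when a responder acted; None if still open
    true_positive: bool             # analyst verdict after investigation


def mean_time_to_detect(records: List[AlertRecord]) -> float:
    """MTTD: mean seconds from activity start to alert, over all alerts."""
    return mean((r.detected - r.occurred).total_seconds() for r in records)


def mean_time_to_respond(records: List[AlertRecord]) -> float:
    """MTTR: mean seconds from alert to response; open alerts are excluded,
    and an empty set counts as infinitely slow so it never passes a target."""
    closed = [r for r in records if r.responded is not None]
    if not closed:
        return float("inf")
    return mean((r.responded - r.detected).total_seconds() for r in closed)


def alert_precision(records: List[AlertRecord]) -> float:
    """Share of alerts confirmed as real; 1 - precision is the false-positive share."""
    return sum(r.true_positive for r in records) / len(records)


def log_coverage(records: List[AlertRecord], inventory: List[str]) -> float:
    """Fraction of inventoried systems that actually show up as a log source."""
    seen = {r.source for r in records}
    return len(seen & set(inventory)) / len(inventory)


def meets_targets(records: List[AlertRecord], detect_s: float = 10, respond_s: float = 600) -> bool:
    """True when MTTD <= 10 s and MTTR <= 10 min (the goals named in the interview)."""
    return mean_time_to_detect(records) <= detect_s and mean_time_to_respond(records) <= respond_s


# Constructed sample data (assumption): three alerts, one still open, one a false positive.
T0 = datetime(2024, 3, 6, 9, 0, 0)
SAMPLE = [
    AlertRecord("edr-host-01", T0, T0 + timedelta(seconds=8), T0 + timedelta(minutes=4, seconds=8), True),
    AlertRecord("fw-edge-02", T0 + timedelta(minutes=5), T0 + timedelta(minutes=5, seconds=12), T0 + timedelta(minutes=11), False),
    AlertRecord("idp-sso", T0 + timedelta(minutes=20), T0 + timedelta(minutes=20, seconds=6), None, True),
]
INVENTORY = ["edr-host-01", "fw-edge-02", "idp-sso", "db-prod-03"]  # db-prod-03 sends no logs
```

Running the functions over SAMPLE gives an MTTD of about 8.7 s, an MTTR of 294 s, a precision of 2/3 and 75% log coverage, so the targets are met while the coverage figure still flags the silent database host.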

“In the case of Palo Alto Networks, we use XSIAM and we leverage that on a day-to-day basis to go through approximately 75 TB gigabytes of data. And, that's allowed us internally to achieve a result of a mean time to detect of 10 seconds, and then a mean time to respond of 1 minute.”

Graph of what our SOC has achieved with Cortex XSIAM

The Exponential Growth of AI in Cybersecurity

With the advent of AI and more automation, there is a shift away from traditional, four-tiered SOC structures, where human analysts handle most tasks, toward a model where AI takes over the initial triage and analysis.

Browne agrees with this evolution and shares that, in his vision, the lower tiers of a SOC (Tier 1, 2 and 3) will be primarily AI-driven, while human analysts will focus more on Tier 4 tasks. At Palo Alto Networks, Browne notes that we've eliminated lower SOC layers, creating a more dynamic workforce of specialists. This shift allows SOC analysts to concentrate on more engaging and valuable tasks, like threat hunting, ultimately leading to higher levels of job satisfaction and lower levels of attrition.

As organizations increasingly embrace AI for cybersecurity, we are witnessing a profound transformation across various facets of the industry:

AI Data Concentration Risk: Internal AI systems will have access to a treasure trove of highly confidential information. This data concentration risk will ensure that AI becomes the top target for hackers. As such, organizations will need to deploy significant resources to ensure these AI systems are deployed and secured appropriately, from the start. To add to the complexity, some AI security controls may be nascent, and as such, compensating controls will become critically important.

Shift Left for Security: The concept of “shift left” in security emphasizes addressing vulnerabilities at the earliest stage of the development process (i.e., before they are introduced). With AI assistance, developers can receive real-time feedback on potential security issues, leading to more secure code and infrastructure. This shift-left approach ensures that security is not an afterthought but an integral part of the development process.

Security Operations Transformation: AI is poised to have the most significant impact on security operations. Security operations centers (SOCs) are currently overwhelmed by the sheer volume of alerts and incidents. AI-driven solutions can sift through vast amounts of data, prioritize threats, and significantly reduce false positives. This enables SOC teams to focus on high-value tasks, such as threat hunting and research, as opposed to low-value alerts. In fact, the Palo Alto Networks SOC spends just a third of its time on alerts, freeing the rest for much higher-value work.

Reshaping Security Analyst Roles: With AI handling routine tasks, security analysts can evolve into high-value resources. They can dive deep into data analysis, threat intelligence and proactive threat hunting, driving overall security maturity within organizations.

The AI-Driven Future Looks Bright

Browne predicts that AI will transform the cybersecurity landscape in the next few years, delivering value that exceeds expectations. It's not just about potential; it's about real-world applications. AI is set to become an indispensable tool in the security arsenal, exponentially improving efficiency and effectiveness.

Imagine a world where AI serves as a co-pilot to developers, offering real-time guidance on secure coding practices. Envision security operations teams with drastically reduced alert fatigue, focusing on the most critical threats. Picture a security landscape where the attacker's job becomes exponentially more challenging due to AI-powered defenses. It’s a future ripe for possibilities, and Palo Alto Networks is leading the charge with AI-driven products such as Cortex XSIAM and the whole Cortex suite of products.

AI is not just a buzzword but a tangible force shaping the future of cybersecurity. As organizations adopt AI-driven security solutions, they will experience a significant transformation in their security posture. With AI as a co-pilot, we are on the cusp of a more secure digital world, riding shotgun with some pretty cool tools. And as technology advances, defenders and organizations must adapt rapidly to stay ahead of the ever-more-sophisticated adversaries they face.

Learn More About AI’s Impact on Cybersecurity

Attend Symphony 2024, April 17-18, to explore the latest advancements in AI-driven security, where machine learning algorithms predict, detect and respond to threats faster and more effectively than ever. Register today!
