Let AI Handle the Heavy Lifting in the Modern SOC

Mar 13, 2024
7 minutes
1654 views

Donnie Tindall – AI Revolutionizes Cyberthreat Defense

00:00 00:00

“AI’s Impact in Cybersecurity” is a blog series based on interviews with a variety of experts at Palo Alto Networks and Unit 42, with roles in AI research, product management, consulting, engineering and more. Our objective is to present different viewpoints and predictions on how artificial intelligence is impacting the current threat landscape, how Palo Alto Networks protects itself and its customers, as well as implications for the future of cybersecurity. In our interview with Donnie Tindall, we discuss how AI is altering our cyberthreat defense strategy.

The cybersecurity field is experiencing a paradigm shift as artificial intelligence (AI) emerges as a game-changer. Innovation is happening on the daily with both defenders and attackers alike deploying AI into unseen territories, testing to see what’s possible. It’s like a penetration test on steroids. It’s a new frontier fueled by ones and zeros, wielded by those who wish to protect or those who desire to do damage.

To delve into this fascinating territory, we spoke with Donnie Tindall, a seasoned expert at Unit 42 Security Consulting. His unique perspective sheds light on how AI is revolutionizing the way we defend against cyberthreats, presenting both exciting possibilities and ongoing challenges.

AI on the Front Lines

Donnie's work primarily focuses on utilizing AI to combat web scraping, where malicious actors harvest data from websites. The key lies in AI models that analyze web traffic, flagging suspicious patterns that indicate data extraction attempts. However, the power of AI extends beyond mere detection. Donnie emphasizes the crucial role of human review in ensuring accuracy and minimizing false positives. This human-AI partnership, where machines handle the heavy lifting and humans provide expert oversight, strikes a vital balance in the fight against cybercrime. He explains a little of his process:

“We focus on the web scraping piece of it. So, engineers built a set of models to look at… inbound web traffic to their website and determine, ‘Is this user scraping our data?’ They did a lot of modeling on what that sort of behavior should look like.

After about 6 months, they realized these models were making tons and tons of decisions over time, but they had no idea if they were the right decisions. So, they actually brought us in to do what they refer to as ‘human review,’ where we sample subsets of these AI models’ decisions and determine, ‘Was this the right call? Is this user scraping or is this a benign activity?’

We help categorize and feed those back into the model over time to help it learn and change its detections and decisions. So, my kind of hot take, if you will, is that obviously there's lots of chatter everywhere all over the internet about the jobs that AI is going to replace. But …it's also going to create some new categories of jobs that we may not have considered… somebody has to keep these things on the rails and make sure they're doing what they're supposed to do.”

Automating the SOC

Security operations centers (SOCs) are the nerve centers of cybersecurity. They’re monitoring for and responding to threats, teeming with copious amounts of data from numerous and often disparate sources. Traditionally, managing a SOC has been a labor-intensive process, with analysts sifting through mountains of alerts, determining which were critical and needed immediate attention, and which were false positives. This is a mind-numbing exercise, repeated ad infinitum by security analysts struggling to stay ahead of the deluge.

With SOC teams receiving an average of 11,000 alerts per day, according to Forrester Research, security analysts are often plagued with burnout. In a report by the Ponemon Institute that assessed the performance of SOCs, it was revealed that 65% of IT security operations personnel admitted that the stress levels within the SOC environment had led them to contemplate switching careers or leaving their current jobs. Additionally, 66% of the survey participants expressed a high likelihood that seasoned security analysts would decide to resign from their SOC positions.

Thankfully, AI is transforming the SOC landscape by automating mundane tasks like alert triage, allowing even smaller SOC teams to handle large workflows (not possible in the past) with limited manual and siloed tools. Imagine the AI handling the initial sorting and identifying the most critical threats for human analysts to focus on. This frees up valuable resources, allowing security professionals to delve deeper into complex investigations and implement effective countermeasures.

With Cortex XSIAM®, artificial intelligence plays a pivotal role, particularly in the intricate process of data stitching. This critical procedure involves the aggregation of data from various threat vectors, the grouping of diverse events, and the presentation of these events as a coherent incident narrative.

Image depicting Cortex XSIAM: bringing it all together.
Cortex XSIAM is the AI driven security operation center platform that brings together security data from across the enterprise, network, endpoint, identity, cloud and attack surface.

Without the power of AI, this task presents a formidable challenge. In the absence of AI, security analysts would find themselves manually navigating through multiple product consoles to collect data, and often suffering from “swivel-chair syndrome.” Subsequently, they would painstakingly compile this information, often resorting to notepads or Excel spreadsheets. This workflow would then require them to meticulously analyze the data to identify the underlying thread connecting these events. Such a manual approach would not only be time-consuming but also inefficient in swiftly detecting issues and proactively addressing security concerns.

A Glimpse Into the Future

The integration of AI into cybersecurity is still in its early stages, but the future holds immense potential. Donnie paints a captivating picture of possibilities. Imagine an AI-powered internet traffic cop, who analyzes global web traffic in real time and automatically blocks identified attacks before they reach their targets. This centralized defense system could be a game-changer in the fight against cybercrime.

However, Donnie also acknowledges the challenges that lie ahead. As attackers become more sophisticated, they will undoubtedly learn to exploit the vulnerabilities of AI models. The arms race between attackers and defenders will continue, with AI serving as a powerful tool on both sides.

Answering the question: “What types of cybersecurity threats or attacks do you think AI powered systems are particularly effective at detecting and preventing?” Donnie responds:

“I would imagine right now, a lot of that is going to be in the known vulnerabilities and exploits, like what CVEs have been documented. Obviously you can dump the entire MITRE database into a learning model and detect any of those attacks. What I expect the struggle to continue to be, as it already is without AI, is the zero-day attacks or the stuff that just hasn't been prevalent enough to be broadly analyzed and torn apart and figured out how it works. I think that's going to be the real power of the AI…to help us find those in the wild.”

Navigating the AI Frontier

As we embrace AI in cybersecurity, it's crucial to recognize that it's not magic. Human expertise remains irreplaceable, providing the strategic direction and critical thinking that AI currently lacks. The key lies in building a strong partnership between humans and machines, harnessing the strengths of each to create a robust and adaptable defense against ever-evolving cyberthreats.

How frequently do we need to check in, and how frequently is too unreasonable to expect for humans to be able to keep up with the AI?

Donnie's insights serve as a valuable reminder that while AI technology is rapidly advancing, the fundamental principles of cybersecurity — vigilance, adaptation and collaboration — remain the cornerstone of our digital safety.

By understanding the current applications, future possibilities and ongoing challenges of AI in cybersecurity, we can prepare ourselves for the exciting journey ahead. As Donnie aptly concludes, “...the battle between attackers and defenders continues, with AI becoming increasingly sophisticated on both sides.” Let us leverage this powerful technology responsibly and strategically, ensuring that the future of cybersecurity is one of proactive defense and collective resilience.

Learn More About AI’s Impact on Cybersecurity

Register for Symphony 2024, April 17-18, to explore the latest advancements in AI-driven security, where machine learning algorithms predict, detect and respond to threats faster and more effectively than ever.


Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.