Over the past decade, the development of artificial intelligence (AI) reached its peak with the unveiling of ChatGPT, which brought a tangible AI product to the IT market. Despite this progress, we haven’t yet achieved the revolution presented by Microsoft’s research director Rick Rashid in 2012. Amid the hype, marketing messages and product launches often look like little more than fluffy clouds to the customer. Finding real value in AI-based products can be challenging, at least when judged by the marketing. So, is AI Cybersecurity fact or fiction?
“Security analysts now have a unified incident experience that streamlines triage and provides a complete, end-to-end view of threats across the digital estate.”
Unrealized benefits?
For example, let’s examine Palo Alto SOC’s transition from a Security Information and Event Management (SIEM) solution to the XSOAR and XSIAM solutions that leverage AI. In 2017, it took ten people to analyze data, while in 2023, the theoretical equivalent would have been 26 people. Consequently, the solution saves the effort of 16 individuals. While this may seem significant on a small scale, it represents only 0.1% of the workforce. It’s also worth noting that the gap narrows when considering the annual development of old technology. From an Operational Expenditure (OPEX) perspective, the benefit is marginal.
However, the key question often remains unanswered: Does the new solution enhance the ability to detect and combat threats? Could the 26 people have possibly noticed something better?
Machine and deep learning as aids
In examining cybersecurity in general, traditional methods like signature-based detection and behavior analysis have been in use for decades. While AI has been touted in security products for a long time, most either use statistical analysis for data prioritization or traditional machine learning (AI Machine Learning) for task optimization.
Deep learning (AI Deep Learning) doesn’t require manual feature definition by an expert. It can learn which features define a threat or malicious intent using both benign and malicious data. This model can then detect various threats, including new and unknown ones (Zero Day).
Although the theory of deep learning has been known since the 70s, its significant development occurred in 2012. Despite its potential benefits, implementing the solution on endpoint devices (EDR) remains challenging due to resource constraints. In SIEM/SOC solutions, more resources are available, providing a slightly better situational awareness but often too late. Implemented correctly in network traffic, deep learning can detect unknown threats and stop them in real time.
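To make the contrast between signature-based detection and a model that learns its own features concrete, here is an added example that is not part of the original article. It places a fixed-signature check beside a small Bernoulli naive Bayes classifier trained on labelled benign and malicious samples; the classifier is handed raw bytes and learns from the data which byte values characterise each class, with no feature chosen by hand. All samples, the packer marker `\x7fPACK` and the variant are constructed for the demo and do not correspond to any real malware family.

```python
"""Added example (not from the original article): a signature check beside a
classifier that learns byte-level features from labelled data, showing why a
learned model can flag a variant that a fixed signature misses. Every sample
here is constructed for the demo; the 'signature' is a made-up marker."""
import math
import random
from collections import Counter

# Constructed marker that a hypothetical packer writes at the start of a file.
SIGNATURE = b"\x7fPACK\x01"


def make_packed(rng, marker):
    """Constructed 'packed' sample: marker followed by high-entropy bytes."""
    return marker + bytes(rng.randrange(256) for _ in range(200))


_rng = random.Random(7)  # fixed seed so the demo is reproducible
BENIGN = [  # constructed plain-text samples (labelled benign)
    b"the quick brown fox jumps over the lazy dog",
    b"quarterly report: revenue grew modestly this year",
    b"meeting notes - review the budget and the roadmap",
    b"please find the attached invoice for march",
    b"project status is green, no blockers reported",
    b"reminder: submit timesheets by friday afternoon",
]
MALICIOUS = [make_packed(_rng, SIGNATURE) for _ in range(6)]


def signature_match(sample):
    """Classic signature detection: exact marker match only."""
    return sample.startswith(SIGNATURE)


def train(benign, malicious):
    """Bernoulli naive Bayes over byte presence: the model learns from the
    labelled data which of the 256 byte values characterise each class.
    No feature is hand-picked; every byte value is a candidate feature."""
    model = {}
    for label, samples in (("benign", benign), ("malicious", malicious)):
        counts = Counter()
        for s in samples:
            counts.update(set(s))  # presence, not frequency
        n = len(samples)
        # Laplace smoothing so a byte unseen in training never gets probability 0
        model[label] = [(counts[b] + 1) / (n + 2) for b in range(256)]
    return model


def log_odds(model, sample):
    """log P(malicious | sample) - log P(benign | sample), equal priors assumed."""
    present = set(sample)
    total = 0.0
    for b in range(256):
        pm, pb = model["malicious"][b], model["benign"][b]
        if b in present:
            total += math.log(pm) - math.log(pb)
        else:
            total += math.log(1 - pm) - math.log(1 - pb)
    return total


def classify(model, sample):
    """Learned detector: positive log-odds means 'malicious'."""
    return "malicious" if log_odds(model, sample) > 0 else "benign"


MODEL = train(BENIGN, MALICIOUS)

# A variant whose marker version byte differs: the exact signature no longer
# matches, but the learned byte distribution still does.
VARIANT = make_packed(random.Random(99), b"\x7fPACK\x02")
# A fresh benign text the model has never seen.
UNSEEN_BENIGN = b"agenda for tomorrow: standup, then design review"

if __name__ == "__main__":
    cases = (("known sample", MALICIOUS[0]), ("variant", VARIANT),
             ("unseen benign", UNSEEN_BENIGN))
    for name, s in cases:
        print(f"{name:14s} signature={signature_match(s)!s:5s} "
              f"learned={classify(MODEL, s)} log_odds={log_odds(MODEL, s):+.1f}")
```

The signature catches only the sample it was written for; the trained model catches the variant because it scored the whole byte distribution rather than one fixed string, which is the same argument the article makes for deep learning on a far larger feature space. The flip side, visible if you feed it benign binary files, is that a model trained on so little data will also generalise to the wrong things, which is why evidence from real comparisons, not the theory, decides whether such a product delivers.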
Cyber AI pioneers are dying
In theory, AI and deep learning can uncover unknown threats, and around five years ago many award-winning AI cybersecurity startups built their business models on exactly that promise. Such technology would revolutionize the industry, attracting investors. Who wouldn’t want a solution that identifies new and unknown threats in real time and prevents them?
Very few of these companies survived the 5-year slump due to a lack of evidence. Mere hype and technical marketing materials aren’t sufficient for experts. Interestingly, these AI technologies, even under new ownership, don’t seem to perform particularly well in cybersecurity comparisons. It’s a challenging field even for the best, but was AI Cybersecurity fact or fiction?
Data is the new oil – encrypted data is milk
While seeking a solution for the financial sector in 2021, one of our most challenging discussions with these startups revolved around the fact that deep learning yields much better results for unencrypted traffic than for encrypted traffic. Although decrypting is possible, it’s rare. This perspective should be considered, for example, when transitioning to cloud security or a next-generation firewall. If you want better results, you must decrypt about 50 protocols, not just TLS/SSL. That means acquiring a separate solution that can only be implemented by the data owner. It’s better to start improving security with a Zero Trust project, reducing the deep analysis needed in the future.
Hannu Rokka, Senior Advisor
5Feet Networks Oy