Beyond the Hype: AI's Future in Defensive Cybersecurity

Hybridizing signatures with artificial intelligence is making a significant difference in our ability to detect cyberattacks, including ransomware.

Joshua Saxe, Chief Scientist, Sophos

March 1, 2022

3 Min Read
Concept art illustrating artificial intelligence
Source: Kiyoshi Takahase Segundo via Alamy Stock Photo

AI is a buzzword that gets thrown around a lot in cybersecurity — often, it seems, to obscure and impress, rather than to clarify how products and services work. This is unfortunate, because beyond the hype, artificial intelligence's role in cybersecurity is becoming increasingly indispensable. While AI won't solve all problems, it provides a growing toolbox for accelerating security workflows and better detecting threats. In fact, there are several ways in which AI is already revolutionizing cybersecurity.

Pattern Matching and Threat Detection
Until the past half decade or so, most cyber-threat detection was performed using small, handwritten pattern-matching programs (called signatures, rules, or indicators of compromise). The widespread adoption of AI has changed this. Now, security vendors are on a long march to augment signature-based detection technology with AI in every context for making detections: detecting phishing emails, malicious mobile apps, malicious command executions, and the like.

AI won't replace signatures, nor should it, because these technologies complement each other. Whereas signatures are good at detecting known threat artifacts, AI algorithms — trained on vast threat databases that cybersecurity companies have accumulated over the years, are better at detecting previously unseen artifacts. Whereas signatures can be written and deployed quickly, AI technologies take a lot longer to train and deploy. And while signature authors can control precisely what threats their signatures will and won't detect, AI is fundamentally probabilistic and harder to control.

Security marketing copy often contrasts AI-based detection approaches to signature approaches, but behind the scenes, good security product architects have come to understand that these methods complement each other quite elegantly. The good news here is that hybridizing signatures with AI is making a significant difference in our ability to detect cyberattacks, including ransomware, which was responsible for some of the biggest cyberattacks of the past year, including Colonial Pipeline, Kaseya, and Kronos.

AI's Future in Cybersecurity
Unfortunately, much of the security community is not exploring applications of AI beyond the narrow attack-detection use case. To keep pace with threats, it will be necessary to explore new application areas of AI that can augment the human operators who are the last and most important line of defense against cyberattacks.

This is challenging because it requires that cybersecurity leaders keep track of the rapidly evolving AI research and development space just as we track trends in cybersecurity practice and cybersecurity threats. But it's too important a priority to forsake.

Some areas that the defensive cybersecurity community needs, urgently, to focus on, include:

  • AI models that can accurately predict which security cases analysts truly care about, and then intuitively cue up relevant information for security operators.

  • A natural language and visualization user interface, not unlike the way you can search for COVID-19 case numbers, with Google returning results in a neatly visualized case-tracker graph. These technologies will surface and visualize relevant information during "live fire" cybersecurity incidents.

  • AI models that can help to explain what suspicious observables do; for example, artificial neural networks that can automatically explain the purpose of a suspicious PowerShell script to users, thereby speeding up analysts' understanding of incident-relevant evidence.

While we can count on cyber adversaries to get creative and act boldly in applying AI to their malicious goals (for example, using artificial intelligence to generate phishing emails or fake social media profiles), AI should not be the domain of attackers alone within cybersecurity. We need to continue to incrementally improve the AI we're already using to improve cyberattack detection. And with the rapidly evolving and complex threat landscape we face, CIOs, CTOs, and IT and SecOps teams have to commit to exploring new and creative ways of applying AI technology that focus on helping the human operators that our network security ultimately depends on.

About the Author

Joshua Saxe

Chief Scientist, Sophos

Joshua Saxe is Chief Scientist at Sophos, where he leads the company’s artificial intelligence R&D, engineering, and operations teams. Before Sophos, Joshua spent a decade leading US government-sponsored security data science research programs. Joshua is the author of the book, Malware Data Science from No Starch Press, numerous scientific papers, and has presented research at major cybersecurity conferences worldwide.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights