The rapidly evolving threat landscape and the way threat actors are leveraging AI to enhance attacks means that defenders no longer have a choice and must also use AI to help defend networks from from cyber threats – otherwise they are “doomed to fail.”
That is the warning Joe Slowik, director of cybersecurity alerting strategy at Dataminr, gave at Infosecurity Europe on Tuesday 2 June.
In a session on the AI & Cloud Security Stage, Slowik argued that there is a critical need for defenders to adapt to accelerated adversary timescales, and that organizations which still rely on a human-focused security operations center (SOC) will be left behind – and vulnerable to cyber threats.
“We don’t have a choice anymore. Quite simply, when it comes to security processes, those which are human-in-the-loop driven, just don’t adapt to new adversary timescales,” Slowik explained.
“Having a human analyst being able to dig into an intrusion and provide a summary of what’s going on is just no longer is practical anymore given the acceleration of adversary intent,” he added.
Cybercriminals and other threat actors have leveraged emerging technologies like AI, machine learning and large language models (LLMs) to enhance and speed up attacks, meaning that the window between a vulnerability being discovered and being exploited has significantly decreased.
That means that while security teams may have previously had time to assess their cybersecurity posture in the light of new threats, Slowik estimated it is “no longer practical” as attackers can be leveraging new vulnerabilities or attack methods within days or even hours.
Rethinking Security Operations with AI
“I say this as someone who was skeptical of machine learning: the time has passed for skepticism, human-only solutions are doomed to fail, we don’t have the ability to leverage strictly human-in-the-loop to align with adversary lifecycles,” Slowik warned.
The solution for security teams, he argued, is a “rethinking of security operations” – and that defenders should enhance their workflows with the use of AI. But this needs to go beyond the deployment of LLMs.
For example, using AI agents to gather intelligence on what is known about vulnerabilities, what elements of the network are most vulnerable to an attack and what the best way to implement protection around it is.
Doing this can vastly speed up reaction to an attack at a time when attackers are faster than ever.
“Instead of waiting until after the ransom notice has been delivered or the wiper malware has been deployed, you can improve and enhance your ability to get ahead,” said Slowik.
He used the React2Shell vulnerability as an example of a rapidly exploited vulnerability, which was compromized by adversaries in just hours.
A solely human-focused SOC might have needed days to compile a report on how to react, while a SOC that was enhanced with AI was able to more rapidly compile reports and learn how to defend the network against attackers exploiting React2Shell.
“From these enrichments, I can embark on an informed and accelerated remediation lifecycle, in real-time, alongside events to enhance improved decision-making processes,” said Slowik. “Adversary operations from time to breach to time to objectives are accelerating. It’s a matter of fact defenders have to keep pace, this is not optional.”
However, he was also keen to stress that humans are not being replaced by AI and that they are very much a vital cog in the SOC. But it is by combining a human-in-the-loop with AI that is the way forward for cyber defenders – as that is the only way they will keep pace with the cyber attackers doing the same.
“Humans are will still definitely be making decisions, but assisted with AI to align with adversary workflows,” Slowik concluded.
