
Jason Keirstead at Cyware explores the role of Gen-AI in security operations: its risks, limitations and the crucial need for open security interoperability
In an effort to improve efficiency, collaboration and to embed a security-first mindset into modern organisations, Security Operations (SecOps) brings security and IT operations teams together to better protect digital assets.
From threat intelligence and monitoring to incident response and remediation, SecOps offers a proven approach designed to reduce risk and overcome the traditional siloed approach to IT operations and security.
It has also become an exciting use case for generative AI, with the potential to improve the approach organisations take to SecOps. For example, it can be used to improve threat identification, identify attacks sooner and analyse huge datasets to uncover Indicators of Compromise (IOCs). When a security breach is detected, AI technologies are also being used to improve remediation and recovery strategies, while automation is used to complete tasks such as software patching and configuration updates.
Despite the enormous potential AI has to improve SecOps delivery and effectiveness, it is, however, no silver bullet, with one of the biggest hurdles being issues associated with technology interoperability. In particular, as cyber-threats grow more sophisticated and diverse, security operations centres (SOCs) need to leverage a variety of tools and technologies to detect, prevent and respond to attacks.
In fact, over half of all organisations use more than 25 different cyber-security products, and that increases to upwards of 100 tools for large enterprises.
These can include everything from security information and event management (SIEM), security orchestration, automation and response (SOAR) to extended detection and response (XDR) and threat intelligence platforms (TIP). These products and systems have different functions, features, architectures and protocols, making it difficult to ensure that they integrate and communicate effectively with each other.
Given the sheer volume of cyber-security tools in use, it’s unsurprising that two-thirds of organisations say that a lack of interoperability among these products presents a significant challenge for their security strategy. In practical terms, this often leads to fragmented, siloed and inefficient SecOps processes, which in turn reduce visibility, coverage and response.
There is also a knock-on effect for the implementation of generative AI, where this endemic lack of interoperability stands in the way of SecOps teams trying to capitalise on its capabilities.
For example, generative AI systems are highly dependent on APIs, which act as the software interface used by different technologies to exchange data, and also on data models, which are vital because they define how information is organised and represented. Both are essential for generative AI to access, understand and use the data it needs to produce outputs.
The problem is that APIs and data models are not normally standardised or consistent across different cyber-security products and systems. They can vary significantly in terms of design, functionality, format and protocol and are often poorly documented.
As a result, generative AI systems may not be able to learn how to interact with specific security products, or systems may produce inaccurate or incompatible outputs if they do not understand or are not able to locate and use the required APIs and data models.
What this all means is that, currently, generative AI must be carefully integrated and aligned with existing non-standardised cyber-security products and systems. This not only has the potential to be complex and costly but may also require ongoing updates and adaptations to keep pace with the rapid evolution of cyber-threats and technologies.
This isn’t helped by the fact that there is no industry-wide consensus, frameworks or standards that guide how cyber-security solutions are designed, developed, deployed and operated. AI use cases can greatly benefit from standards, not least because they facilitate the integration and alignment of generative AI with existing cyber-security products and systems by providing common terminology, protocols, formats and interfaces.
Without such standards, extracting the optimal value from generative AI tools is difficult. Granted, the likes of the OASIS STIX, TAXII and CACAO standards are out there, but they aren’t adopted widely enough to negate the issues associated with interoperability or the lack of it.
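As an added example (not code from the article or from Cyware), the following maps two constructed vendor alert formats onto STIX 2.1 Indicator objects and wraps them in a Bundle, which is the kind of normalisation the standards mentioned above make possible; the vendor field names and sample values are assumptions, not any real product's API.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample alerts in two made-up vendor formats (assumption: the
# field names are illustrative and do not come from any real product).
VENDOR_A = {"alert": {"ioc_type": "ipv4", "value": "203.0.113.45",
                      "seen": "2025-01-10T08:15:00Z"}}
VENDOR_B = {"indicator_kind": "domain", "observable": "example-bad.test",
            "first_seen": 1736496900}

# STIX pattern templates for the observable types this example supports.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
}

def _ts(value):
    """Normalise ISO-8601 strings or epoch seconds to the STIX timestamp form."""
    if isinstance(value, (int, float)):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")

def to_stix_indicator(ioc_type, value, first_seen):
    """Build a STIX 2.1 Indicator SDO from a vendor-neutral (type, value, time)."""
    if ioc_type not in PATTERNS:
        raise ValueError(f"unsupported IOC type: {ioc_type}")
    # Escape backslashes and quotes so the value cannot break the pattern.
    safe = value.replace("\\", "\\\\").replace("'", "\\'")
    ts = _ts(first_seen)
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "pattern": PATTERNS[ioc_type].format(v=safe),
        "pattern_type": "stix", "valid_from": ts,
    }

def normalise(alert):
    """Map each vendor's bespoke fields onto the common indicator shape."""
    if "alert" in alert:  # vendor A layout
        a = alert["alert"]
        return to_stix_indicator(a["ioc_type"], a["value"], a["seen"])
    return to_stix_indicator(alert["indicator_kind"], alert["observable"],
                             alert["first_seen"])

def bundle(alerts):
    """Wrap normalised indicators in a STIX 2.1 Bundle, ready for a TAXII push."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [normalise(a) for a in alerts]}

if __name__ == "__main__":
    print(json.dumps(bundle([VENDOR_A, VENDOR_B]), indent=2))
```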
Looking ahead, this situation needs to change if AI is to reach its potential for transforming cyber-security effectiveness. The sense of urgency should be even more important given that threat actors are not bound by the use of standards when developing their own AI-powered strategies and will exploit any gaps that a lack of uniformity creates among their victims.
Instead, generative AI/SecOps integration must go hand-in-hand with an acceleration in standardisation efforts. With cross-industry cooperation and momentum, organisations everywhere can press ahead with their investment in AI, safe in the knowledge that its effectiveness won’t be limited by intractable interoperability barriers.
Jason Keirstead is Vice President of Collective Defense at Cyware
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543