Yes, AI will have a big impact on cybersecurity—but it will happen over time and won’t change basic principles.
There has been a noticeable uptick in the buzz related to AI hitting my feeds lately. More and more cybersecurity companies have started releasing new AI-centric products and services to counter the coming thunderstorm of adversary AI.
But with all the hype it can be hard to find the needles of good information in the proverbial haystack.
One of my jobs as a cybersecurity advisor is to distill complicated (and sometimes convoluted) information into something meaningful. With that in mind, I think there are two key things to remember when navigating the information regarding cybersecurity and AI.
- We are all already using AI
- It doesn’t change the fact that people need to prioritize the fundamentals
We’re all using AI
All us cybersecurity vendors are using AI in some form or another. Just because a company isn’t pushing it hard doesn’t mean it’s not one of the tools they're utilizing.
Case in point, we use it here at Field Effect. I’m always impressed by what our data scientists figure out with it. (We even won an award for it). AI is an amazing tool, but I do worry that it’s being overhyped. It can’t do everything—Maybe one day, but we definitely aren’t there yet.
Like many other industries, cybersecurity is utilizing this technology to advance our services and products, find efficiencies, and sometimes discover new things.
Will the "bad guys" use it? Of course they will! Many already do.
Studying criminology gave me a good understanding of why people do bad things and what can be done to possibly stop, prevent, or disrupt this. It's important to understand that the adversaries are, in many, many ways, like us.
They wake up and go to work every day, they're trying to provide for their families, and most importantly for this conversation, they don’t want to work harder than they have to to make the same amount of money. If the use of AI improves our products and productivity, it'll do the same for them.
But if we approach our cybersecurity practice solely focused on advanced tooling to fight advanced threats, it feels like preparing for the storm by boarding up your front door but leaving all the windows open.
Why? Because people are still struggling with the basics of cybersecurity, and covering the basics is still necessary.
Implementing the fundamentals should remain the priority
As a company that monitors endpoints, cloud services, and network traffic ( in addition to providing incident response and cybersecurity assessment services), we see a lot during our day-to-day. We see end-of-life or out-of-date operating systems, legacy protocols being used, and a lack of multi-factor authentication, just to name a few.
We have years of data and anecdotal evidence showing that many organizations still struggle to meet the basic best practices that are proven to reduce risk. Generally, in these instances, their IT team knows issues exist and want to fix them, but there are often too many barriers for them to overcome.
Over the years working in this sector, I’ve seen those barriers in many forms, but they can most often be attributed to one of two things: resource constraints (i.e., time and money) or pushback to any changes to the current workflow. I suspect that the first point is obvious, but I’ll speak a bit more to the second.
People are not a fan of change; we all have a bias towards the status quo and find comfort in our routines. If the change also requires more time and/or effort, then we should expect pushback or non-conformity as your average user has enough on their plate already.
We’ve all had that moment with a bunch of work open on our desktops, then we get a notification telling us a restart is required to install the latest operating system. We press the "remind me later" button, knowing full well that a quick restart might be patching a security issue.
I have been in cybersecurity for over 20 years and, while the conflict between security and productivity isn’t anything new, the scale of our technology use and our reliance on it means the collateral damage from this conflict has higher stakes now.
Everyone is a bigger bullseye.
We see this struggle to master the basics across the board; it affects organizations large and small and with varying environments. One must only glance at recent headlines to see large companies we assume would have the highest level of security fall to the simplest threat actor tools.
Reporting indicates that the MGM Grand and Caesars Palace hacks were both social engineering-based. In the MGM attack, the threat actor appears to have simply picked up the phone and impersonated a user, literally talking someone into giving them access to a legitimate user account.
The bottom line
Now I want to be clear that I do think cybersecurity companies need to use AI, as well as anything else we can to stay ahead in this game of cat and mouse. But I worry that all the AI rhetoric might lead people to believe they just need the shiny new AI-labelled security tool to be protected.
To truly protect our clients, we need to offer them a mixture of technological solutions along with professional services to help fill in the inevitable gaps.
What does this look like? A suite of detection and response tooling fed by AI analytics, vetted and utilized by amazing analysts. A suite of services (that is, cybersecurity assessments, incident response preparedness, tabletop exercises, and more) informed by AI but run and delivered by people.
We need to provide our IT friends and MSP partners with the information, recommendations, and support they need to reduce their threat surface. This will help make them more resilient today and in the future.
I believe that AI will, for now, simply make it easier for adversaries to find and exploit the exact same vulnerabilities they’re finding and exploiting now. If we want to protect our clients from more advanced adversaries, we can’t just use more advanced tooling—we also have to help them cover the basics.
