Since the “birth” of ChatGPT in November 2022 and the emergence of other AI tools such as Aleph Alpha, Google Bard, and Microsoft Copilot, events have unfolded thick and fast. One headline follows the next and the triumph of Generative AI (GenAI) seems unstoppable. But how does the development of AI affect cybersecurity? How are cyber threats changing and how is AI helping SOC teams to better mitigate attacks and protect data and systems?
GenAI makes AI available to everyone for the first time. We can all use AI easily, interact with it, and even develop it further ourselves. We quickly find use cases that bring important advantages for us personally, for our cybersecurity efforts, for our work or our company. GenAI lowers the entry threshold for users enormously and whets their appetite for more.
Artificial Intelligence is also an important topic for IT and cybersecurity. Technologies such as big data analytics, machine learning (ML), and behavioral analysis have been used for years to automate processes or improve the detection rate of malware. Threat detection and defense are popular fields of application. Intelligent tools quickly and accurately identify anomalies or suspicious behavior in networks or systems. This allows countermeasures to be initiated at an early stage. The solutions also assist in mitigating vulnerabilities in cybersecurity by automatically detecting potential vulnerabilities and prioritizing security updates.
On the other hand, cyber criminals are also making use of the technology, for example, to quickly find personal or business-critical information in stolen data. AI also enables them to carry out more sophisticated and inconspicuous cyberattacks than before. Phishing emails are one example: in the past, these were easily recognized by spelling mistakes and confusing sentence structures. Today, they appear more consistent and are more professionally formulated. This is because GenAI makes it easy to create fake cover letters in many languages.
However, SOC teams and manufacturers of AI security solutions are also adapting to this. In turn, they use AI to recognize AI-generated texts. Email protection solutions, for example, flag suspicious threat emails and sort them out. Conversely, this approach also motivates attackers to use AI tools even more effectively in order to write more catchy texts. A cat-and-mouse game in which cybercriminals and security operations try to outdo each other.
AI offers numerous opportunities beyond the detection of phishing emails, especially for providers of Managed Security Services such as T-Systems. For example, it supports our security analysts in the Security Operations Center (SOC) so that we can protect our customers' applications, data, and systems even better as part of our Managed Detection & Response. AI is used in the SOC for various tasks and is already integrated into many security solutions. For example, security alerts generated as part of threat detection are of a higher quality, thanks to AI. This reduces the number of false positives and, therefore, also the workload for the security teams in the SOC.
Not to be neglected when prompting: data protection. Neither personal nor customer-specific data may be transferred to public AI models such as Bard or ChatGPT. Because nobody knows what happens to the data in the background – where it is stored, whether unauthorized persons can access it, or whether it is duplicated for training purposes.
To be on the safe side when it comes to data protection, companies can set up their own GenAI as a separate, protected instance, and train it with internal data. Only the company's employees can then access it. But there are challenges here too: a secure authorization and role system must be set up, as not everyone is allowed to view all information – from finance and human resources, for example.
Such a solution would also be conceivable for the use of AI in a security context. After all, this also involves sensitive data. If, for example, the online banking of a customer in the financial sector is compromised and we help them to analyze the incident, this knowledge must not be leaked to the outside world. For instance, because bank and credit card details are involved, i.e., precisely the information that the cyber criminals wanted to access.
At T-Systems, we want to increasingly automate repetitive tasks in the Security Operations Center in the future using AI-powered security tools based on AI and machine learning. This speeds up processes and gives our experts more time for other tasks. At the same time, the SOC processes can be scaled better. This means we avoid service-level bottlenecks and improve support for our customers.
With regard to the general hype surrounding AI, such models have so far been very well adapted to individual use cases, such as conversation and knowledge transfer in the case of ChatGPT. However, this bot cannot solve complex mathematical problems. A model that can map all human abilities would be an Artificial General Intelligence (AGI) – but we are still many years and development steps away from this. So, it is clear to us: human skills will also be needed in the future – and not just in security. AI complements the skills of humans, but it cannot (yet) replace them.
1 Global Security Operations Center Study Results, Morning Consult, 2023, IBM
