In cybersecurity, artificial intelligence has always been considered essential; nevertheless, 2023 will be particularly noteworthy due to the widespread implementation of Large Language Models (LLMs). LLMs have already begun to change the cybersecurity landscape. However, it is creating enormous obstacles.
One way that LLMs help everyone utilize AI is by simplifying the processing of massive amounts of data. They can give incredible efficiency, intelligence, and scalability for controlling vulnerabilities, preventing attacks, handling warnings, and responding to incidents.
Adversaries, on the other hand, might employ LLMs to increase the efficiency of their assaults and exploit additional vulnerabilities introduced by LLMs, and misuse of LLMs can lead to additional cybersecurity risks such as unintended data leaks owing to the widespread usage of AI.
A fresh perspective on cybersecurity is necessary for the deployment of LLMs. It is far more dynamic, interactive, and customizable. Historically, hardware was only updated when it was replaced with a newer piece of hardware. In the cloud age, the software could be updated and customer data collected and analyzed to improve the next edition of the software, but only when a new version or patch was available.
In the new era of AI, the customer-facing model has its intelligence, can continue to learn, and may adapt based on consumer usage — to either better serve customers or skew in the wrong direction. As a result, we must not only incorporate security into the design phase (ensuring secure models and preventing training data poisoning), but also continue to evaluate and monitor LLM systems after deployment for safety, security, and ethics.
Above all, security systems must be intelligent from the start (e.g., educating kids about morality rather than just controlling their actions) for them to be able to adapt and make sound decisions without being readily swayed by false information.
What advantages or disadvantages have LLMs brought to cybersecurity?
look out for 2024 forecasts and examine the lessons we have learned in the last year.
2023 Retrospective
The Future of Machine Learning in Cybersecurity a year ago (before the LLM era), the following three separate challenges for AI in cybersecurity: accuracy, data scarcity, and a lack of ground truth, as well as three common AI challenges that are more severe in cybersecurity: explainability, talent scarcity, and AI security.
Now, a year later, after extensive research, we identified LLMs as a significant aid in four of these six areas: data scarcity, a lack of ground truth, explainability, and talent scarcity. The other two categories, accuracy, and AI security, are vital yet problematic.
The main benefits of employing LLMs in cybersecurity in two areas:
- Data: Labeled data
Using LLMs has helped us overcome the difficulty of insufficient “labeled data.”High-quality labeled data is required to improve the accuracy and applicability of AI models and predictions for cybersecurity applications. However, this data is difficult to come by. For example, it’s hard to find malware samples that can help us learn about attack data. Organizations that have been breached are not exactly eager to share that information.
LLMs are useful for gathering starting data and synthesizing data based on existing real data, extending it to provide new data on attack origins, vectors, tactics, and objectives. This information is then utilized to build new detections without relying solely on field data.
The real truth
We can employ LLMs to drastically increase ground truth by identifying gaps in our detection and numerous malware databases, lowering False Negative rates, and retraining models as needed.
- Tools
LLMs are excellent at making cybersecurity operations more manageable, user-friendly, and actionable. So far, LLMs have had the greatest impact on cybersecurity at the Security Operations Center (SOC).
For example, function calling is a fundamental component underpinning SOC automation with LLM, as it helps translate natural language instructions into API calls that can directly control SOC. LLMs can also help security analysts manage alerts and incident reactions more wisely and quickly. LLMs enable us to integrate powerful cybersecurity solutions by receiving natural language commands straight from users.
Explainability
Previous Machine Learning models worked well but were unable to answer the question, “Why?” LLMs can revolutionize the game by providing accurate and confident explanations, fundamentally altering danger detection and risk assessment.
The capacity of LLMs to swiftly evaluate huge amounts of information is useful for correlating data from many tools, such as events, logs, malware family names, Common Vulnerabilities and Exposures (CVE), and internal and external databases. This will not only help to identify the root cause of an alert or issue, but it will also significantly reduce the Mean Time to Resolution (MTTR) for incident management.
Talent scarcity
LLMs significantly reduce the workload of security analysts due to their advantages, which include fast compiling and digesting massive amounts of information, comprehending commands in normal language, breaking them down into necessary stages, and identifying the correct tools to complete tasks.
From obtaining domain knowledge and data to dissecting new samples and malware, LLMs can help construct new detection systems faster and more effectively, allowing us to automate anything from recognizing and analyzing new threats to pinpointing bad actors.
Three Forecasts for 2024
It’s evident that we are entering a new era in terms of the expanding application of AI in cybersecurity—the initial phase of what’s frequently referred to as “hockey stick” growth. The more we learn about LLMs that allow us to improve our security posture, the more likely it is that we will be ahead of the curve (and our adversaries) regarding maximizing AI’s potential.
there are other areas in cybersecurity ripe for discussion regarding the expanding use of AI as a force multiplier to combat complexity and broaden attack routes, three stand out:
- AI Models
AI models will take significant steps ahead in the development of in-depth domain knowledge anchored in cybersecurity requirements.
Last year, a lot of research was focused on improving generic LLM models. Researchers worked hard to make models more intelligent, faster, and cost-effective. However, there is a significant gap between what these general-purpose models can provide and what cybersecurity requires.
Specifically, our sector does not require a massive model capable of answering inquiries as broad as “How to make Eggs Florentine” or “Who discovered America”. Instead, cybersecurity requires hyper-accurate models with extensive domain knowledge of cybersecurity risks, processes, and more.
In the field of cybersecurity, accuracy is crucial. For example, Palo Alto Networks processes 75TB+ of data every day from SOCs all over the world. Even a 0.01% error rate in detecting verdicts can be devastating. We demand high-accuracy AI with a strong security background and knowledge to provide bespoke services that address our customers’ security needs. In other words, these models must perform fewer specific jobs but with considerably more precision.
Engineers are making significant progress in developing models with more vertical-industry and domain-specific knowledge, and a cybersecurity-focused LLM will emerge by 2024.
- Use cases
There will be transformative use cases for LLMs in cybersecurity and this will make LLMs necessary in cybersecurity.
In 2023, everyone was ecstatic about LLMs’ incredible potential. People used that “hammer” to attempt every single “nail.”
In 2024, we will recognize that not every use case is a good fit for LLMs. We will have actual LLM-enabled cybersecurity products aimed at specific activities that complement LLM strengths. This will significantly increase efficiency, productivity, and usability, address real-world problems, and lower costs for consumers.
Consider being able to read thousands of security playbooks on topics such as configuring endpoint security appliances, troubleshooting performance issues, onboarding new users with appropriate security credentials and privileges, and breaking down security architectural design on a vendor-by-vendor basis.
The ability of LLMs to consume, synthesize, evaluate, and produce the appropriate information in a scalable and timely manner will transform Security Operations Centers and change how, where, and when security personnel are deployed.
- AI Security and Safety
Developing secure AI and utilizing it securely without compromising the intelligence of AI models are important subjects in addition to employing AI for cybersecurity. There have already been several conversations and significant contributions in this direction. In 2024, actual remedies will be implemented, and while they may be preliminary, they will be steps in the right direction. In addition, an intelligent evaluation framework must be developed to dynamically examine the security and safety of an AI system.
Not to mention that evil actors can also access LLMs. Hackers, for example, can quickly generate substantially more phishing emails of greater quality using LLMs. They can even use LLMs to generate entirely new malware. However, the industry is becoming more collaborative and purposeful in its use of LLMs, allowing us to move ahead and remain ahead of the bad guys.
US President Joseph Biden signed an executive order on October 30, 2023, addressing the proper and responsible use of AI tools, products, and technologies. The goal of this order was to emphasize the need for AI suppliers to take all required precautions to guarantee that their products are used for legitimate rather than harmful reasons.
We need to take the threat posed by AI security and safety seriously, and we should presume that hackers are already developing methods to get around our safeguards. The fact that AI models are already widely used has resulted in a significant growth of attack surfaces and threat vectors. This is a highly dynamic field. AI models improve daily. Even once AI solutions are implemented, the models constantly evolve and never remain static. Continuous review, monitoring, protection, and improvement are critically needed.
More and more attacks will employ AI. As an industry, we must prioritize developing secure AI frameworks. This will necessitate a modern-day moonshot including the involvement of vendors, companies, academic institutions, legislators, regulators, and the entire technological ecosystem. This will undoubtedly be a difficult undertaking, but I believe we all understand how important it is.
Final Thoughts: The Outstanding Part Is Yet to Arrive
In some ways, the success of general-purpose AI models such as ChatGPT and others has spoiled us in the cybersecurity space. We all hoped to design, test, deploy, and continuously enhance our LLMs to make them more cybersecurity-centric, only to be reminded that cybersecurity is a very specific, specialized, and difficult domain to use AI. To make it work, we must address all four important aspects: data, tools, models, and use cases.
The good news is that we have access to many clever, determined people who see why we need to move forward with more accurate solutions that combine power, intelligence, ease of use, and, perhaps most importantly, cybersecurity relevance.
