The Era of Generative AI is upon us – there is no doubt about that. After over 50 years of academic research in artificial intelligence culminating in the development of neural networks and machine learning algorithms, and then another decade of building cybersecurity products based on those methods and trying to persuade customers to finally put their trust into them… The seemingly out-of-nowhere emergence of ChatGPT has managed to achieve that overnight.

Instead of a grumpy, suspicious crowd not willing to let AI automate their jobs, we now see a public craze that makes the Tulip Mania of the 17th century pale in comparison. Businesses are rushing to implement GenAI capabilities into all their processes and workflows. Vendors are struggling to come up with even more potential use cases to add generative capabilities to their products. But most importantly, literally everyone is happy to consume those capabilities again and again, disregarding potential risks and challenges (including being automated out of their jobs completely).

Even I couldn't resist asking DALL-E to create an illustration for the previous paragraph, and the result is quite impressive...

Discussing those risks for business applications of GenAI is a huge topic on its own. We already hear experts talking about lack of transparency, potential biases in training, compliance issues with leaking sensitive information to third parties, to say nothing about the massive costs of running LLM infrastructures. Still, the attempts of some organizations to outright ban ChatGPT usage on their premises have already been proven futile. Just like BYOD, this usage should be controlled by a combination of government-level regulation and organizations’ own acceptable use policies.

Generative AI for cybersecurity practitioners

Still, today we want to focus on a more specific question: does the introduction of GenAI capabilities fundamentally change cybersecurity? What practical new functionality do they offer to security experts? And what are the challenges of developing and using security tools that rely on modern GenAI models?

Oddly enough, the most obvious use case doesn’t even require any additional interfaces between you and ChatGPT: it’s continuous education, an absolute must for every cybersecurity practitioner. Having a virtual assistant that can instantly answer any question and free you from doing your own research is a very alluring prospect indeed. You just have to remember that ChatGPT is not smarter than you. In fact, it works much more like a room full of hyperactive monkeys with typewriters, and not everything they produce is necessarily on par with Shakespeare. When an LLM does not know something, it will happily make up a completely wrong but still plausibly-looking answer, and it is entirely your responsibility to check its validity. Trust but verify!

Another related area is using LLMs for creating various materials for safe simulations of cybersecurity incidents. The idea itself is, of course, not at all new – tabletop exercises, incident response bootcamps and other kinds of training are a big part of every business continuity program, but using Generative AI does not just reduce the cost of such exercises but dramatically increases the degree of their realism – after all, real threat actors are already using very similar tools for their nefarious purposes. Again, just keep in mind that the cost of an error in this business is not at your advantage – a poorly crafted spear phishing mail will only leave a hacker with a bit of lost revenue, yet a poorly designed phishing awareness exercise might leave your entire company unprotected against multiple future attacks.

With the tremendous improvements LLMs are now making in generating not just natural language, but application source code as well, the idea of making new software “secure by design” by replacing human developers (that make so many coding mistakes and are impossible to teach to follow security practices!) with code generated directly by an AI model is getting more and more traction. In a similar way, LLMs can be used to create more sophisticated authorization policies, generate synthetic data for security testing, etc. In a slightly less radical approach, LLMs would not outright replace humans but serve as an additional filter in an existing CI/CD pipeline to improve its coverage and efficiency.

To be honest, looking at the results produced by current-generation tools, I’m somewhat skeptical about AI completely replacing human developers anytime soon, but the situation might change quickly. In any case, however, there is absolutely no reason to treat the code generated by AI as inherently error-free. You’ll still need to keep unit tests, static and dynamic code analysis solutions, and a lot of other security tools included in your development pipeline. Can you delegate all these activities to LLMs? Perhaps, but should you? In the end, it is still someone’s liability, and you cannot put than on AI…

But wait, someone reading this might say, what about arguably the most interesting application of Generative AI – specialized security-trained LLMs built into solutions like Microsoft Security Copilot? Aren’t they the real future of cybersecurity?

Well, I cannot argue with that… to a degree. SIEMs, XDRs, and other security analytics solutions have been relying on various AI technologies for years, and the addition of GenAI does make them better in many ways. Providing better insights by cutting through the noise, helping to make critical incident response decisions faster, improving security analysts’ productivity – all these capabilities are great improvements, but they are not what makes a security tool reliable and scalable. Microsoft’s Copilot would never be so useful without the company’s existing vast telemetry network and threat intelligence database or their own cloud infrastructure.

Even Charles Babbage, the inventor of the first programmable computer, already understood the principle that later became known as “Garbage in, garbage out” – not even the most sophisticated machine can make right decisions based on incomplete, flawed, or biased input data. For Generative AI, this applies to a much larger extent than anywhere else in IT. Perhaps, when you’re choosing the next best cybersecurity tool for your organization, looking at its GenAI-powered bells and whistles should not be on the top of your list of priorities.

Tapping into the Wisdom of the Crowd

In the end, we cannot deny the fact that Generative AI is indeed a game-changer in almost every industry, including cybersecurity. And yet it is critical for everyone to understand that GenAI does not do magic. It is just a tool - an extremely sophisticated, sometimes quite delicate, and very expensive one. A crucial part of integrating these tools into your security strategy is to clearly understand their capabilities and limitations (which tend to change literally on a weekly basis). Even more important is to be aware of how both the trailblazers and ordinary peers within your industry are using them to capitalize on their experience and avoid their mistakes.

And of course, there is no better platform to meet those people than the upcoming EIC 2024, Europe’s prime conference on Digital ID, Security, Privacy and Governance in an AI-driven world, which will take place this June in Berlin, Germany. I hope to see you there as well!