“Better context in a world that's changing quickly”: Leading CISOs discuss AI’s role in SecOps

Written by Thomas Kinsella, Co-founder & CCO, Tines

Published on August 27, 2024

Earlier this month, I was thrilled to join forces with the team at Dark Reading for a webinar on the future of AI in security operations. Titled “CISO Perspectives: How to make AI an accelerator, not a blocker”, the webinar allowed me to take a deep dive into the future role of AI in security with some of the most knowledgeable CISOs on the subject, Mandy Andress of Elastic and Matt Hillary of Drata.

I’m excited to share the full webinar recording here, plus an extract from the conversation to give you a sample of what we discussed. Enjoy!

Excerpt: Mandy Andress and Matt Hillary on the future of AI in security 

Thomas: AI and LLMs are probably the biggest technology change of the last century, or certainly since the internet was developed. Matt, have you seen that impact translate to the enterprise yet? Or has that been a little bit underwhelming? 

Matt: You know, this is a really interesting question because I feel like the last two years have been more still in the discovery space. I'm still feeling really positive about the outlook here, but man, I feel like we're still at the beginning of trying to understand what is capable, what we can do, what are the next steps. And so, I know on the enterprise side of things, one of the things that surprised me was the price tag associated with the AI capabilities that were going to be added into the existing technologies that we had. I feel like the economics around pricing for adding these AI capabilities into our SaaS tools to embolden our organizations and our enterprise team members with these capabilities is one that's like, oh man, there is a price tag associated with these capabilities. And so that's, I think, being realized as well. But, you know, I think there's some cases where it's been fascinating, even my personal life. I know pi.ai, that's one that I'll shout out. I have, like a number of us as we've gone through self-discovery, spent time with therapists. And jumping out of pi.ai and asking similar questions that you might ask someone who's a personal coach or a therapist, and then seeing AI generate some responses that were like, oh my gosh, this is just like a human therapist. So the fact that it's emboldening that aspect of our lives is pretty fascinating. So again, very optimistic. I feel like we're still at the beginning. Because our expectations are so high about where we probably should be in the last couple of years, I can see why it might feel underwhelming. But at the same time, I think, again, just the outlook being super, super positive. 

Thomas: Yeah, I'm trying to be a little bit controversial here. I think there's been plenty of applications that are absolutely mind-blowing. Mandy, can you dive into one or two of those use cases that your team is seeing immediate applications for?

Mandy: Yes, if you look at day-to-day what an analyst needs to do, and how they spend their time, there's usually two general buckets that take up most of their time. It's highly repetitive response actions just based on the volume of types of alerts that come into their environments. While they need the alerts, there's a better way to automate or have less manual response actions. Then secondly is, bringing in context. So have something fire as an alert, but there's a lot of surrounding information to help you determine what's really happening in the environment. How critical is this? How do I continue to investigate and understand if it's something that needs immediate urgent action or if it's an alert that can wait a little bit? So we've been working to both look at what are those alerts that are taking up most of the time of our analysts, and then what is that process. Where the LLMs and the newer AI technologies really help is helping make small contextual decisions to where, before you could automate, I'm going to bring in this data, but there was always a decision point of, what's the next step. And it wasn't always an A or B answer. So there was a little bit of subjectivity that needed to go into that analysis. And with the newer AI approaches, they're able to handle some of that really light subjectivity and help make decisions as things change and evolve around us. So it's helping to automate more of those processes as well. And then on the broader analysts contextual, I think the key thing that I see really helping initially is on the context front. So we could automate bringing in asset data, owner data, application criticality to the business, IoCs, things like that in today's tools. But what we couldn't always do was tie that into what's happening in the threat environment around us, because that's always changing. 
Yes, we might have some contextual information from reports that we've read or things that we have done from a threat intelligence perspective, but it's changing day to day, sometimes hour by hour. And having some of that available in more of an LLM context allows you to apply better context in a world that's changing quickly when you're working with companies that are building out those LLMs. 

Thomas: One of the things I really love about that is that, I suppose, and I say this as a co-founder of a workflow automation platform, but the challenge is that keeping some workflows up to date involves tweaking them a lot. But with AI, you can overcome some of those challenges, right? You no longer need to have that tweak all the time because you can rely on AI to say, hey, actually, should I perform this next step? Can you automatically enrich? Can you automatically take that next step in the journey or summarize something for me? Even when a new alert is enabled by your SIEM. So it removes some of that as well, as detections evolve, as threats evolve. 

Mandy: And some tools that I've seen being developed, it also helps or it also provides suggestions. This is what you should do or these are some next steps that you should consider that you don't have in it. So it’s helping to expand analysts' capabilities and knowledge. Now you're able to bring in not just the knowledge from your immediate team, but knowledge from the broader security community. And what are other approaches or ways that we can think about this, that we just don't have exposure or perspectives on yet? 

Matt: I love what you shared there. Like you're totally spot on as far as emboldening the analysts on the edge there. I love that you mentioned the summarizing of remediation steps there, too. That's been helpful in both educating our team members, saying, hey, there's this issue that we just found and we need to fix this issue. This is how to fix it. It's cool to be able to see the teaching as well as the actual going about. Now, obviously, not blindly applying what the AI is generating to go apply to fix that issue. But one of the other areas I think I've seen with the analysts on the front lines is around querying, right? Being able to generate a query if they're still learning how to query using a variety of logging platforms that are out there, or even trying to do relational data query and be able to identify, hey, this is a question I'm trying to answer. How can I craft a query to get the results set to help me there? That's been cool to see that happen more cutting-edge and more readily. But another thing that I haven't seen yet, but I'm excited for as a CISO, is knowing like, how is my posture today? What are the things that are exposed today that weren't yesterday? Give me a dossier of my own perimeter that a hacker might use to come at me today. It would be nice to be able to see that situation report almost every day, AI-generated based off of open source intelligence or other capabilities that might be there. I've not yet seen that, but that's something that I'm excited to see and hopefully enrich our day-to-day activities and decisions on how we do that. 
