Ushering in AI to Automate Cyber Threat Intelligence

Security teams are automating their cyber threat intelligence collection, analysis, and response — increasingly with the aid of artificial intelligence (AI). In a new survey, nearly half (46%) of U.S. security professionals surveyed said they have already automated at least part of their threat intelligence programs, with another 41% planning to soon. They see AI as an essential tool for automating threat intelligence. 

These findings were recently released in a CyberRisk Alliance (CRA) report, sponsored by Mimecast, titled “Threat Intelligence: Critical in the Fight Against Cyber Attacks but Tough to Master.” Security professionals surveyed for the report described their threat intelligence programs and how they feed into other parts of their operations, such as network and systems monitoring, vulnerability management, and incident response. This article is the second installment in a three-part series on the CRA report’s findings. (Read the first article, “Report Reveals Growing Reliance on Threat Intelligence.”)

Survey respondents are strongly motivated to automate cyber threat intelligence, in an environment where the volume, velocity, and variety of threats can overwhelm security teams. In fact, they rated automation as the most important aspect of their current threat intelligence program — and the one with which they are least satisfied. While they see a solution to the problem in AI and its subset, machine learning (ML), they also recognize the challenges of implementing and maintaining AI-powered threat intelligence.

AI/ML Shown to Improve Cyber Threat Intelligence

Based on the cybersecurity field’s first few years of experience with AI/ML, security professionals say it helps automate threat intelligence programs in several ways, including:

• Higher Speed: Threat intelligence feed data is analyzed in real time, allowing more rapid response, since AI-based systems are far faster than manual processes. IBM reports that early adopters of AI/ML in automation are cutting the time it takes to detect incidents by one-third.[1]
• Greater Volume: AI/ML can process huge volumes of data.
• Better accuracy: Threat detection improves with AI/ML. And smarter results can be produced over time as AI/ML models are monitored and retrained when they produce false positives or negatives. In Mimecast’s separate State of Email Security 2023 (SOES 2023) report, survey respondents using AI/ML saw the increased accuracy of threat detection as its biggest benefit.
• Reduced Workload: AI/ML can free up security analysts from routine tasks — especially as the technology cuts down on false alerts — helping increase capacity and opportunities for specialization across the security team.
• Lower Costs: Generally speaking, cybersecurity costs are quantifiably reduced by AI-driven efficiency and productivity gains, with IBM estimating a 40% increase in companies’ return on investment in their security programs.
• Better Protection: Nearly half of SOES 2023 respondents who are currently using AI/ML in some part of their cybersecurity program reported better threat prevention as the technology’s second biggest benefit, after better detection.

In short, AI-driven automation can deliver significant improvements in companies’ cybersecurity defenses, even while security teams’ workloads become more manageable. Clearly, security professionals surveyed in the CRA report recognize the potential, ranking AI/ML among their Top 5 requirements for threat intelligence feed solutions, nearly on par with such essentials as “cleanliness/quality of data” and “feed compatibility with our solutions”.

How AI/ML Elevates Cyber Threat Intelligence

The security professionals CRA surveyed rely most heavily on three threat data collection types: malware analysis (75%), indicators of compromise (72%) and open source intelligence (such as public monitors of threat actors, 47%).

AI/ML models analyze these and other feeds for anomalous behavior and suggest remediations if malicious acts are suspected. AI/ML can isolate threats by user, device, or location. The technology can then suggest a response for human security analysts to consider. For example, AI/ML scanners can catch malicious URLs inside email messages, protecting recipients by blocking phishing websites. 

Threat Intelligence Automation ‘Tough to Master’

Security teams today are driven to automate with AI/ML because of their need to analyze bigger data footprints, constantly changing cyberthreats, evolving digital business models, and more remote employees. Yet they face many challenges in deploying AI/ML for automation, whether in off-the-shelf products, customizable solutions, or wholly custom-built tools. Among those challenges:

• AI/ML skills are in short supply for training and retraining models to recognize malicious activity.
• A huge volume of quality data is required to train AI/ML solutions, and many security teams simply do not have it.
• False positives can overwhelm security teams if they don’t have a solid retraining plan in place.
• Any AI/ML solution will degrade over time unless maintained.

The rapid pace of AI/ML innovation is seen alleviating at least some of these shortcomings over time.[2] Meanwhile, security teams are also integrating cyber threat intelligence feeds as part of their move to integrate their various security tools and platforms — creating a stronger foundation for automation. 

The Bottom Line

Security teams are driven to automate their threat intelligence programs in today’s environment of mounting threats, expanding attack surfaces, and a global cybersecurity skills shortage. AI/ML is their technology choice for achieving automation, according to the new CyberRisk Alliance report, “Threat Intelligence: Critical in the Fight Against Cyber Attacks, But Tough to Master.” You can read the full report here.

[1] “AI and Automation for Cybersecurity,” IBM

[2] “The State of AI in 2022,” McKinsey