
AI Agents for Cybersecurity: Enhancing Automation & Threat Detection

IBM Technology

Transcript source: YouTube auto-generated captions

[0:00]Cybersecurity threats increase as data volumes grow and finding real threats hidden among the noise of all that data is a challenge. And there's a chronic shortage of cybersecurity professionals like yourself, Jeff. Yes, in fact, there's an estimated 500,000 open cybersecurity jobs in the US alone. Half a million more Jeff Crumes is a bit of a terrifying thought. Indeed, and even more terrifying is the fact that even if we had all of those people today, we might still be falling behind. But AI agents powered by large language models are augmenting cybersecurity experts with agents that can think, act, and reason within defined boundaries. I'm not sure an augmented Jeff is making me feel any better about things, but well, we've had traditional security tools for years that follow static rules or use narrow machine learning models. These AI agents, they can do a lot more. Right, cybersecurity AI agents use generative AI's ability to understand natural language and context to empower dynamic, autonomous security operations. So, let's first of all compare how LLM-powered agents differ from a traditional cybersecurity workflow. Then we're going to cover some applications of AI agents in cybersecurity operations and then we're going to address some limitations and risks that AI agents bring to the cybersecurity landscape. Traditional cybersecurity workflows rely heavily on predefined rules, signature-based detection and playbooks crafted by humans. Many of these are static rules-based processes that don't adapt unless they're manually updated. Right, so for example, a typical incident response process is a fixed sequence. So, an alert comes in, an analyst friend here gathers data and references known threat indicators, and then follows the documented procedure. Now, machine learning algorithms are applied in specific areas like anomaly detection or malware file classification.
But these models, they're quite narrow, they're trained for single tasks under fixed patterns. Whereas agents are more dynamic and adaptive. And by agent, we specifically mean a system that uses an LLM to autonomously decide on actions and interact with its environment in real time. Right, AI agents can ingest structured log files as well as unstructured inputs like written reports and security advisories and common vulnerabilities and exposures descriptions. They can interpret intent and context and choose which tools to query to execute next. And that might be to call out to an external tool, for instance calling a threat intelligence API or querying a database, running a federated search across security information sources or running a script. And then using the result of that call to inform the agent's next steps. Which means security workflows can be adjusted on the fly, the agent kind of thinks about what data is needed or what action to take based on live information, much like a human analyst would. And in cybersecurity, where attackers constantly change tactics, this level of adaptability is especially valuable. AI agents can handle unexpected scenarios or cleverly disguised attacks better than a brittle script. Exactly, AI agents powered by LLMs, large language models, they bring natural language understanding and reasoning and adaptability into security workflows. An agent might correlate disparate clues or interpret nuanced patterns that a single-purpose ML model or a signature might miss. In fact, agentic workflows are reported to cut investigation times quite significantly. What might have once taken 3 hours can now be achieved in as little as 3 minutes without sacrificing accuracy. And unlike us overworked humans, the AI agents don't get tired. There's less variability due to an individual analyst's experience or fatigue. So, at a high level, this all sounds good, but let's discuss some applications of AI agents in cybersecurity operations.
And we'll start with threat detection. An LLM agent can analyze raw event data or alerts in plain language and determine if they narratively suggest malicious activity. So, given a series of logs, an agent might pick up on an unusual sequence that wasn't really explicitly coded as a rule, and research indicates that LLMs can detect malicious intent in text-based data, sometimes actually better than humans or traditional methods. In practice, AI agents in security operations centers are being used to triage alerts rather than completely replace detection engines. When an alert triggers, the agent automatically pulls in related data in a data-gathering exercise. Things like cloud logs, identity logs, and EDR telemetry to decide when an alert represents a real threat. And these agents can reduce noise by summarizing and grouping alerts, generating insights like "these 50 alerts together, they actually indicate a single port scan attempt, not 50 separate incidents." When it comes to security advisories, agents can answer the question, am I affected? When it comes to incident response, agents can help answer the question, how am I affected and how bad is it? They can derive the likely cause of an alert by searching knowledge bases and correlating information. This can be far faster than a human manually digging through logs or Googling security sites for similar incidents. Now, when it comes to phishing detection, the semantic analysis capabilities of AI agents go beyond more traditional methods of using spam filters and blacklisting URLs and heuristic rules. Unlike a static filter, an AI agent can consider a wide range of factors, like writing style. Does the email try to create a sense of urgency or fear? Yeah, exactly. That agent, Jeff. It can also analyze consistency with past communications. Does this sender normally talk this way? Uh, yeah, and then look for the presence of social engineering cues. Please purchase these gift cards. What a bargain.
Yeah, exactly those factors. When it comes to malware analysis, an LLM can read through code and explain it in natural language, effectively acting as a junior reverse engineer. So an analyst can give an agent a piece of suspicious code and the agent, using an LLM, breaks that code down, explaining each section and identifying any suspicious API calls. AI agents can also assist with vulnerability management, risk management, threat hunting, and just a whole bunch more besides, but I think we do need to be careful not to create the impression that AI agents are the solution to all of our cybersecurity problems. Yes, AI agents in cybersecurity come with limitations and risks that must be managed, like hallucinations. We all know that LLMs sometimes produce incorrect or fabricated information. Current models can make confident assertions that are just plain wrong, like an AI agent falsely summarizing that system X is clean when it actually isn't, or suggesting a wrong remediation that could disrupt systems. Which is exactly why we need explicit guardrails. You typically don't want an autonomous agent with the power to execute any action it thinks is right on production systems without checks. The best practice is to confine agent actions to read-only or to low-risk situations and require human confirmation for high-risk steps like, well, shutting down a server. Adversarial manipulation is another area of concern. Attackers might attempt to deceive or exploit AI agents. That includes indirect prompt injection. An attacker could craft input data, like log entries or email content, that includes a prompt to the agent to ignore certain alerts or to output false information, which is another reason for adding additional layers of validation before allowing agents to execute actions autonomously on high-stakes systems. AI agents can vastly improve things like threat detection, but they're not always 100% right.
It can lead to false positives, such as flagging benign behavior as malicious. Continuous feedback from analysts can be used in reinforcement learning to improve the AI's precision for a specific environment and then reduce these false positives over time.

[8:43]There's also overfitting. We talk all the time about AI models overfitting to their training data, but if analysts begin to blindly trust the agents, it's the human analyst decisions that may overfit to an AI output. Well, yeah, but it's important to keep humans in the loop, of course, and to maintain a culture of healthy skepticism. To trust but verify, an AI should assist thinking, it shouldn't replace it entirely. In fact, one could argue a more automated system is actually higher risk because it might hallucinate. Or you could say humans are more error-prone because they make careless errors, so there's really a middle ground to be found here. In essence, deploying an AI security agent requires careful risk management itself. Right, you should apply the same caution as deploying any powerful automation or even a new team member. Start with limited permissions, test extensively, review its work outputs and gradually increase trust as it proves consistent. Okay, Jeff, so assuming that we mitigate those risks, how would this ideally work? Great question. I like this. So, what we could do is start off with a system that collects information from lots of different security sources, like a security information and event management system. Then we enrich that information from threat intel sources. We correlate across multiple sources, multiple systems, then we predict based upon patterns that we've seen before. We can rank the information based upon risk, triage based upon priorities that we've assigned to these individual incidents. And then reference other frameworks like the MITRE ATT&CK framework to enrich the information even more. And then ultimately recommend a response that someone takes. Finally, we're going to take all of this and document it in the form of a ticket or a case.
So, you can see what's happened here is we've basically taken the research part that the analyst would have had to have done manually, and we've automated that through the agent. Okay, Martin, I think it's safe for you to come on back. We haven't completely replaced you with an AI agent. Not. Well, look, AI agents powered by large language models, they're ushering in a new era of cybersecurity operations, one where machines take on intelligent roles alongside humans. AI agents for cybersecurity are handling a deluge of alerts, they're dissecting malware samples, they're drafting incident reports. Essentially, these agents are augmenting the human capabilities of cybersecurity analysts, and unless we find another 500,000 Jeff Crumes from someplace, AI agents will continue to play a growing role in cybersecurity, empowering organizations to better respond to cybersecurity threats.
