RSA 2024: Real world cybersecurity uses for GenAI
The RSA Conference next week will feature lots of GenAI rhetoric, but cybersecurity professionals are already trying GenAI out in areas including security hygiene and posture management, incident response, and threat intelligence analysis.
At the mecca of security gatherings in San Francisco May 6-9, the hyperbolic topic du jour will be generative AI – particularly governance, threats, and how generative AI can provide a defender’s advantage.
Trade shows like RSA are always filled with product and industry embellishment. So, the first question worth asking is this: Are security professionals even interested in generative AI?
According to Enterprise Strategy Group research, the answer is yes — and overwhelmingly so. When asked if their organization uses open GenAI applications like ChatGPT for cybersecurity, 75% of security professionals reported they do so regularly while another 19% use open GenAI on an occasional basis.
A lot of this is pure experimentation, but regardless, GenAI is rapidly becoming a go-to tool for threat analysts, malware analysts, red teamers, and others.
To dig further, we asked security professionals to identify the use cases where they are using GenAI in any capacity today. Here’s what we found.
GenAI for security hygiene, posture management
Nearly one-third (31%) of survey respondents said they use GenAI for security hygiene and posture management analysis and prioritization.
Boy, does this make sense to me. The attack surface is constantly growing and changing, leading to tons of vulnerabilities and critical exposures. The bad guys know this and are experts at exploiting these security gaps.
When applied here, GenAI can help security teams identify high-risk vulnerabilities on the attack path, enabling them to prioritize the right actions for cyber-risk mitigation.
Analyzing security data sources
Twenty-four percent said they use GenAI to analyze security data sources and determine which ones should be optimized or eliminated.
I’ve been saying it for years but it’s worth repeating here: cybersecurity is a big data application. Unfortunately, many organizations interpret this to mean that they must collect, process, and analyze everything, while others anchor security to the old standbys like logs, EDR data, and network telemetry, and miss other valuable data sources completely.
AI has the potential to analyze data sources based on things like targeted industry threats, known TTPs, the MITRE ATT&CK framework, and past security breaches, and then suggest ways to optimize security data management. Less data and better efficacy? I think any CISO would eagerly pursue these benefits.
Incident response and investigations
Twenty-two percent of our survey respondents said they use GenAI for incident response and forensic investigations.
This is one of the mainstream use cases we’ll hear a lot about at RSA. GenAI can automate response actions or at least guide analysts in the right direction. GenAI could also be a helper app for forensic investigators, easing the process of determining what happened and when. It’s all about improving the security team’s efficiency.
GenAI for threat intelligence
Twenty-two percent said they use GenAI for threat intelligence analysis. This is bound to be a major use case. Threat intelligence analysis is an advanced skill that many organizations can’t afford, or they can’t find security pros with the right skill set to hire.
In the past, many firms lived with this deficit and tried to focus on blocking IoCs or known malware, but this strategy is no longer effective as adversaries use social engineering tactics and living-off-the-land techniques to push attacks under the radar.
The key objectives with threat intelligence today are getting ‘left of boom’ (i.e. responding to attacks before they happen) and understanding strategic business risks associated with all things IT. CISOs will lean on GenAI to bridge the threat intelligence analysis gap, with tools that filter massive amounts of threat intelligence data and produce customized analysis based on an organization’s size, location, industry, and existing defenses. Service providers in the threat intelligence analysis space will use GenAI tools as they take this on as a proxy for customers.
Risk scoring with GenAI
Twenty-one percent said they use GenAI for risk scoring. Enterprises typically have thousands of open software vulnerabilities at any time. Using methods like CVSS scores to prioritize patching still leaves them with hundreds, if not thousands, of remediation tasks for IT operations.
GenAI can help correlate software vulnerabilities to factors such as known threats, adversary ‘chatter,’ and asset value, and then churn out reports that highlight patching priorities for security and IT teams. These reports may also turn into automated remediation actions over time.
One consistent thing I hear from security professionals is their interest in GenAI capabilities like natural language query, report creation, and recommendations. These are already helping security pros with time management — a critical need in an era of continual security skills shortages and overwhelming workloads.
In summary, the 2024 RSA security conference will be all abuzz with GenAI hype and vendor ga-ga, but for good reason. My esteemed colleague, Dave Gruber, will present more ESG research data on Generative AI in a session at the conference on May 9.
Jon Oltsik is analyst emeritus and founder of TechTarget’s Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.
Enterprise Strategy Group has business relationships with vendors.