SentinelOne’s Gregor Stewart on AI in Cybersecurity
Certainly there is massive hype about AI and its potential, and this excitement is as prevalent in cybersecurity as in any tech sector. The attitude among companies almost seems to be: sprinkle some AI magic on the network and – voila! – the perimeter is suddenly well protected.
In contrast, SentinelOne’s Gregor Stewart takes a very pragmatic view of AI in cybersecurity. When I spoke with him in a recent eSpeaks video, he detailed some key ways that companies can use AI to boost the effectiveness of their cybersecurity strategy. Additionally, he spoke in-depth about the challenges of AI, and also noted the human element in AI and cybersecurity.
Founded in 2013, SentinelOne is a cybersecurity company that unites endpoint, cloud, and identity protection with an XDR integration library. Gartner awarded Leader status to SentinelOne in the Endpoint Protection Platform category, placing the company alongside competitors CrowdStrike and Microsoft.
Three Ways to Use AI in your Security Infrastructure
(The following are select highlights from the interview, edited for length and clarity.)
One of the challenges presented by the rise of artificial intelligence is that hackers have AI and know how to use it – they often use AI to launch effective cyberattacks. So for today’s companies, AI is no longer optional; they must use it or be essentially defenseless. As a result, some companies have rushed to deploy AI without fully planning or understanding its uses.
“Customers are right, they know that AI is a value,” Gregor said. “But it only becomes meaningful when it’s used in specific ways.”
There are, he explained, three ways AI becomes valuable when used in a cybersecurity setting.
1) Awareness of Attacks
The first method is that AI enables security professionals to be aware of attacks and other threatening circumstances that they might otherwise miss, even if helped by deterministic software. “So the very flexibility of artificial intelligence over traditional software, and its ability to see patterns across different timescales, across many channels – more than a person can – makes it incredibly valuable.”
For example, “you might see a very slow moving attack, which essentially has a number of different components, which if you were a person looking at logs would be incredibly difficult to see. And if you were using deterministic software, you might only catch small pieces of it, but not be able to bring it into focus as a whole.”
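To make the slow-moving, multi-component attack concrete, here is an added example written for this article; it is not SentinelOne code and does not reflect how their product works. It correlates constructed events from several log channels (auth, process, DNS, netflow) per host over a long window and scores how many stages of an intrusion they cover, so that pieces which are individually harmless come into focus together. The stage names, weights, window length and sample events are all assumptions made for the illustration; the threshold rule beside it stands in for the kind of deterministic check that sees only one piece at a time.

```python
"""Correlate low-and-slow, multi-channel activity into a single finding.

Added illustration, not SentinelOne code. Each constructed event below is low
volume and would not trip a per-event rule on its own; grouping them per host
across channels and days is what reveals the sequence.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events spanning nine days. ws-17 is the slow attack;
# ws-42 only shows routine login noise.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:11:00", "host": "ws-17", "channel": "auth",    "type": "failed_login"},
    {"ts": "2024-03-01T02:14:00", "host": "ws-17", "channel": "auth",    "type": "failed_login"},
    {"ts": "2024-03-03T23:40:00", "host": "ws-17", "channel": "auth",    "type": "login_success"},
    {"ts": "2024-03-05T01:05:00", "host": "ws-17", "channel": "process", "type": "new_scheduled_task"},
    {"ts": "2024-03-07T03:20:00", "host": "ws-17", "channel": "dns",     "type": "rare_domain_query"},
    {"ts": "2024-03-09T04:02:00", "host": "ws-17", "channel": "netflow", "type": "outbound_upload", "bytes": 900_000_000},
    {"ts": "2024-03-02T09:00:00", "host": "ws-42", "channel": "auth",    "type": "failed_login"},
    {"ts": "2024-03-02T09:01:00", "host": "ws-42", "channel": "auth",    "type": "login_success"},
]

# Assumed stage model: an event type satisfies a stage; a stage counts once per
# host no matter how many events match it.
STAGES = {
    "initial_access": {"failed_login", "login_success"},
    "persistence": {"new_scheduled_task"},
    "c2": {"rare_domain_query"},
    "exfiltration": {"outbound_upload"},
}
# Assumed weights: later stages are stronger evidence than noisy early ones.
WEIGHTS = {"initial_access": 1, "persistence": 2, "c2": 2, "exfiltration": 3}


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample events."""
    return datetime.fromisoformat(value)


def threshold_rule(events, bytes_limit=1_000_000_000):
    """A deterministic single-event rule: flag hosts with one upload above the
    limit. It looks at each piece in isolation, so the 900 MB upload above
    never fires."""
    return sorted({e["host"] for e in events
                   if e["type"] == "outbound_upload" and e.get("bytes", 0) > bytes_limit})


def correlate(events, window=timedelta(days=14), min_stages=3):
    """Slide a window over each host's events; report hosts whose events cover
    at least min_stages distinct stages seen on more than one channel. Keeps
    the highest-scoring window per host."""
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_host[event["host"]].append(event)

    findings = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            t0 = parse_ts(start["ts"])
            in_win = [e for e in evs[i:] if parse_ts(e["ts"]) - t0 <= window]
            stages = {s for e in in_win for s, types in STAGES.items() if e["type"] in types}
            channels = {e["channel"] for e in in_win}
            if len(stages) < min_stages or len(channels) < 2:
                continue
            score = sum(WEIGHTS[s] for s in stages)
            previous = findings.get(host)
            if previous is None or score > previous["score"]:
                findings[host] = {
                    "score": score,
                    "stages": sorted(stages),
                    "channels": sorted(channels),
                    "span_days": (parse_ts(in_win[-1]["ts"]) - t0).days,
                }
    return findings


if __name__ == "__main__":
    print("threshold rule flags:", threshold_rule(SAMPLE_EVENTS))
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding)
```

Run as a script it prints an empty list for the threshold rule and a single finding for ws-17 covering all four stages over eight days. The window length and stage weights are the environment-specific parameters a real system would have to tune; the point of the example is only that the evidence has to be assembled across channels and time before it is visible at all.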
2) Apply Policy
The second method for deploying AI is to flexibly apply a policy to a set of specific circumstances.
For instance, say that a company has a policy that none of its sensitive data should leave certain parts of its infrastructure. However, “we’re seeing that a certain set of actions is an attempt at exfiltration…then how do I either stop it or change configuration to prevent that?” Assistance with this issue is a crucial advantage of AI.
Additionally, “your environment may be different from a more general one and you may need specific parameters to be identified so that an attack can be rebuffed effectively,” Stewart said. In the past this was done manually. “You would write these little bits of code or no code in these SOAR type environments, but it was incredibly difficult to keep up to date as policy changed.” AI has dramatically streamlined this process.
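The policy Stewart describes can be written down as data rather than as the hand-maintained SOAR snippets he mentions, which is what the added example below does; it is an illustration for this article, not SentinelOne or Purple AI code. The zones, labels, exempt process and isolation threshold are constructed, environment-specific parameters, and the evaluation logic is deliberately generic so that changing the policy means editing the dictionary, not the code.

```python
"""Policy-as-data for an exfiltration rule.

Added illustration, not SentinelOne code. The rule "sensitive data must not
leave the restricted part of the infrastructure" is expressed as data; the
evaluator applies it to one transfer event and returns a decision plus the
response actions to take.
"""
from ipaddress import ip_address, ip_network

# Constructed, environment-specific parameters. In a real deployment these
# would come from the asset inventory and data-classification labels.
POLICY = {
    "zones": {
        "restricted": ["10.10.0.0/16"],   # where sensitive data is allowed to live
        "corp": ["10.20.0.0/16"],
    },
    "sensitive_labels": {"pii", "secret"},
    # (source zone, destination zone) pairs that sensitive data may traverse.
    "permitted_flows": {("restricted", "restricted")},
    # Sanctioned processes whose transfers are allowed but audited.
    "exempt_processes": {"backup-agent"},
    # A blocked transfer larger than this also isolates the source host.
    "isolate_above_bytes": 100_000_000,
}


def zone_of(ip, policy):
    """Map an address to a named zone; anything unmatched is 'external'."""
    addr = ip_address(ip)
    for name, cidrs in policy["zones"].items():
        if any(addr in ip_network(cidr) for cidr in cidrs):
            return name
    return "external"


def evaluate(event, policy=POLICY):
    """Return {'decision', 'reason', 'actions'} for one transfer event."""
    src_zone = zone_of(event["src_ip"], policy)
    dst_zone = zone_of(event["dst_ip"], policy)

    if event["label"] not in policy["sensitive_labels"]:
        return {"decision": "allow", "reason": "data not sensitive", "actions": []}
    if (src_zone, dst_zone) in policy["permitted_flows"]:
        return {"decision": "allow",
                "reason": f"{src_zone}->{dst_zone} is a permitted flow", "actions": []}
    if event["process"] in policy["exempt_processes"]:
        return {"decision": "allow", "reason": "exempt process", "actions": ["audit_log"]}

    actions = ["block_transfer", "alert_soc"]
    if event["bytes"] > policy["isolate_above_bytes"]:
        actions.append("isolate_host")
    return {"decision": "block",
            "reason": f"sensitive data leaving {src_zone} for {dst_zone}",
            "actions": actions}


# Constructed sample transfers.
SAMPLE_TRANSFERS = [
    {"src_ip": "10.10.4.7",  "dst_ip": "203.0.113.9", "label": "pii",    "bytes": 750_000_000, "process": "curl"},
    {"src_ip": "10.10.4.7",  "dst_ip": "10.10.9.2",   "label": "pii",    "bytes": 20_000,      "process": "sqlclient"},
    {"src_ip": "10.10.4.7",  "dst_ip": "10.20.1.1",   "label": "public", "bytes": 5_000_000,   "process": "smbclient"},
    {"src_ip": "10.10.4.7",  "dst_ip": "10.20.1.1",   "label": "secret", "bytes": 1_000_000,   "process": "backup-agent"},
    {"src_ip": "10.20.3.3",  "dst_ip": "10.10.4.7",   "label": "secret", "bytes": 9_000_000,   "process": "scp"},
]

if __name__ == "__main__":
    for transfer in SAMPLE_TRANSFERS:
        print(transfer["label"], transfer["src_ip"], "->", transfer["dst_ip"], evaluate(transfer))
```

The last sample transfer is worth noting: secret data moving from the corp zone into the restricted zone is still blocked, because the policy only lists restricted-to-restricted as permitted. Whether that is the intended behaviour is a policy question, and the point of keeping the policy in data is that answering it does not require touching the evaluator.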
3) Speed of Action
The third advantage of AI in security, which is essentially a composite of the first two, is speed of action.
“So the ability to see things and the ability to flexibly apply a complex policy in order to either rebuff an attack or find ways to mitigate potential attacks is the chief advantage here,” Stewart said. “The ability of an organization to perceive problems and fix them very quickly is the core of being secure. The faster you can do that, the more preemptively you can do that, the better.”
And of course AI can move far faster than humans – and this greater speed will only increase in the years ahead.
SentinelOne Cybersecurity: Purple AI
SentinelOne’s Purple AI solution is central to the company’s AI cybersecurity offering. I spoke with Stewart about how it improves a client’s cybersecurity.
Purple, Stewart explained, focuses on helping analysts perform the complex tasks that they do now – but perform them faster and more effectively.
Security analysts often focus on threat hunting. For this task, “they want to go proactively into the data that the system has been collecting and see if there are threats that haven’t been detected. Perhaps there are notes on certain activity from a threat actor and they want to see if there are any indications that weren’t otherwise picked up in the environment.” This task requires them to understand three things: what data is being collected, the data’s format, and the query language used to retrieve it.
“To summarize, they are often answering security-related questions in the course of threat hunting that requires you to translate your natural thought into a domain specific language, and you need to have all this knowledge of the dataset and its structure.”
Purple enables cybersecurity professionals to avoid having to learn these things, so they can focus on more effective pursuits. As a consequence, “you can stay at the level of intent – you ask a natural language question, and it gets turned into a query for the security data lake, and you get a response back.” In essence, AI translates intent into rapid action, which allows security pros to move faster than the hackers.