Why We’ll See AI in Security Operation Centers Sooner Rather Than Later

Art by Pinguino Kolb



I’ve had a few debates with InfoSec colleagues of mine about the current and future efficacy of AI within the security field.



Their general stance is that AI for InfoSec is crap, garbage, and snake oil, and that it will continue to be so for the foreseeable future. It’s basically too hard a problem to emulate the complexity and creativity of what an analyst does, etc.



I agree that this is the current state, but I believe this will change very quickly. I also can’t help but notice that these are the exact noises that were made about Chess, Go, and Poker, and in the span of around 11 seconds of time we’ve seen those challenges go from insurmountable to trivial.



They have the advantage of having messed with a lot of these bad products, while I’ve not. I think I have the advantage of reading a ton of books about AI, and watching the field closely. And not just reading the stuff myself, but consuming what the best minds are saying about how quickly it’s improving. I recommend What to Think About Machines That Think for getting some of that perspective. I’m also quite familiar with the challenges of being a security analyst.



Anyway, let’s call that a draw for the sake of argument, since I believe I have a winning play.



The standard for AI to become useful (and therefore prolific) within InfoSec is not being better than humans—it’s being able to do just about anything at all.



Just as with satellite imagery analysis, audio recording analysis, security camera monitoring, log data analysis, and other similar disciplines, the case against humans (and for AI) is multidimensional.




First, and most importantly—there aren’t enough humans to look at the content.
The marginal cost of training humans is the same as training the first one, whereas it’s virtually zero for adding additional AIs.
Humans are trained inconsistently.
Humans get tired and bored.
Humans have biases that can vary their analysis even if the training were consistent.


The list goes on, but the most important points are that there aren’t nearly enough humans to look at the content that needs to be seen, and even if there were we wouldn’t be able to see nearly the same amount of content—or as consistently—as a fleet of AIs.



The straw man everyone is attacking is the idea of AI security agents becoming smarter and more creative than a fully trained L1 or L2 analyst. That could take 5, 10, or 20 years—or could never happen at all. I believe it will happen much sooner, but I’m agnostic on this point.



But it doesn’t matter.



What matters is the value that AI can bring to the thousands upon thousands of companies generating terabytes of log data that nobody is looking at.



If AI agents can be unleashed on all that data and find something, anything, of value in the mess—and then surface that to a human—then it’ll be invaluable and the market around AI security analysts will thrive.



In short, it’s a low bar because of how much data is currently not being analyzed at all, and because that bar is so low I think we’ll hit it sooner than most think.



So my prediction for this is that we’ll see companies using AI analyst technologies pointed at IT and IS exhaust data in significant numbers within five years. That doesn’t mean replacing L1 analysts. It means needing to hire fewer of them, or hiring them to be L2 analysts instead.



And, importantly, it means a whole lot more of the data produced within a company being seen by someone—even if that someone is an algorithm.






Stay curious,


Daniel

Published on November 26, 2017 22:24


Daniel Miessler's Blog
