A Practical Overview of AI in Security Operations

A lot is being thrown around right now about agentic systems, AI agents, autonomous security operations centers, and everything in between. Vendors are hyping capabilities — some that are here and now and many more that are far off in the future. Many of the clients I work with are confused about which capabilities are real now and which will come down the road.

Read below for a breakdown of common questions we get about generative AI, to bring a little clarity to a confusing topic.

What is Generative AI?

Generative AI (or genAI) refers to a type of artificial intelligence designed to predict the next likely item in a given context. This capability is crucial for understanding complex structures like human languages, which can be unpredictable. Popular models typically rely on vast datasets filled with human-written content.

In security, generative AI manifests through three primary use cases:

1. Content Creation: Generating incident summaries or reformatting query languages.
2. Knowledge Articulation: Using chatbots for threat research or product documentation.
3. Behavior Modeling: Implementing triage and investigation agents to respond to security incidents.

Use Cases for GenAI Chatbots in Security

Chatbots like Claude, Gemini, and ChatGPT, alongside security-focused equivalents like Microsoft Security Copilot, leverage large language models (LLMs). These tools excel at providing answers to open-ended questions, creating nuanced responses, and adapting to various security-related subjects.

However, while the potential is significant, practitioners often underutilize these chatbots. Most frequently, users turn to them for queries related to product documentation or specific threats. Beyond these scenarios, the chatbot’s application tends to diminish, leaving its full potential largely untapped.

Core GenAI Capabilities in Security Tools

When excluding chatbots, genAI is integrated into security tools in several common ways, enhancing the analyst’s experience:

• Summarization: Quickly generating summaries of alerts or threats to streamline analysis.
• Report Writing: Automating the generation of reports on threats and incidents.
• Code Writing: Assisting in the creation of patches, exploits, or queries.
• Script Analysis: Breaking down code or scripts for better understanding.
• Language Translation: Translating between different programming or query languages.

These functions help improve efficiency and ease the burden on security professionals, allowing them to focus on more complex tasks.

The Role of AI Agents in Security

The introduction of AI agents marks a significant advancement in generative AI applications for security operations. These agents are specifically designed to follow strict instructions and execute particular tasks, responding to defined events like alerts or indicators of compromise.

It’s important to differentiate between invoking AI for a function and having an AI agent. For instance, a feature that generates incident summaries isn’t necessarily an AI agent; it might just be an application of an LLM. True AI agents manage specific tasks, maintain state throughout their processes, and encapsulate their functions to deliver reliable results.

Market examples include AI agents offered by CrowdStrike, ReliaQuest, and Intezer. These agents focus on specific tasks within incident response, displaying a high level of precision due to targeted training.

What is Agentic AI in Security Tools?

Agentic AI combines multiple AI task agents that work together towards a common objective. These agents communicate with each other to enhance their effectiveness.

An example of an agentic system in action could involve a phishing triage agent first confirming a phishing attack before consulting an endpoint triage agent that verifies the attack’s scope. This collaborative approach allows for a more exhaustive investigation and enables better-informed response actions.

A Word of Caution: Current Limitations

While agentic systems promise a revolutionary shift in security operations, they have limitations and are still evolving. Currently, many tools support only a limited range of use cases, and not all functions are universally available.

Challenges remain in data acquisition for effective triage, integration of systems for seamless communication, and ensuring consistent output quality from AI agents. Managing these complexities continues to be a work in progress, underscoring the need for a realistic perspective on current capabilities.

Engage and Learn More

For those invested in security and technology, attending industry events can provide insights into the latest advancements and practical applications of generative AI and AI agents. Engaging with industry professionals can help navigate this evolving landscape.