Responding and Adapting to Cyber Threats Using Artificial Intelligence and Automation

The world of cyber defense is becoming increasingly complicated as technology evolves and as bad cyber actors become more sophisticated.

The challenge becomes more complex as enterprise attack surfaces continue to grow. For example, organizations keep adding fixed and mobile devices, and a large organization may have hundreds of thousands of them. These devices, in turn, collect and store more and more sensitive and proprietary data that needs to be protected. The result is a rise in attack vectors, the means by which an attacker can gain access to a computer or network server. It also means that maintaining an organization's security posture is gradually exceeding the capacity of humans alone.

Artificial intelligence (AI) combined with human expertise is the most practical way to close this gap. With machine learning (ML), a subset of AI, algorithms can rapidly assess high volumes of security events and identify potential threats, ranging from malware to high-risk human behavior. These algorithms learn from historical data and patterns, so they can flag activity that matches no pre-written signature and can take on more of the decision-making over time. Because they adapt as the data changes, ML-based detection can keep pace with attackers better than static, rules-driven approaches alone. The caveat is that a model learns only what its training data contains, so data quality and coverage decide how much of this benefit actually materializes.

Many organizations are struggling to understand the distinctions among AI; ML; robotic process automation (RPA); and security orchestration, automation, and response (SOAR)—and which technology would most benefit their security posture. The answer: it depends. Each technology has use cases that maximize its capabilities and features. Independently, each one is useful for unique use cases, but combining them can produce powerful results:

  • RPA is most suited to automating well-defined and standardized business processes with expected outcome/outputs
  • SOAR does not detect attacks on its own; it ingests alerts from detection sources such as security information and event management (SIEM) and endpoint tools, enriches and correlates them, and runs playbooks that automate the response steps
  • AI and ML add additional value because they can be integrated with the tools mentioned above to provide in-depth analysis of the available data and to automate decision-making for many cybersecurity functions

The first step in applying these technologies is to select one or more business needs that currently require heavy human intervention. Business problems that depend on human inference, cognitively demanding processes, or complex decision-making are good candidates. Alongside the business problem, you will need to collect the available data, including images and structured or unstructured data, that adequately represents the problem space.

Tetra Tech’s Innovation Lab and cyber experts have been actively working to develop solutions for increasing automation in cyber defense. For example, we developed an RPA bot for security compliance that performs system security plan (SSP) validation checks in minutes. We are actively working with our customers to define new use cases for AI and related technologies and researching new ways of looking at AI and cyber, such as developing a solution based on our AI chatbot, Auxilium. This solution aims to leverage natural language processing to detect social engineering threats that are commonly generated from outside the United States by non-native speakers.

Generally, the use of AI and related technologies helps minimize or mitigate the impact of cyberattacks. The benefits of implementing AI and related technologies in a cyber context include:

  • Detecting threats and identifying indicators of compromise that may not be discovered using traditional cyber detection mechanisms
  • Delivering consistently up-to-date knowledge of threats to help make critical prioritization decisions 
  • Improving understanding and ability to automate responses to cyber incidents 
  • Utilizing resources efficiently by focusing cybersecurity staff on high-value activities instead of repetitive tasks
  • Maximizing existing investments in tools and data initiatives
  • Identifying anomalous behavior proactively at all layers in context (e.g., people, assets, networks)
  • Leveraging AI’s natural language capabilities to understand the origination of cyberattacks
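The contrast drawn above between rules-driven detection and a learned model, and the benefit of spotting anomalous behavior in the context of a specific user, is easiest to see side by side. The following is an added example written for this page, not code from Tetra Tech, Auxilium, or any product mentioned here. It builds a per-user baseline of login hour and source country from constructed history, then scores new logins by how surprising they are for that user, next to a fixed business-hours rule. The log line format, user names, countries and the 3.5-nat threshold are all assumptions made for the example.

```python
"""Per-user behavioural baseline versus a fixed business-hours rule.

Added example with constructed data; not code from the original article.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed log format (an assumption for this example, not a real product's):
#   2024-03-01T09:12:00Z login user=alice src_country=US result=success
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z login "
    r"user=(?P<user>\w+) src_country=(?P<cc>[A-Z]{2}) result=(?P<result>\w+)$"
)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"user": m["user"], "hour": int(m["hour"]),
                           "cc": m["cc"], "result": m["result"]})
    return events


def rule_flags(events, start=8, end=18):
    """Static rule: any successful login outside business hours is suspicious."""
    return [e for e in events if e["result"] == "success" and not start <= e["hour"] < end]


class Baseline:
    """Per-user histograms of login hour and source country, learned from history."""

    def __init__(self):
        self.n = Counter()                      # successful logins per user
        self.hours = defaultdict(Counter)       # user -> hour -> count
        self.countries = defaultdict(Counter)   # user -> country -> count

    def fit(self, events):
        for e in events:
            if e["result"] != "success":
                continue                        # failed attempts do not define "normal"
            self.n[e["user"]] += 1
            self.hours[e["user"]][e["hour"]] += 1
            self.countries[e["user"]][e["cc"]] += 1
        return self

    def score(self, e):
        """Surprise in nats: -log P(hour|user) - log P(country|user), add-one smoothed.
        Returns None when the user has no history (a brand-new account is its own signal)."""
        u = e["user"]
        if self.n[u] == 0:
            return None
        p_hour = (self.hours[u][e["hour"]] + 1) / (self.n[u] + 24)
        # one extra pseudo-category reserves probability mass for never-seen countries
        k = len(self.countries[u]) + 1
        p_cc = (self.countries[u][e["cc"]] + 1) / (self.n[u] + k)
        return -math.log(p_hour) - math.log(p_cc)

    def flags(self, events, threshold=3.5):
        """Flag successful logins whose surprise exceeds the threshold (P below e^-3.5, about 3%)."""
        out = []
        for e in events:
            if e["result"] != "success":
                continue
            s = self.score(e)
            if s is None or s > threshold:
                out.append(e)
        return out


def _line(day, hour, user, cc, result="success"):
    return f"2024-03-{day:02d}T{hour:02d}:00:00Z login user={user} src_country={cc} result={result}"


# Constructed history: alice is a day-shift user, bob a night-shift SOC analyst.
ALICE_HOURS = [9, 9, 10, 10, 11, 11, 12, 13, 14, 14, 15, 15, 16, 16, 9, 10, 11, 13, 14, 15]
BOB_HOURS = [22, 22, 23, 23, 0, 0, 1, 1, 2, 2, 3, 3, 22, 23, 0, 1, 2, 22, 23, 0]
HISTORY_LOG = "\n".join(
    [_line(i + 1, h, "alice", "US") for i, h in enumerate(ALICE_HOURS)]
    + [_line(i + 1, h, "bob", "US") for i, h in enumerate(BOB_HOURS)]
)

# Constructed events to score; the ones a rule alone gets wrong are the point.
NEW_LOG = """
2024-03-25T23:00:00Z login user=bob src_country=US result=success
2024-03-25T14:00:00Z login user=alice src_country=RU result=success
2024-03-25T10:00:00Z login user=alice src_country=US result=success
2024-03-25T03:00:00Z login user=alice src_country=US result=success
"""


def compare():
    """Return (rule_flagged, baseline_flagged) as lists of 'user@hour/cc' labels."""
    baseline = Baseline().fit(parse(HISTORY_LOG))
    new = parse(NEW_LOG)

    def label(e):
        return f"{e['user']}@{e['hour']:02d}/{e['cc']}"

    return [label(e) for e in rule_flags(new)], [label(e) for e in baseline.flags(new)]


if __name__ == "__main__":
    rule, learned = compare()
    print("rule-based flags:", rule)
    print("baseline flags:  ", learned)
```

Run as a script, the rule flags bob's 23:00 login (his normal shift) and misses alice's midday login from a country she has never used; the baseline does the opposite, and both agree that alice at 03:00 is unusual. The same smoothing that scores an unseen country also keeps a single rare hour from dominating the score, and an account with no history is returned as a flag rather than silently scored as normal.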

Branko Primetica

Branko Primetica has more than 20 years of experience as an information technology (IT) executive in process and performance improvement, DevSecOps, technology modernization, and artificial intelligence. Branko has supported multiple U.S. federal agencies with these initiatives, resulting in more than $300 million in cost savings due to integration of emerging technology and consolidation and modernization of redundant IT systems.

A thought leader and published author, Branko has been recognized for his achievements and expertise with multiple awards, including the Rising Star Award and the Fed 100 Award. He received a certificate of recognition from the American Council for Technology-Industry Advisory Council (ACT-IAC) and was named a finalist for the Northern Virginia Technology Council's Chief Technology Officer (CTO) Innovator of the Year Award. Branko also has co-authored various industry-focused publications, including the Practical Guide to Federal Service Oriented Architecture, the Federal Cloud Computing Strategy, the U.S. Government's IPv6 Transition Roadmap, and the Federal Risk and Authorization Management Program (FedRAMP) guidelines. Additionally, he has served as a co-lead for the National Defense Transportation Association's Mentoring Program, served on the U.S. Cloud Computing Commission, and has consulted for global forums on current IT trends (including the U.S. Congress, Asia-Pacific Economic Cooperation (APEC), and the governments of Serbia and Poland).