Hybrid AI: The cyborg version of a SOC

Hybrid AI is here to stay.


What do you get when you combine the experience and expertise of a cybersecurity expert with the processing and evaluation power of artificial intelligence? A cybercrime-fighting cyborg.

As cartoonish as that may sound, hybrid artificial intelligence is very real, and according to SC Magazine, it may be the foundation for the future of cybersecurity. We can rest assured that computers and people will not be sharing bodies any time soon; however, they are both already playing critical, complementary roles in the modern security operation center.

Let’s take a closer look:

Automated threat detection

Machine-learning algorithms have been used in just about every industry for a variety of productivity functions. Traditional applications require explicit, rules-based programming to make sense of data. They need to be told what to do, or when to stop doing something. AI, on the other hand, can understand much more with leaner scripts. This is partially because it is programmed to evaluate information according to certain features (yellow, sweet, fruit), rather than seeing each individual piece of data as a singular, quantitative entity (banana). This makes it possible to then define, understand, group and differentiate significant amounts of data with less programming – case in point, interpreting the massive quantities of network metadata to differentiate between normal activity, and abnormal or threatening activity.

That deep level of threat hunting isn’t something a human could do as effectively or as quickly as a collection of finely tuned algorithms backed up by processing power. There’s just too much data on a network to sift through. Sure, creating rules for certain activities can prevent known threats at bay. For instance, a firewall or web filter can detect known malware signatures. But modern networks are incredibly dynamic. Some activity that may quantitatively appear harmless (for instance, an authorized cloud user viewing privileged information) is revealed to be threatening upon deeper analysis (that user is accessing the account from a new device at 3 a.m. local time, and to boot, several thousand miles away from his or her last login location).

AI can make sense of large data sets much more quickly than the human mind.AI can make sense of large data sets much more quickly than the human mind.

Incident response and strategic analysis

“For now, IR requires a human hand.”

Powerful threat detection through continuous network monitoring is an important part of the cybersecurity equation, but it’s not the only part. Once a threat is detected as an alert, a human security engineer will need to assess the validity of the event. If that event proves to be a breach, immediate action must be taken to mitigate damages. In the future, AI may be sophisticated enough to prescribe remediation actions, but for now, IR requires a human hand. Depending on the type of breach, any number of actions may need to be taken, from quarantining certain machines to revoking specific user access privileges and more.

Security posture also needs to be taken into account. Once the threat has been neutralized, the onus falls on security engineers to figure out why the threat went undetected and what they can do to prevent it from happening again. This requires detailed, qualitative and strategic analysis of the entire security environment and its existing controls.

Perhaps this hybrid AI approach is best illustrated by the rise of managed detection and response (MDR) services. The detection aspect of MDR is usually focused around using advanced analytics to threat hunt. The response element pertains to prescriptive action at the behest of human cybersecurity engineers.

The end result of these combined efforts is a cybersecurity strategy that is effective in real time, but also strategic in the long term. Edit