SANTA CLARA, Calif., June 26, 2024 — At the 16th Information Security Forum and 2024 RSAC Hot Topics Seminar held on June 7, 2024, Richard Zhao, Chief Operating Officer of International Business at NSFOCUS, presented the new picture of cybersecurity in the post-cloud era with his professional insights.
Key Highlights
Richard’s speech focused on three observations from the RSAC 2024 conference and three related background information points, deeply analyzing the current state and future trends of AI in cybersecurity.
- Efficiency Improvement in Cybersecurity Operations Leveraging Conversational AI: Using a leading cybersecurity company as an example, Richard demonstrated how conversational AI can enhance efficiency in cybersecurity operations. With Copilot technology, users can obtain information on vulnerability impact, system impact assessment, recommended countermeasures, and generate tickets based on user needs through natural language queries. This allows them to not only “Ask” but also “Act,” achieving “Real-time protection.” This interaction method not only improves information acquisition efficiency but also significantly speeds up response times.
- New Use Cases and Challenges of AI/ML: Richard pointed out that with the development of AI technology, AI agents are becoming a new challenge in cybersecurity. These agents can mimic normal user behavior to conduct malicious activities such as money laundering and click fraud, posing unprecedented challenges to cybersecurity.
- Platformization vs. Best of Breed: The phenomenon of platformization in the cybersecurity industry is becoming increasingly evident. Using two well-known cybersecurity companies as examples, Richard analyzed how platformization can improve corporate operational efficiency and achieve rapid revenue growth by integrating multiple security functions.
Background Information Analysis
- Establishment of CAIO: Richard mentioned that new policies require federal agencies to expedite the adoption of AI and appoint CAIOs (Chief AI Officers). This indicates that AI technology has become an essential part of the national strategy.
- GenAI Red Teaming: AI technology is a national endeavor. For example, the United States has organized large-scale, open GenAI CTF competitions to raise public awareness of AI technology applications and risks through such public competitions.
- Role of CSRB: Richard introduced the background and role of the CSRB (Cyber Safety Review Board), explaining how it promotes cooperation between the government and the private sector in cybersecurity, conducting in-depth analysis and providing recommendations on major cybersecurity incidents.
Expert Insights
Based on the above observations and background information, Richard summarized the following insights:
1. Evolution Trend of the Cloud-Local-Expert-Device Model
- Cloud-Local-Expert-Device Model: Richard proposed the evolution trend of the “Cloud-Local-Expert-Device” model, including cloud-local re-architecture, expert-device re-architecture, and the concept of “Southbound and Northbound,” providing new ideas for the future development of the cybersecurity field. The United States completed “cloud-local re-architecture” as early as 2016, turning all new applications into Cloud/SaaS architecture. Meanwhile, “expert-device re-architecture” and “Southbound and Northbound” are underway.
- Expert-Device Re-architecture: This refers to the fundamental changes in the roles and interactions between AI/ML technology and human experts. This reconstruction involves the transformation of intelligence generation, reading, and analysis methods. Traditionally, machine-readable intelligence (e.g., JSON format) and human-readable intelligence (e.g., report format) are distinctly separated. However, with the development of large language models (LLMs), this boundary becomes blurred. LLMs can not only read and write traditional machine-readable intelligence but also generate or interpret human-readable intelligence as needed. For example, if the platform supports Sigma query language, LLMs can help write Sigma rules or analyze on platforms like NSFOCUS’s Situational Awareness Platform.
- Southbound and Northbound: “Northbound” refers to the shift from basic indicators (IOC) to higher-level behavior (TTP) analysis. Compared to IOC, TTP is more stable and less prone to frequent changes, making it crucial for tracking and analyzing APT organization behavior. “Southbound” refers to pushing AI/ML technology from backend support to the forefront of cybersecurity protection. This is not just about letting AI/ML help generate reports or perform simple interactions but allowing these technologies to directly participate in proactive cybersecurity defense and real-time response.
2. Is It Possible to Break the Impossible Triangle of “Faster, Better Coverage, and Cost-down”?
In cybersecurity, “Fast”, “Better Coverage”, and “Cost-down” form an “impossible triangle” currently. Richard believes that balancing these three elements is crucial by changing the existing operational model and realizing the “Connect to Protect” concept, which improves efficiency through centralized cybersecurity operations.
3. Efficiency is the Key to Winning Cybersecurity in the Post-Cloud Era
Richard emphasized that large-scale application of AI, AI security protection, and utilizing AI to improve cybersecurity operational efficiency are three closely related areas. Large-scale application of AI is the foundation, AI security protection is the guarantee, and the first two areas are crucial for the last one (utilizing AI to improve cybersecurity efficiency). Without widespread AI usage across society, the latter two cannot be discussed because an industry cannot be formed. Without research in the first two areas, it is inconceivable to use AI to improve cybersecurity efficiency, as the software and ICD technology we use in cybersecurity will always lag behind the objects we protect. Therefore, only when AI is widely used at the societal level can we provide adequate protection and further use AI to enhance our cybersecurity.
Richard also highlighted the potential of generative AI and large language models (LLMs), which may bring “generational differences” in cybersecurity capabilities and efficiency. This means we need to establish a solid foundation, including data mastery and accumulation, and achieve economies of scale to develop new models of security operations using AI.
To achieve these goals, Richard suggested identifying and addressing “bottlenecks” affecting efficiency at the ecosystem level. This includes determining the extent to which online/remote/centralized security operations can be achieved and whether we can implement cloud-based centralized upgrades in response to significant threats like Log4j, rather than manual upgrades for each device or data center. Improving operational efficiency and security protection levels will directly impact our response speed and ability to handle cybersecurity threats.
Richard’s presentation not only provided us with rich information and profound insights but also pointed out the direction for cybersecurity development in the post-cloud era. By applying AI technology appropriately and effectively addressing new challenges, we can achieve greater breakthroughs in cybersecurity. At the same time, his views remind us to continuously explore and innovate to adapt to the ever-changing cybersecurity environment.
About NSFOCUS
NSFOCUS is a leading cybersecurity company that provides comprehensive, cutting-edge solutions to protect against sophisticated cyber threats. With a solid commitment to innovation, NSFOCUS is at the forefront of shaping the future of cybersecurity.
