When generative AI debuted, companies embarked on an AI experiment. They have embraced innovations that many of them don’t really understand or, perhaps, don’t fully trust. However, for cybersecurity professionals, harnessing the potential of AI has been a vision for years – and a historic milestone will soon be reached: the ability to predict attacks.
The ability to predict has always been the “holy grail” of cybersecurity, and it is rightly met with great skepticism. Claims of “predictive capabilities” have so far proven to be either hype or premature aspiration. However, AI now finds itself at an inflection point where access to more data, better-optimized models, and decades of accumulated experience have cleared a path to making predictions at scale.
Now you might think I’m about to suggest that chatbots will turn into cyber-oracles, but no, you can breathe a sigh of relief. Generative AI has not peaked with next-generation chatbots. They are just the beginning, paving the way for foundation models whose reasoning ability can assess with high confidence the likelihood of a cyberattack, as well as how and when it will occur.
Classic AI models
To understand the benefit that foundation models can bring to security teams in the near term, we first need to understand the current state of AI in this area. Classic AI models are trained on specific datasets for specific use cases to achieve specific results, with the speed and accuracy that are the key benefits of AI applications in cybersecurity. To this day, these innovations, coupled with automation, continue to play an important role in managing threats and protecting user identity and data privacy.
With classic AI, if a model was trained on Clop ransomware (a variant that wreaked havoc on hundreds of organizations), it would be able to identify the signatures and subtle behaviors suggesting that this ransomware is in your environment and report it to the security team as a priority, doing so with exceptional speed and a precision that surpasses manual analysis.
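To make the idea concrete, here is a minimal sketch of how such a classic, supervised detector might look. It is an illustration only, not IBM’s implementation: the telemetry features, values, and labels are hypothetical, and a real detector would use far richer signals.

```python
# Minimal sketch of a classic, supervised detector trained on labeled telemetry.
# All feature names, values, and labels are hypothetical, for illustration only.
import numpy as np
from sklearn.ensemble import RandomForestClassifier

# Hypothetical per-host telemetry features:
# [files_renamed_per_minute, avg_entropy_of_written_files, connections_to_new_domains]
X_train = np.array([
    [2,   3.1, 0],    # benign activity
    [5,   3.4, 1],    # benign activity
    [900, 7.8, 4],    # labeled Clop-like ransomware activity
    [750, 7.5, 6],    # labeled Clop-like ransomware activity
])
y_train = np.array([0, 0, 1, 1])  # 0 = benign, 1 = known ransomware

clf = RandomForestClassifier(n_estimators=100, random_state=0)
clf.fit(X_train, y_train)

# Score a new observation against the patterns the model was trained on.
new_event = np.array([[820, 7.6, 5]])
print("P(known ransomware):", clf.predict_proba(new_event)[0, 1])
```

The key point is that this kind of model only recognizes what it was trained on: swap in a threat family it has never seen and its usefulness drops sharply, which is exactly the gap discussed next.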
Today, the threat model has changed. The attack surface is expanding, adversaries rely on AI as much as businesses, and security skills are still in short supply. Classic AI alone cannot cover all the bases.
Self-training AI models
The recent boom in generative AI has placed large language models (LLMs) at the center of the cybersecurity industry due to their ability to quickly retrieve and summarize various forms of information for security analysts using natural language. These models provide human-like interaction for security teams, making the digestion and analysis of complex and highly technical information much more accessible and much faster.
We are starting to see LLMs enable teams to make decisions faster and more accurately. In some cases, actions that previously took weeks are now completed in days or even hours. Once again, speed and precision remain the essential characteristics of these recent innovations. Striking examples are the breakthroughs introduced with chatbots such as IBM Watson Assistant, Microsoft Copilot, or CrowdStrike’s Charlotte AI.
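As a rough illustration of how an analyst-facing assistant can be wired up (this does not describe how Watson Assistant, Copilot, or Charlotte AI are actually built), the sketch below turns a structured alert into a natural-language summarization request. The alert fields are hypothetical, and call_llm is a placeholder for whatever model API a team actually uses.

```python
import json

# Hypothetical structured alert, roughly as a SIEM might emit it.
alert = {
    "rule": "Possible data exfiltration",
    "host": "web-01",
    "dest_ip": "203.0.113.7",
    "bytes_out": 48_000_000,
    "window": "02:10Z to 02:25Z",
}

# Build a natural-language request an analyst-facing assistant could answer.
prompt = (
    "Summarize this security alert for a SOC analyst in plain English, "
    "list the most likely explanations, and suggest the next investigative step.\n\n"
    + json.dumps(alert, indent=2)
)

def call_llm(prompt: str) -> str:
    # Placeholder: send the prompt to whichever LLM service the team uses
    # and return its text response.
    raise NotImplementedError

print(prompt)  # in practice: response = call_llm(prompt)
```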
In the security market, this is where innovation currently sits: materializing the value of LLMs, mainly through chatbots positioned as AI assistants to security analysts. We will see this innovation transform into adoption and generate material impact over the next 12 to 18 months.
Given the talent shortage in the industry and the growing number of threats security professionals face daily, they need every helping hand they can get – and chatbots can act as a force multiplier in this area. Just consider that cybercriminals have been able to reduce the time it takes to execute a ransomware attack by 94%: they use time as a weapon, making it essential for defenders to maximize their own time as much as possible.
However, cyber chatbots are just precursors to the impact foundation models can have on cybersecurity.
Foundation models at the epicenter of innovation
The maturation of LLMs will allow us to exploit the full potential of foundation models. Foundation models can be trained on multimodal data: not just text, but also images, audio, video, network data, behaviors, and more. They go beyond the purely linguistic processing of LLMs, vastly expanding, or outright replacing, the set of parameters that today’s AI is tied to. Combined with their self-supervised nature, this makes them naturally intuitive and adaptable.
What does that mean? In our previous ransomware example, a foundation model would not need to have ever seen Clop ransomware – or any other ransomware for that matter – to detect anomalous and suspicious behavior. Foundation models are self-learning. They do not need to be trained for a specific scenario. In this case, they would therefore be able to detect an elusive, never-before-seen threat. This capability will increase the productivity of security analysts and speed up their investigations and responses.
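A true foundation model is far more capable than any single technique, but as a deliberately simplified stand-in, the sketch below uses an unsupervised anomaly detector (an Isolation Forest) to illustrate the key difference: it learns what “normal” looks like from unlabeled telemetry and flags deviations it has never seen, without being trained on any specific ransomware family. The features and values are hypothetical.

```python
# Simplified stand-in for self-supervised detection: learn "normal" from
# unlabeled telemetry and flag deviations, with no labeled ransomware samples.
# Features and values are hypothetical.
import numpy as np
from sklearn.ensemble import IsolationForest

rng = np.random.default_rng(0)

# Unlabeled baseline telemetry: [files_renamed_per_minute, entropy, new_domains]
normal_activity = rng.normal(loc=[5, 3.2, 1], scale=[2, 0.3, 1], size=(500, 3))

detector = IsolationForest(contamination=0.01, random_state=0)
detector.fit(normal_activity)

# A never-before-seen, ransomware-like burst of activity.
suspicious = np.array([[850, 7.7, 6]])
score = detector.decision_function(suspicious)[0]   # lower = more anomalous
flagged = detector.predict(suspicious)[0] == -1     # -1 means outlier
print(f"anomaly score: {score:.3f} | flagged: {flagged}")
```

The detector never saw a labeled example of the attack; it simply learned the baseline and noticed the deviation, which is the intuition behind the anomaly-detection side of foundation models described above.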
These capabilities are about to materialize. About a year ago, we started running a pilot project at IBM, pioneering a security foundation model to detect and predict new threats and enable intuitive communication and reasoning across an organization’s security stack without compromising data privacy.
In a customer trial, the model’s nascent capabilities predicted 55 attacks days before they even occurred. Of those 55 predictions, analysts have evidence that 23 of the attempts took place as predicted, while many of the others were blocked before they ever appeared on the radar. Among other things, these included several distributed denial-of-service (DDoS) attempts and phishing attacks aimed at deploying different malware strains. Knowing adversaries’ intentions in advance and preparing for these attempts gave defenders extra time that they don’t often have.
The training data for this foundation model comes from multiple sources that can interact with one another: API feeds, threat-intelligence feeds and indicators of compromise, behavioral indicators, social platforms, and more. The foundation model allowed us to “see” adversaries’ intent to exploit known vulnerabilities in the customer environment, as well as their plans to exfiltrate data in the event of a successful compromise. Additionally, the model hypothesized more than 300 new attack patterns, insights that organizations can use to strengthen their security posture.
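As a small, hypothetical sketch of what it means for those sources to interact, the snippet below correlates an indicator-of-compromise feed with behavioral telemetry on a per-asset basis; the feed formats, field names, and values are invented for illustration and do not describe IBM’s pipeline.

```python
# Minimal sketch of fusing heterogeneous feeds into per-asset records that a
# model could consume. Feed formats, field names, and values are hypothetical.
from collections import defaultdict

ioc_feed = [  # e.g., from a threat-intelligence feed
    {"indicator": "203.0.113.7", "type": "ip", "campaign": "ddos-botnet"},
]
behavior_feed = [  # e.g., from endpoint/network telemetry
    {"asset": "web-01", "contacted_ip": "203.0.113.7", "bytes_out": 48_000_000},
    {"asset": "hr-12", "contacted_ip": "198.51.100.9", "bytes_out": 12_000},
]

known_bad_ips = {i["indicator"]: i["campaign"] for i in ioc_feed if i["type"] == "ip"}

per_asset = defaultdict(list)
for event in behavior_feed:
    campaign = known_bad_ips.get(event["contacted_ip"])
    if campaign:  # behavior correlated with threat intelligence
        per_asset[event["asset"]].append({"campaign": campaign, **event})

print(dict(per_asset))  # fused records: candidate input for a predictive model
```

Records like these, fused across many feeds, are the kind of input a predictive model can reason over.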
The importance of the extra time this knowledge gave defenders cannot be overstated. By knowing which specific attacks were going to occur, our security team could execute mitigations to prevent them from having an impact (for example, patching a vulnerability or fixing misconfigurations) and prepare to respond to those that did materialize as active threats.
While nothing would give me more joy than to say that foundation models will stop cyberthreats and make the world cyber-secure, that’s not necessarily the case. Predictions are not prophecies; they are evidence-based estimates.
Sridhar Muppidi is an IBM Fellow and CTO of IBM Security.
The opinions expressed in commentary pieces on Fortune.com are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.