Putting the AI into mAInframe security
Artificial intelligence can be as much a help as a threat: a powerful tool in the hands of either the good, the bad or the ugly.
Today’s threat landscape and cybersecurity requirements are more complex and challenging than ever. While many organizations historically spent a lot of time focused on enterprise IT and perimeter security, the mainframe was at best neglected, and at worst, forgotten. This situation was compounded by the fact that some people continued to believe that the mainframe was inherently secure, despite the world we now live in, and despite the fact the mainframe is now mainstream. It’s as much a part of enterprise IT as anything else.
I read an article recently by a colleague at Rocket Software, a Vertali partner. Describing the mainframe as “the most overlooked cybersecurity risk”, she wrote, “Once hackers gain access to the mainframe, the damage can be catastrophic, even after their presence is detected. If they have the time to create backdoors into the mainframe, they can further compromise it even after the weakness has been eliminated, and the data and mission-critical applications stored there remain at imminent risk.” Scary stuff. It’s a reminder to us all to check your mainframe front door is locked before you go to bed. And the windows. And set the alarm.
The Mainframe is Hackable
The mainframe is, of course, eminently hackable. My team at Vertali has done it many times, sometimes in minutes (obviously as part of a security assessment or pen testing exercise, and in a safe and secure way that never compromises the client). And it’s because the mainframe continues to be modernized, and continues to play such a central role in critical national infrastructure, that it’s such an attractive target for the bad actors.
To make matters worse, the last few years have seen the inexorable rise of artificial intelligence. This double-edged sword brings as many new threats as it does new opportunities.
What is generative AI?
Generative AI is a type of artificial intelligence used to create content such as images, music, text, video, and audio. You’ve probably heard of ChatGPT for ‘writing’ text (a capability already being applied to writing malware), and perhaps of DALL-E or Midjourney for creating images.
Generative AI is used for a range of purposes including media creation, product development, and running chatbots. It can “learn” complex subjects like art, chemistry, biology, human language – and programming languages. Models are trained on large amounts of data and then use neural networks to identify patterns and structures in the data to generate new content.
The models can respond to prompts similarly to how humans might react, but far faster. But generative AI models don’t really know if their output is accurate, and users don’t understand how the algorithms work. Multiple concerns have been raised around, for example, the creation of deepfakes and the spread of misinformation – fake news. So, what are the implications for the mainframe security world?
The Good, the Bad, and the Ugly of Gen AI
Generative AI brings an array of new risks, challenges, and opportunities – the good, the bad, and the ugly. We’re already seeing developments in Enhanced Threat Detection and Prevention, Automated Security Responses, Enhanced Encryption and Data Privacy, and Vulnerability Management. We’ll have to face up to new regulatory and compliance considerations, as well as the need for new and evolving skill sets.
The Good
Let’s look at some of these in turn, starting with “the Good.” If you’re into classic Western movies, this is the Clint Eastwood character. For threat detection and prevention, we can look to AI-powered security analytics such as Elastic. Generative AI can significantly enhance threat detection by analysing vast amounts of data, identifying patterns, and detecting anomalies that might indicate a security breach.
That can lead to more proactive and adaptive security measures, enabling mainframe environments to respond far faster to potential threats. And with Advanced User Behaviour Analytics (UBA), AI can model typical user behaviours and detect deviations that might suggest, say, insider threats or compromised accounts. This can be crucial for mainframe environments, where insider threats are often a significant risk and can be particularly damaging.
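As an added example of the user-behaviour baseline described above (not code from the article or from Vertali), the Python below learns each user's usual logon hours, terminals and dataset high-level qualifiers from constructed sample records and flags new events that deviate on two or more of them; the record layout is an assumption, not a real SMF or RACF format.

```python
# Added example, not from the article: a minimal user-behaviour baseline over
# constructed mainframe logon/dataset-access records. The field layout
# (user, timestamp, terminal, dataset HLQ) is an assumption, not a real SMF/RACF format.
from collections import defaultdict
from datetime import datetime

# Constructed history used to learn what "normal" looks like for each user.
BASELINE = [
    ("OPER01", "2024-03-04T08:05:00", "TRM001", "PROD.PAYROLL"),
    ("OPER01", "2024-03-05T08:12:00", "TRM001", "PROD.PAYROLL"),
    ("OPER01", "2024-03-06T09:01:00", "TRM001", "PROD.PAYROLL"),
    ("DEV02", "2024-03-04T10:30:00", "TRM010", "DEV.SRC"),
    ("DEV02", "2024-03-05T16:45:00", "TRM010", "DEV.SRC"),
]

def build_profiles(events):
    """Per-user sets of observed logon hours, terminals and dataset HLQs."""
    profiles = defaultdict(lambda: {"hours": set(), "terminals": set(), "hlqs": set()})
    for user, ts, term, hlq in events:
        p = profiles[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["terminals"].add(term)
        p["hlqs"].add(hlq)
    return profiles

def score_event(profiles, event):
    """Return (deviation count, reasons) for one new event against the baseline."""
    user, ts, term, hlq = event
    p = profiles.get(user)
    if p is None:
        return 3, ["user has no baseline at all"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # One hour of slack either side of any previously seen logon hour.
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        reasons.append(f"logon at hour {hour:02d} outside usual hours")
    if term not in p["terminals"]:
        reasons.append(f"never seen on terminal {term}")
    if hlq not in p["hlqs"]:
        reasons.append(f"first access to {hlq}")
    return len(reasons), reasons

def flag_deviations(profiles, events, threshold=2):
    """Events whose deviation count reaches the threshold, paired with reasons."""
    scored = ((e, score_event(profiles, e)) for e in events)
    return [(e, reasons) for e, (score, reasons) in scored if score >= threshold]

if __name__ == "__main__":
    new = [("OPER01", "2024-03-11T02:45:00", "TRM077", "PROD.PAYROLL"),
           ("DEV02", "2024-03-11T11:00:00", "TRM010", "PROD.PAYROLL")]
    for event, reasons in flag_deviations(build_profiles(BASELINE), new):
        print(event[0], event[1], "->", "; ".join(reasons))
```

A real UBA system would learn these sets from months of SMF data and weight the signals, but the structure is the same: a per-user profile, a score per new event, and a threshold that turns scores into alerts for the Blue Team.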
What else is Clint packing, as he squints at the horizon and sees a single horse and rider emerging from the haze? Generative AI can automate intelligent security incident responses and so reduce the time lag between detection and targeted action. This might involve everything from isolating affected systems to automatically applying patches and updates. AI can also dynamically adjust access controls based on real-time assessments of user risk, ensuring only authorized and verified users can access critical mainframe resources.
In vulnerability management and predictive maintenance, generative AI can analyse system behaviours, code, and configurations to anticipate and predict vulnerabilities before they can be exploited. It can automate the process of identifying, prioritizing and applying patches, so mainframes can remain secure without significant downtime.
AI-driven attacks: The Bad
It’s time to have a quick look at “the Bad”. Here, Lee Van Cleef, a ruthless mercenary in the movie, provides an avatar for our cybercriminals. Just as AI can enhance security, attackers can also use it to identify vulnerabilities, craft sophisticated phishing attacks, and automate the exploitation of security flaws. AI-driven attacks are already underway. Mainframe security strategies must evolve fast to counter these threats, but making AI work on the side of the righteous is no easy matter.
Integrating AI technologies and tools into mainframe environments can be complex, and may require significant investments in time, people, and resources. At the same time, there’s a risk that over-reliance on AI and automation could lead to complacency down the road, with some organizations overlooking the importance of human oversight.
The Ugly
Last, but not least, do you remember who played “the Ugly” in the film? It was Eli Wallach. By ugly in this context, I mean tricky and challenging rather than outright criminal.
As AI becomes more commonplace and is integrated into mainframe security, organizations will need to ensure their use of AI complies with regulatory standards and requirements. This will include ensuring transparency in AI decision-making processes and maintaining audit trails for security-related actions taken by AI systems.
We’ll also have to develop new skill sets. We will see a growing demand for professionals with expertise in both mainframe environments and AI, at a time when we already have a historic skills gap to close. Continuous training and education will be crucial for security teams to keep up with the evolving threat landscape, and with the risks and opportunities presented by evolving AI technologies.
As I suggested earlier, integrating generative AI into mainframe security will be a double-edged sword: powerful tools to enhance protection together with new risks requiring careful management. It goes without saying that organizations that are in a position to effectively leverage AI while maintaining robust oversight and, crucially, adaptability and flexibility will be well positioned to secure their mainframes (and their businesses) into the future.
Team Cybersecurity: enhanced by AI
How best to approach this Gen AI world? In the simplest terms, it’s about having the right focus. Your Red Team needs to think and behave like the threat actors, to better prepare the organization for the inevitable threats and a constantly changing cybersecurity landscape.
The Blue Team needs to focus on handling day-to-day business cybersecurity tasks, including detection, prevention, and response.
And, the Purple Team needs to focus on helping the Red and Blue teams to combine the data they both gather over time, to understand it, and to make it actionable — with new experiences and insights feeding into a cybersecurity posture that’s consistently learning and improving.
Mark Wilson is a globally recognized thought leader and international speaker in mainframe security and technology, as well as a passionate advocate for all things Z. He has more than 40 years of experience across numerous industries and diverse mainframe environments. Mark serves as the Chief Editor and Producer of Cheryl Watson's Tuning Letter and the Technical Director at Vertali. Mark is also the Region Manager for Guide Share Europe (GSE) UK and has been awarded IBM Champion status for multiple years.
For more information email: info@vertali.com