Why Machine Intelligence Holds New Hope for Short-Handed Defenders

In the cat-and-mouse game between online attackers and security professionals defending their companies' networks, the attackers have often not had to work very hard.

The complexity of networks has meant that vulnerabilities and misconfigurations are often overlooked. While some companies have had to hire more security professionals, there are not enough to go around, and most companies cannot afford the manpower to stave off attacks. Instead, defenders have turned to automation and, when that has proved insufficient, to machine learning and artificial intelligence.

These technologies promise to improve the recognition of threats, better identify weaknesses, and speed the response to incidents.

“Without enough talented and experienced people to go around, AI will augment what human experts can do, giving them the equivalent of bionics," said Brian Witten, senior director of Symantec Research Labs. "In that sense, AI can help each of them 'up their game,' shifting from just shoveling and sifting through data, to having systems that free up their brains to really play this crucial cat-and-mouse game at the strategic level."

Automation, machine learning and research into artificial intelligence represent the industry's efforts to combat the increased complexity of information technology, the sophistication of threats, and the automation used by attackers. Yet, for all the promise of the technology to improve professionals' ability to protect their networks, the move to more intelligent systems could also work in attackers' favor.

While there have not been any publicly reported incidents of attackers incorporating artificial intelligence into their strategy, automation is an old trick among the black hats of the Internet.

For the past decade, for example, attackers have increasingly created malware variants using automated algorithms and systems. Keeping up with the rapidly expanding number of malware variants - which has soared from 275 million in 2014 to 357 million two years later - requires automation and machine learning.

In addition, attackers routinely use automation as part of denial-of-service attacks and the creation of botnets. Indeed, Internet-of-things botnets — such as Mirai — automate their attacks by using brute-force password guessing to compromise vulnerable devices and then use the infected device as a platform to infect other devices.

A more recent tactic is the automated scraping of software credentials and the authentication codes for Web services — known as application-programming interface, or API, keys — that have been accidentally published to online data stores on GitHub and Amazon Web Services. In one incident, technology-services company Accenture was found to have left private data and sensitive keys on an exposed storage image on Amazon's S3 service.
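As a defender-side counterpart to the credential scraping described above, here is an added example (not code from the original article or from Symantec) of a scanner that checks files for accidentally committed API keys before they are pushed to a public repository or bucket. The file contents and token values are constructed sample data; the AKIA pattern is AWS's documented access-key-ID format.

```python
import math
import re

# Constructed sample "repository" contents standing in for files that might be
# pushed to a public GitHub repo or an S3 bucket (example data, not a real leak).
SAMPLE_FILES = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    "deploy/env.sh": 'export API_TOKEN="w8Qz3kLp0vXr2TmYb9Hc5JdN1FsG7Ae4"\n',
    "README.md": "Run make test before pushing.\n",
}

# AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A long quoted literal assigned to a variable whose name suggests a secret.
SECRET_ASSIGN = re.compile(
    r"(?i)(key|token|secret|password)\w*\s*=\s*[\"']([A-Za-z0-9+/=_-]{20,})[\"']"
)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, prose scores low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(path: str, text: str, min_entropy: float = 3.5) -> list:
    """Return (path, line number, finding type) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_ID.search(line):
            findings.append((path, lineno, "aws_access_key_id"))
            continue
        m = SECRET_ASSIGN.search(line)
        # Entropy check filters out placeholders such as "changeme" or "aaaa...".
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            findings.append((path, lineno, "high_entropy_secret"))
    return findings

def scan_files(files: dict) -> list:
    """Scan every file; intended as a pre-commit or pre-upload gate."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    for path, lineno, kind in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}")
```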

Automated, Intelligent Defense

But as the bad guys look to automate their reconnaissance, companies can automate their own processes, augmenting existing capabilities with machine-learning and AI systems to defend against increasingly sophisticated attackers.

Many companies are already using automation to seek out vulnerabilities and misconfigurations in their networks. Rule-based systems have become popular, but they can only find the issues they have been instructed to look for, and corporate network perimeters have become more complex and porous over the years, according to AI expert Uday Veeramachaneni, the founder and CEO of PatternEx.

“No matter how much of that you do, you will be vulnerable somewhere — that is where monitoring is supposed to help," he said. "AI can both make sure that your perimeter is airtight and, when an attacker gets in, make sure that you can detect their actions."

Other companies have applied the AI field of natural-language processing to automate the gathering of intelligence on attacker activities. Automation can collect the data, while machine learning can be used to group pieces of information into similar categories.

What’s more, AI promises to bring together the context surrounding the threat data. By shadowing analysts who sift through the data, machines can learn what is important. At the same time, analyst teams processing these incidents have a great training data set to help classify things that the system may not have seen before.

Security teams looking to augment their capabilities today have already adopted a variety of automated technologies, from vulnerability management to incident response. However, making sure that automation does not cause an error to propagate and disrupt operations requires more intelligence. In addition, most companies do not have the resources to create and maintain their own security operations center (SOC).

So, for many companies, the first step is to evaluate systems that help the existing security group — whether that is a single part-time IT professional or a team of a dozen analysts — to more efficiently manage the security of their systems.

“Most security operations centers use rule-based systems, but not every company can afford a full SOC, and even those that can, should look at — and likely need — smarter automation,” Symantec's Witten said.
