Saryu Nayyar | Forbes.com
The world has entered a new era of cyberthreats, including actual cyber warfare against strategic digital assets. In fact, the Cybersecurity & Infrastructure Security Agency (CISA) is warning organizations to put their “shields up” to protect against cyberattacks. Key industries such as banking, manufacturing and critical infrastructure are especially vulnerable.
Security Operations Center (SOC) teams are the tip of the spear for defending the systems and applications that enable their companies to function. These teams are essential to smooth business operations. If a SOC team fails to adequately do its job, the risks to the business are immense.
Like any army doing battle, this team needs the appropriate tools to succeed in its four main responsibilities:
- Monitor for and detect cyberthreats that pose risk to the organization.
- When alerted to an incident, investigate the situation to determine the legitimacy and extent of the threat.
- If needed, respond to mitigate the threat.
- Following incident resolution, prevent a repeat of the threat.
These functions must be automated in order to scale—especially now with threats on the rise. Security teams are already overwhelmed, and many are understaffed. There are too many alerts to address in a reasonable time, resulting in threats being overlooked. That’s a recipe for disaster.
ML And AI Are Force Multipliers
Organizations need real-time threat detection, analysis and response. This is beyond the scope of manual human efforts, given the amount of data coming from logs, identity and access management systems, threat intelligence feeds and numerous other sources. Machine learning (ML) and artificial intelligence (AI) are required to address automated threat detection and response.
AI is the ability of a computer to perform tasks that would normally require the intelligence and decision-making ability of a person. AI is made possible in part by ML, which uses mathematical algorithms to process huge amounts of data to autonomously learn the patterns and seasonal behaviors of that data. It adapts as more data continues to be processed. The key to ML is that it doesn’t have to be explicitly programmed to learn.
ML has the ability to analyze millions of files in short order. Once data patterns are analyzed and understood and anomalies are revealed in those patterns, security incidents can be correlated with each other into a single alert to prompt a response. For example, ML uses many sources of data to discern that a threat is present, and AI can take action to respond to that threat without the need for human intervention.
When events are similar in nature, they can, ideally, be dealt with automatically using the same response mechanism. One can see how this autonomous and repeatable activity is a force multiplier for a SOC team’s ability to monitor, detect and respond to malicious activities in the infrastructure.
How To Get Started
Most cybersecurity platforms on the market today have already incorporated ML and AI into their core functions, thus eliminating the classic IT question, “Should we build it ourselves or buy a solution?” Unless you’ve got a team of brilliant data scientists on staff, building ML/AI internally should not be a serious consideration. Instead, select a platform that provides flexibility in customizing the ML models and use cases that most closely meet your needs.
At the outset, the ML models need to be trained on your datasets, preferably using unsupervised training where the models learn for themselves how to recognize patterns in your data. The training period can take from a few days to a few weeks.
Feeding as much data as possible from a variety of sources into the ML models is crucial. Most commercial solutions use a Big Data repository to collect and normalize data from both internal sources—such as network data and firewall logs—and external sources—such as threat intelligence feeds and lists of vulnerabilities. Data should be current, and ingestion must be in real time. Otherwise, you’re simply looking at historical events, and you’ve lost the advantage of detecting and preventing attacks early in the kill chain.
The ML algorithms should be tuned to focus on specific use cases, i.e., what to watch for in the data patterns. Examples of use cases might be watching for excessive numbers of failed login attempts or monitoring for unusual user activity that deviates from normal or expected behavior. Start with a small number of use cases and expand on them as your proficiency with the solution grows.
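The two use cases named above, excessive failed logins and activity that deviates from a user's own baseline, are simple enough to show in code. The following is an added example, not code from the article or from any vendor platform it refers to: a sliding-window failed-login detector and a per-user baseline deviation check, both run over constructed sample data (the log lines, the log format, the baseline counts and the thresholds are all assumptions made for this example), with the findings from both detectors folded into one alert per user, as the article describes correlation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample auth log lines (illustrative only; not from the article).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:03Z sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:04Z sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:06Z sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:08Z sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:10Z sshd: Accepted password for alice from 10.0.0.5
2024-03-01T09:15:00Z sshd: Failed password for bob from 10.0.0.9
2024-03-01T11:15:00Z sshd: Failed password for bob from 10.0.0.9
2024-03-01T13:15:00Z sshd: Failed password for bob from 10.0.0.9
2024-03-01T13:16:00Z sshd: Accepted password for bob from 10.0.0.9
"""

# Assumed log format for this example; a real deployment would use the
# normalized fields produced by the platform's ingestion pipeline.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed per-user baselines: daily count of distinct hosts each user
# logged into over the previous week, and today's count (assumed values).
BASELINE_DAYS = {
    "alice": [2, 3, 2, 2, 3, 2, 3],
    "bob": [1, 1, 1, 1, 1, 1, 1],
}
TODAY = {"alice": 3, "bob": 9}


def parse(lines):
    """Turn raw lines into (timestamp, user, failed?, ip) tuples; skip unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"] == "Failed", m["ip"]))
    return events


def excessive_failed_logins(events, threshold=5, window_seconds=60):
    """Sliding window per user: flag the first time `threshold` failures land within `window_seconds`."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, user, failed, _ip in sorted(events):
        if not failed:
            continue
        window = recent[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that have aged out of the window
        if len(window) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged


def behavior_deviations(baseline, today, z_threshold=3.0):
    """Flag users whose count today is more than z_threshold standard deviations
    from their own history. A flat history (stdev 0) is the edge case: any change
    from the constant is treated as an infinite deviation rather than a divide-by-zero."""
    out = {}
    for user, history in baseline.items():
        if user not in today or not history:
            continue
        mu, sigma = mean(history), pstdev(history)
        value = today[user]
        if sigma == 0:
            z = float("inf") if value != mu else 0.0
        else:
            z = (value - mu) / sigma
        if abs(z) > z_threshold:
            out[user] = z if z == float("inf") else round(z, 2)
    return out


def correlate(events, baseline, today):
    """Fold the findings of both detectors into a single alert per user."""
    alerts = defaultdict(list)
    for user, ts in excessive_failed_logins(events).items():
        alerts[user].append(f"failed-login burst: threshold reached at {ts.isoformat()}")
    for user, z in behavior_deviations(baseline, today).items():
        alerts[user].append(f"behavior deviation from baseline: z={z}")
    return dict(alerts)


def run_sample():
    """Run both detectors over the constructed data and return the correlated alerts."""
    return correlate(parse(SAMPLE_LOG.splitlines()), BASELINE_DAYS, TODAY)


if __name__ == "__main__":
    for user, reasons in run_sample().items():
        print(user, reasons)
```

On the sample data, alice trips the failed-login window (five failures in seven seconds) but her host count is within her normal range, while bob's three failures spread over four hours never fill the window, yet his jump from a constant one host per day to nine is flagged by the baseline check. That is the point of the per-user baseline: a fixed threshold alone would miss bob, and a global threshold would be noisy for users whose normal activity is high.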
Automating Responses For Quick Mitigation
With AI and ML in place, one way to help security analysts prioritize and respond to alerts is to connect your threat detection capabilities to a Security Orchestration, Automation and Response (SOAR) platform.
SOC teams often need to gather further context and background information pertaining to an alert. This is a tedious and time-consuming task if done manually, but an incident response playbook can be developed to run a series of tasks to build more information about an alert. With machines running the data-gathering process, security analysts can spend their time on higher value work.
As for those playbooks, they consist of a workflow and a list of actions to take to mitigate an issue. Pieces of the playbook can be manual tasks, while other parts can be automated to accelerate the response. The more automation, the better. The Integrated Adaptive Cyber Defense (IACD) initiative provides example playbooks and workflows that are categorized using the NIST Cybersecurity Framework’s five functions: Identify, Protect, Detect, Respond and Recover.
Security threats from inside and outside organizations are on the increase. SOCs should be considering how to incorporate ML and AI technology in their solutions to monitor for, detect and respond to incidents as they are happening, and not after damage has been done.