Automation, Artificial Intelligence and Machine-learning Should be on the Radar for Any Modern SOC
With 2021 well underway, we’ve become used to new ways of working and new work environments. Many of us now work from home with digital communication methods for project collaboration and discussion. Our employers have developed agile methods for equipping staff with the right tools to work effectively and flexibly, with remote work becoming a longer-term consideration for operational budgets and staff hiring decisions.
This shift is unlikely to change. We may return to the office in 2021 but not the standard 5-day working week. Reports show that many organizations are planning a hybrid approach to give employees more options. Remote working is here to stay, and with this, security and safety have gained even more relevance.
One effect of this change has been the visibility and number of alerts processed by the Security Operations Centre (SOC). Previously the team dealt with data centers within office locations, meaning that threats had limited hiding places. Now with remote-working, unmanaged personal devices – including home IoT and family computers – have thousands of options to hide out. Threats previously visible on the corporate network have become invisible, hiding in home networks and waiting for the opportunity to launch an attack.
Automation to Help with Alert Overload and Fatigue
Automation, artificial intelligence and machine-learning should be on the radar for any modern SOC. Suppose cybercriminals are already leveraging these technologies to launch effective attacks across this broad new surface. In that case, security analysts should also take advantage of these same technologies to help protect their organization and keep data and users safe.
Security analysts are receiving thousands of alerts daily, and now with so many remote workers, these alerts could come from thousands of locations. Many will be benign, but the team must maintain complete visibility in case of missing a serious threat. This work is repetitive and can lead to analyst fatigue or errors. Here are ways that automation can help:
• Alerts are analyzed and flagged. If the data is ‘good’ or ‘bad,’ existing rules apply automated actions to either allow or reject the information. For any other alert, the data is tagged as ‘unknown’ and reported to an analyst for further analysis, meaning that the team is now working with more valid alerts and less false positives.
• When alerts are flagged as bad, several actions must be activated and applied fast. These may include deleting attachments from an email, quarantining devices, or even shutting down parts of the network for remediation. Security automation rules can be used to perform these actions, either fully automated or at the click of a button by the analyst.
So, from a couple of examples, it’s clear how automation can help the modern SOC with early detection and remediation of a threat, as well as reduction of the security team’s workload. However, what about Artificial Intelligence and Machine Learning? Until recently, these were buzzwords, but when properly applied to an environment, these technologies become key enablers for analysis, helping to increase team efficiency and make cybersecurity fast, consistent and accurate.
Using Artificial Intelligence to Turn Data into Intelligence
Artificial Intelligence combines the output from processing millions of pieces of threat data with available environmental information, including network information, entry vectors, protocols used and even perform cloud analysis to understand whether the threat is new or previously seen in other environments. This data provides valuable context for security engineers, which previously would have required manual effort and time to extract. Detection time is reduced because the AI will see changes in the network faster than a human might, gather relevant data and provide positive alerts to the team. Response time is improved as the engineers do not have to start with a deep analysis of what happened. They are immediately working with actionable data and using it to create a remediation plan.
Machine Learning Understands the Network, Increases Team Efficiency
Using Machine Learning (ML) with AI means that tools can be trained to work better with data and the ML system will be able to make recommendations for improvements. ML can assess behaviors seen on the network, spotting what may be outside of normal patterns and alerting the team with advice, and catching issues before they become threats that might include unusual network port usage, DNS manipulations or potential traffic storms. Not only does this improve efficiency for the security team, but ML will leverage data to increase intelligence incrementally and become a more effective technology – making this a win-win for cybersecurity!
Moving forward, I expect to see new sources of threat information leveraged, including routers, switches and access-points. We are just beginning to learn the full capabilities possible in this space, but that means that now is the time to start looking more closely at how these can make the team more effective and improve overall cybersecurity postures.
