Connect with us

Hi, what are you looking for?


Artificial Intelligence

AI is Security’s Best Defense

Automation, Artificial Intelligence and Machine-learning Should be on the Radar for Any Modern SOC

Automation, Artificial Intelligence and Machine-learning Should be on the Radar for Any Modern SOC

With 2021 well underway, we’ve become used to new ways of working and new work environments. Many of us now work from home with digital communication methods for project collaboration and discussion. Our employers have developed agile methods for equipping staff with the right tools to work effectively and flexibly, with remote work becoming a longer-term consideration for operational budgets and staff hiring decisions.

This shift is unlikely to change. We may return to the office in 2021 but not the standard 5-day working week. Reports show that many organizations are planning a hybrid approach to give employees more options. Remote working is here to stay, and with this, security and safety have gained even more relevance.

One effect of this change has been the visibility and number of alerts processed by the Security Operations Centre (SOC). Previously the team dealt with data centers within office locations, meaning that threats had limited hiding places. Now with remote-working, unmanaged personal devices – including home IoT and family computers – have thousands of options to hide out. Threats previously visible on the corporate network have become invisible, hiding in home networks and waiting for the opportunity to launch an attack.

Automation to Help with Alert Overload and Fatigue

Automation, artificial intelligence and machine-learning should be on the radar for any modern SOC. Suppose cybercriminals are already leveraging these technologies to launch effective attacks across this broad new surface. In that case, security analysts should also take advantage of these same technologies to help protect their organization and keep data and users safe.

Security analysts are receiving thousands of alerts daily, and now with so many remote workers, these alerts could come from thousands of locations. Many will be benign, but the team must maintain complete visibility in case of missing a serious threat. This work is repetitive and can lead to analyst fatigue or errors. Here are ways that automation can help:

• Alerts are analyzed and flagged. If the data is ‘good’ or ‘bad,’ existing rules apply automated actions to either allow or reject the information. For any other alert, the data is tagged as ‘unknown’ and reported to an analyst for further analysis, meaning that the team is now working with more valid alerts and less false positives.

Advertisement. Scroll to continue reading.

• When alerts are flagged as bad, several actions must be activated and applied fast. These may include deleting attachments from an email, quarantining devices, or even shutting down parts of the network for remediation. Security automation rules can be used to perform these actions, either fully automated or at the click of a button by the analyst.

So, from a couple of examples, it’s clear how automation can help the modern SOC with early detection and remediation of a threat, as well as reduction of the security team’s workload. However, what about Artificial Intelligence and Machine Learning? Until recently, these were buzzwords, but when properly applied to an environment, these technologies become key enablers for analysis, helping to increase team efficiency and make cybersecurity fast, consistent and accurate.

Using Artificial Intelligence to Turn Data into Intelligence

Artificial Intelligence combines the output from processing millions of pieces of threat data with available environmental information, including network information, entry vectors, protocols used and even perform cloud analysis to understand whether the threat is new or previously seen in other environments. This data provides valuable context for security engineers, which previously would have required manual effort and time to extract. Detection time is reduced because the AI will see changes in the network faster than a human might, gather relevant data and provide positive alerts to the team. Response time is improved as the engineers do not have to start with a deep analysis of what happened. They are immediately working with actionable data and using it to create a remediation plan.

Machine Learning Understands the Network, Increases Team Efficiency

Using Machine Learning (ML) with AI means that tools can be trained to work better with data and the ML system will be able to make recommendations for improvements. ML can assess behaviors seen on the network, spotting what may be outside of normal patterns and alerting the team with advice, and catching issues before they become threats that might include unusual network port usage, DNS manipulations or potential traffic storms. Not only does this improve efficiency for the security team, but ML will leverage data to increase intelligence incrementally and become a more effective technology – making this a win-win for cybersecurity!

Moving forward, I expect to see new sources of threat information leveraged, including routers, switches and access-points. We are just beginning to learn the full capabilities possible in this space, but that means that now is the time to start looking more closely at how these can make the team more effective and improve overall cybersecurity postures.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...