Cybersecurity is evolving at breakneck speed, with new malware varieties and hacking techniques appearing on a regular basis, completely altering attack characteristics. While we still need anti-virus (AV) scanners and intrusion prevention systems (IPS) to protect us from legacy threats, current attackers use evasion techniques that can easily overcome our aging ICT defensive systems, making it difficult for us to keep up with this rapid rate of change.

In the last few years, cutting-edge artificial intelligence, machine learning, and user behavioural analysis have been integrated into cybersecurity systems, with claims that they alleviate these concerns. Although it appears to be a terrific idea on the surface, what exactly are these technologies, and do they deliver on their promises? In addition, how can you use this new technology to improve your operational security capabilities to face today’s challenges? There’s little doubt that these technologies will be beneficial, and they all share one aim: automating incident response. This article looks at how these new technologies can give operational teams an advantage over their adversaries.

Operational Security’s 3 Technology Categories

Artificial Intelligence (AI), Machine Learning (ML), and User and Entity Behaviour Analytics (UEBA) are three technologies that have recently found their way into operational security systems.

Misunderstandings and misrepresentations of AI are common. At the heart of AI is the creation of computer systems that have natural human characteristics such as reasoning, perception, intuition, learning, and planning, together with the ability to transform data into knowledge. AI is a discipline of academic research that models mountains of data to make sense of it in the real world; automated physicians, attorneys, and even self-driving cars are all outcomes of this. It is one of the most significant technological developments of our time, and one that will have a profound impact on the way computers are used in the real world. In cybersecurity, event log data, network trace information, and system-to-system dialogues are ideal raw material for AI algorithms to harvest. While integrating AI capabilities into cybersecurity products is important, we must first understand the goals of doing so and how they help us accomplish our intended outcomes.

For operational security detection systems, machine learning serves as a feedback loop that enhances detection accuracy as algorithms learn from their mistakes (and successes). Amazon and Alibaba are the most well-known examples of machine learning systems: based on your purchase history, browsing habits, and search history, they show you products that may be of interest to you. Your news feed can also be improved by machine learning, which connects intriguing posts from friends with advertisements for things you’ve expressed an interest in. Automated learning is a critical component of cybersecurity: to improve the overall effectiveness of the SOC, any solution that increases the likelihood that an alarm is real while clearing away the chaff is beneficial.

Unusual user behaviour can be an indication of an insider threat, which is where UEBA comes in. Profiling systems that understand what normal looks like from the perspective of end-users can detect unusual behaviour, such as a user trying to gain access to a file store or database that they don’t usually use. This abnormality can be flagged to the SOC, which can then decide whether to investigate further. As straightforward as UEBA’s insider threat assessment, baselining, and alerting are to install in a large company, learning the organization’s context (systems and architecture) and what normal looks like still takes time. As a matter of fact, any SOC’s operational threat management strategy should include UEBA.
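As an added illustration of the baseline-then-flag idea described above (example code written for this article, not taken from any UEBA product): a per-user profile is learned from constructed access-log events, and new events are scored on whether the resource or the hour of access is novel for that user. The weights, the sample events and the `AccessEvent` shape are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str
    resource: str
    hour: int  # local hour of day, 0-23


# Constructed baseline window: what "normal" looked like while learning.
BASELINE_EVENTS = [
    AccessEvent("alice", "hr-share", 9), AccessEvent("alice", "hr-share", 10),
    AccessEvent("alice", "hr-share", 14), AccessEvent("alice", "payroll-db", 11),
    AccessEvent("bob", "eng-repo", 9), AccessEvent("bob", "eng-repo", 13),
    AccessEvent("bob", "build-server", 15), AccessEvent("bob", "eng-repo", 17),
]

# Assumed anomaly weights; a real system would tune these from analyst feedback.
NOVEL_RESOURCE_WEIGHT = 0.7
OFF_HOURS_WEIGHT = 0.3


def build_profiles(events):
    """Learn, per user, which resources they touch and at what hours."""
    profiles = {}
    for ev in events:
        p = profiles.setdefault(ev.user, {"resources": Counter(), "hours": []})
        p["resources"][ev.resource] += 1
        p["hours"].append(ev.hour)
    return profiles


def score_event(profiles, ev):
    """Return (score in [0, 1], list of human-readable reasons)."""
    profile = profiles.get(ev.user)
    if profile is None:
        return 1.0, [f"no baseline exists for user {ev.user!r}"]
    score, reasons = 0.0, []
    if ev.resource not in profile["resources"]:
        score += NOVEL_RESOURCE_WEIGHT
        reasons.append(f"{ev.user} never accessed {ev.resource!r} during baseline")
    # Allow one hour of slack either side of the observed working window.
    lo, hi = min(profile["hours"]) - 1, max(profile["hours"]) + 1
    if not lo <= ev.hour <= hi:
        score += OFF_HOURS_WEIGHT
        reasons.append(f"hour {ev.hour} is outside {ev.user}'s usual {lo}-{hi} window")
    return round(min(score, 1.0), 2), reasons
```

Events that score 0.0 are the chaff the article wants cleared away; only the reasons list reaches the analyst, which keeps the investigation pre-organized.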

SOC Automation and Threat Response

Automating the threat response process to shorten the time between detection and eradication is the major goal of every data modelling and feedback system. False-positive investigations can account for at least half of an analyst’s time in most security operations centres (SOCs). There are hundreds (if not thousands) of potential incidents that need to be investigated each week, even with a well-tuned SIEM system. For analysts, this is a demoralizing and time-consuming task when 99.9% of their investigations turn out to be false positives. The recent move to incorporate threat intelligence into the SOC’s ecosystem has made this problem even worse, because millions of extra correlation items are added to the mix every month, increasing the number of false positives rather than decreasing them. When we hire cybersecurity experts, what we gain is their ability to go outside the SOC and investigate real incidents, piecing together lines of investigation from both inside and outside the ICT systems. Yet this aspect of the job is overwhelmingly underserviced, because they spend most of their time pursuing false leads.

We may look forward to a brighter future thanks to the three pillars of cyber security automation that we’ve examined here:

  1. Eliminating the analyst’s burden by spotting and eliminating false positives.
  2. Automating responses to real threats (scripts, network architecture changes, and quarantining compromised systems).
  3. Organizing the investigation in advance to make the analyst’s job easier.

There are several obstacles to overcome when adding automation, and one of the largest is trust; remediation attempts can entail a loss of service to the business, which is rarely acceptable when it’s unneeded. The firm will invariably lose money if the SOC automatically quarantines machines, eliminates user rights, and shuts down customer-facing websites. If these service interruptions are caused by false positives, the business’s bottom line suffers, and long-term confidence in the SOC is undermined as a result.

To properly automate security operations and incident response capabilities, SOCs must rely on technology. SOC analysts can support AI, machine learning, and UEBA systems by combining proactive threat identification with security testing (penetration testing is a good example, because it appears to SOC systems as a real attack). As more automation is introduced and tested, the SOC can build trust with the business that its security investments are worthwhile.

Stay in control of your cyber security with automation

Automation of the incident response process is made possible by AI, ML, and UEBA. However, automation involves risk, so thorough planning and testing are necessary to build confidence in any automated response capability.

A company’s overall cyber security posture will undoubtedly benefit from the use of AI, machine learning, and UEBA technology, but the fundamental role of the SOC analyst must change in tandem with the evolution of the technology platforms, so that analysts become masters rather than slaves of their underpinning technology. First, focus on automating responses to high-confidence warnings that are basic and straightforward. This will free up analysts to work on more complex threats and help your SOC management team earn the business’s confidence.
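To make the trust problem from the previous sections concrete, here is an added example (written for this article, not any vendor’s logic) of a response gate that only lets a detection rule trigger a disruptive action automatically once analyst verdicts show it is precise enough, and never lets it disrupt a customer-facing asset on its own. The thresholds, action names and `ResponseGate` API are assumptions.

```python
from collections import defaultdict

# Assumed policy: (minimum analyst-confirmed precision, minimum verdict count)
# a rule must reach before its alerts may trigger the action without a human.
# More disruptive actions demand more evidence.
ACTION_POLICY = {
    "notify_analyst": (0.0, 0),
    "isolate_endpoint": (0.90, 50),
    "disable_account": (0.95, 100),
    "block_public_site": (0.99, 200),
}
# Actions that take service away from customers are never fully automated here.
DISRUPTIVE_ACTIONS = {"isolate_endpoint", "disable_account", "block_public_site"}


class RuleStats:
    """Running tally of analyst verdicts for one detection rule."""

    def __init__(self):
        self.true_positives = 0
        self.false_positives = 0

    def record(self, was_true_positive):
        if was_true_positive:
            self.true_positives += 1
        else:
            self.false_positives += 1

    def samples(self):
        return self.true_positives + self.false_positives

    def precision(self):
        return self.true_positives / self.samples() if self.samples() else 0.0


class ResponseGate:
    def __init__(self):
        self.stats = defaultdict(RuleStats)

    def record_verdict(self, rule, was_true_positive):
        """Feed an analyst's verdict back: this is the feedback loop."""
        self.stats[rule].record(was_true_positive)

    def decide(self, rule, action, asset_customer_facing):
        """Return 'auto' or 'queue_for_analyst' for a proposed response."""
        if action not in ACTION_POLICY:
            raise ValueError(f"unknown action {action!r}")
        if asset_customer_facing and action in DISRUPTIVE_ACTIONS:
            return "queue_for_analyst"  # business impact outweighs speed
        min_precision, min_samples = ACTION_POLICY[action]
        s = self.stats[rule]
        if s.samples() >= min_samples and s.precision() >= min_precision:
            return "auto"
        return "queue_for_analyst"
```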

This will soon become an essential part of every organization’s defensive security posture, and your SOC analysts will finally have an advantage over their adversaries.