When PatternEx launched with its revolutionary AI2 technology, the AI revolution in cybersecurity was just starting. Now, in 2019, we are seeing significant discussions in the C-suite about using AI in InfoSec. What would AI improve? What existing products would it replace? What processes would it impact?
The security industry has grown over time with technology and products geared toward solving a specific, known threat type, or toward providing a gate at a specific point in the network. As a result, people and processes evolved with this trend to manage the detection of and response to threats, typically encapsulated by a security operations center (SOC).
The traditional process relies on people writing rules, developing attack signatures, or developing indicators of compromise (IOCs). These individual pieces are then added to the products deployed in a SOC. The process then spits out alerts that security analysts investigate at various levels (Level 1, 2, and 3). And all this happens even before incident responders are involved to take action!
This traditional process was optimized for the type of technology that was available in the past. But as the attack landscape has shifted dramatically, this tech/people/process stack is exposing significant weaknesses in our modern cyber defense architecture.
Challenges for Today's SOC
Let’s start with what’s wrong with this older stack for today’s challenges:
- Technology accuracy. The number of attacks missed is very high. Attackers have vast resources for trial and error to circumvent rule- and signature-based systems, and since every process is designed to work off alerts generated by rules, attacks get missed.
- People burnout. We are burning out people by making them triage alerts that are false positives or otherwise have no value for action.
- After-the-fact process. We can’t seem to create a learning process that gives us an early warning, rather than the inefficient “after the accident” approach (aka remediation or orchestration) that seems to be the current focus of optimization.
A Better Way with AI
As we look forward, is this rule-signature-people-alert triage model the optimal cyber security architecture? No, of course not. To see how a traditional SOC evolves into an AI SOC, let’s look at what AI can provide:
- Automated detection at scale. AI can detect (and potentially predict) advanced attacks and respond automatically. This can be done at a much lower human analyst cost by reducing the volume of alerts and reducing the need for humans to triage them.
- Automatic correlations. AI automates the “blast radius” analysis of an attack. Connecting (aka correlating) various events and entities together helps create an attack story, so that sophisticated attack campaigns that move across entities over time are detected more quickly.
- Transfer learning. AI models can be created and trained by analysts, the SOC's most significant resource, and shared with other organizations, creating higher-level intelligence sharing via analyst sourcing. AI drives efficiencies in their work and ensures knowledge is not lost when a star analyst leaves an organization.
- Active learning. AI enables continuous and contextual learning through analyst feedback and adapts to the local threat surface automatically, so there is no need for manual tuning of rules.
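To make the active-learning loop above concrete, here is a small added example (not PatternEx's AI2 code) of how analyst feedback can train an alert scorer instead of hand-tuned rules: a logistic model picks the alerts it is least sure about, the analyst's verdicts on those become training data, and the model is retrained so the remaining pool is re-ranked. The alert feed, its feature names and the verdicts are constructed for illustration.

```python
import math

# Constructed alert feed: each alert is a feature vector
# (failed_logins, mb_out, new_admin, off_hours), all scaled to [0, 1],
# plus the analyst's verdict (1 = malicious), revealed only once reviewed.
ALERTS = [
    ((0.0, 0.1, 0, 0), 0), ((0.1, 0.2, 0, 1), 0), ((0.9, 0.8, 1, 1), 1),
    ((0.0, 0.9, 0, 0), 0), ((0.8, 0.1, 1, 0), 1), ((0.2, 0.0, 0, 0), 0),
    ((0.7, 0.9, 0, 1), 1), ((0.1, 0.1, 0, 1), 0), ((0.9, 0.7, 1, 0), 1),
    ((0.0, 0.3, 0, 0), 0),
]

class FeedbackModel:
    """Logistic scorer trained by gradient steps on analyst verdicts."""
    def __init__(self, n_features, lr=1.0):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.lr = lr

    def score(self, x):
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def update(self, x, verdict):
        err = verdict - self.score(x)
        self.w = [wi + self.lr * err * xi for wi, xi in zip(self.w, x)]
        self.b += self.lr * err

def retrain(labelled, epochs=20):
    """Rebuild the scorer from every analyst verdict collected so far."""
    model = FeedbackModel(4)
    for _ in range(epochs):
        for x, verdict in labelled:
            model.update(x, verdict)
    return model

def select_for_review(model, pool, budget):
    """Uncertainty sampling: alerts scored closest to 0.5 are the ones
    where a single analyst verdict teaches the model the most."""
    return sorted(pool, key=lambda i: abs(model.score(ALERTS[i][0]) - 0.5))[:budget]

def run_loop(rounds=5, budget=2):
    """Each round the analyst reviews `budget` alerts, the model is retrained
    on all feedback, and the remaining pool is re-scored."""
    model, pool, labelled, reviewed = FeedbackModel(4), list(range(len(ALERTS))), [], []
    for _ in range(rounds):
        chosen = select_for_review(model, pool, budget)
        labelled += [ALERTS[i] for i in chosen]   # verdicts come back from the analyst
        model = retrain(labelled)
        reviewed += chosen
        pool = [i for i in pool if i not in chosen]
    return model, reviewed
```

After a few rounds the scorer separates the high-failed-login, new-admin alerts from the quiet ones without anyone writing a threshold rule, and new verdicts keep shifting it as the local environment changes.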
Positive Impact on People and Processes
With the advances in AI and big data, we can now build AI systems that dramatically improve detection efficacy compared to relying on rules and signatures. As these new capabilities find their way into a SOC, they will have a dramatic impact on its processes, enabling organizations to move up from low-impact L1 work to meaningful L3 work.
In summary, an AI enabled SOC would:
- Move from alert triaging to efficient threat investigation through automation of typical L1 analyst tasks, so analysts can focus on more productive work.
- Improve L2 / L3 analyst efficiency by over 5x through the reduction of false positives and false negatives. This also reduces analyst fatigue and the expense of inefficient technology and processes.
- Make hiring for L2 / L3 roles easier by automating complex tasks (e.g. automated correlations), and enable analysts to hunt efficiently by letting them create AI models on the fly without having to understand the underlying data science.
At PatternEx, we believe that when connected with the right AI approach, a SOC can enhance its people, process, and technology to be more productive and keep an organization more secure. We are excited to be leading and guiding the biggest global organizations in building a modern-day, AI-enabled SOC.