This is a guest post by Randy Conner, VP of IT Security, Large Hospitality Company
There have been over 3,600 data compromise breaches through Q3 2018. With the recent flood of additional cyber breaches affecting millions, everyone is looking for answers to stop this seemingly unending cycle of hacks and the bottom-line risk that comes along with them.
While the recent breaches occurred for various technical reasons, the common factor is the sheer volume of alerts for threats, patches, and the like, and the lack of visibility into them. In many cases for the 2018 breaches, the breach was detected by someone other than the victim organization’s own staff! Such a result is not surprising given the limited resources, prioritization, and execution capacity of the typical cybersecurity staff.
The State of the Art (?!)
The default for many organizations is to leverage MSSPs and SIEM tools. Clearly that alone is not working. Some MSSPs run proprietary software that hasn’t been independently vetted. MSSPs also fight the same labor battle as every other company, and you have to wonder how they are able to deliver true security at lower cost when they are up against the same constraints everyone else is. The answer is not economies of scale: the more customers an MSSP adds, the more diluted every other company’s oversight of alerts gets. The answer is automation.
Fifteen years ago, we were building automation into a SIEM. I helped develop one for IBM, and we tested it in the forge of fire by actually running it in our IBM SOC. So, I often wonder what has happened in that time. We still use SIEMs that take in a bunch of logs the old way and correlate them virtually the same way we did 15 years ago. Why have we not moved beyond these basic functionalities? This cannot continue to be the best the security industry, and we as practitioners, have to offer. We must, as an industry, move past this and take advantage of what other industries are doing. Take Tesla, for example: they are re-inventing the car industry through their use of artificial intelligence. Can we do the same?
What does AI look like?
I agree with many in the industry that AI will no longer be an optional step, but rather a requirement for us to keep up with the threat volume and sophistication we are seeing. Artificial intelligence and machine learning have been used in many ways, so let me share my view of these technologies.
I see the definition of AI in cyber security as follows:
- Machine-only analysis (i.e., unsupervised learning).
- Use analyst inputs to create pre-trained AI models (i.e., supervised learning).
- Use ongoing security analyst inputs to fine-tune and continue training supervised AI models (i.e., active learning).
I truly believe that without ongoing security analyst input, AI/ML models may work, but may not capture organization- or industry-specific threats. In the world of AI, security is hard due to the lack of examples (i.e., data). And while malware and the like are easy to find, the same is not true for more sophisticated attacks like data exfiltration (which is, in the end, what hit many of the organizations we have heard about as of late).
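To make the three learning modes above concrete, here is an added example (not code from the original post or from any product it mentions) of the third one: a scorer pre-trained on analyst-labelled alerts, ranking new alerts so the riskiest reach the top of the heap, then asking the analyst about the alerts it is least sure of and fine-tuning on the answers. The alert features, labels and the analyst's answers are all constructed for illustration.

```python
"""Added example (not from the post): a minimal active-learning triage loop.
A scorer pre-trained on analyst-labelled alerts ranks new ones so the riskiest
reach the top of the heap, asks the analyst about the alerts it is least sure
of, and retrains on the answers. All alerts below are constructed."""
import math

# Feature vector per alert (constructed, scaled to roughly 0..1):
# [outbound_volume, off_hours, new_destination, failed_logins]
PRETRAINED = [  # analyst-labelled history: 1 = confirmed exfiltration
    ([0.9, 1, 1, 0.0], 1), ([0.8, 1, 1, 0.3], 1),
    ([0.1, 0, 0, 0.1], 0), ([0.2, 0, 0, 0.0], 0), ([0.1, 1, 0, 0.0], 0),
]
POOL = {  # unlabelled alerts arriving at the SOC
    "A": [0.95, 1, 1, 0.0], "B": [0.05, 0, 0, 0.0],
    "C": [0.5, 0, 1, 0.2], "D": [0.6, 1, 0, 0.0],
}
ANALYST_TRUTH = {"C": 1, "D": 0}  # what the analyst answers when asked

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

class AlertScorer:
    """Logistic-regression scorer trained by plain SGD (stdlib only)."""
    def __init__(self, n_features, lr=0.5):
        self.w, self.b, self.lr = [0.0] * n_features, 0.0, lr

    def score(self, x):
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b)

    def train(self, labelled, epochs=300):
        for _ in range(epochs):
            for x, y in labelled:
                err = self.score(x) - y  # gradient of the log-loss
                self.w = [wi - self.lr * err * xi for wi, xi in zip(self.w, x)]
                self.b -= self.lr * err
        return self

def rank(scorer, pool):
    """Alert ids ordered so the highest-risk alert reaches the analyst first."""
    return sorted(pool, key=lambda i: scorer.score(pool[i]), reverse=True)

def most_uncertain(scorer, pool, k):
    """Ids the model is least sure about: the ones worth an analyst's time."""
    return sorted(pool, key=lambda i: abs(scorer.score(pool[i]) - 0.5))[:k]

def active_learning_round(scorer, labelled, pool, analyst, k=2):
    """Ask the analyst about k uncertain alerts, then fine-tune on the answers."""
    asked = most_uncertain(scorer, pool, k)
    labelled = labelled + [(pool[i], analyst[i]) for i in asked if i in analyst]
    return scorer.train(labelled), asked
```

Calling `AlertScorer(4).train(PRETRAINED)` puts alert A at the top of `rank(...)` before any feedback; one `active_learning_round(...)` then moves C and D to the sides the analyst chose, which is the organization-specific knowledge a purely pre-trained model would never pick up.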
AI Benefits for the Security Operations Center (SOC)
The practical outcome from leveraging AI is that you get events that are more actionable and carry more context than ever before. You only work on those alerts that make their way to the top of the heap. This is critical because even the largest SIEMs are not capable of ingesting the volume of logs that we should be bringing in. The additional requirements of GDPR, other regulations, and the tightening of PCI requirements are all pushing us to log from more systems and applications than ever before.
Organizations can now shift spending from triaging false positives into improved analyst productivity. And with the ability to create and/or tune AI security models, analysts can share their knowledge to benefit an organization, even if they leave.
I am confident that our current model of multi-tier SOC analysts, SIEM, and basic machine learning alone is not our future. A lot more innovation is yet to come for AI and cyber and I look forward to being on the front lines to help be the champion for my users and customers.