The best learnings we get are from customers and prospects. And our community learned a lot during our webinar titled "An Overview of AI for Security Pros." I was impressed by the attendance mix and the questions we received. First off, we had a good mix of large enterprise and MDR/MSSP attendees. Clearly, the need to understand, and more importantly to utilize, AI for improving SOCs was hitting home.
We covered a lot of good content from our Chief Data Scientist, Dr. Ignacio Arnaldo, so I would encourage you to watch the webinar. We covered two of the critical elements of data science/AI applied to infosec (labeling and data variety); the other two we will cover in a follow-on webinar.
From the questions and discussions, I picked out two questions (out of the many) that may benefit you as well:
Q: What does it take to build your own AI component for your security stack?
The answer was in-depth and made clear that it takes:
- People. Data scientists to create models, security analysts to describe attack vectors and patterns, and infrastructure engineers to build and maintain the stack.
- Hardware and software. While there may be open source tools or cloud services, in AI the compute and storage can quickly add up to large expenditures of time and money. So building your own requires a good analysis of how to build your data lake architecture, efficient AI model and feature computation, and a good data set of attacks to train a good model (i.e. lots of storage).
- Model training and data sets. All good models need good inputs. Unsupervised learning will ingest from historical logs. Supervised learning models will be driven by security analyst inputs. Additionally, getting a diversity of attack patterns to cover all threats takes a wide range of data sets and inputs. And transfer learning (sharing attack models) will help accelerate the effectiveness of the model coverage.
- Maintenance. While AI models don't need as much maintenance as traditional SIEM rules, the infrastructure, updating attack models, and learning how to apply new models/features all require skilled effort.
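To make the "model training and data sets" point concrete, here is a small added illustration (not PatternEx code, and not the platform's actual models) of the loop the list describes: an unsupervised baseline scores historical events and builds a review queue, an analyst labels what is queued, those labels train a deliberately simple supervised nearest-centroid model, and the fitted model is serialized so it can be shared. The login-activity records, the feature set and the analyst verdicts are all constructed for the example.

```python
# Added illustration, not PatternEx code: an analyst-in-the-loop pipeline on
# constructed login-activity records. Unsupervised scoring over historical
# events ranks what an analyst should look at; the analyst's labels then
# train a (deliberately simple) supervised nearest-centroid model, and the
# fitted model is serialised so it can be imported and reused elsewhere.
from __future__ import annotations

import json
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    failed_logins: int   # failed authentication attempts in the window
    distinct_hosts: int  # distinct hosts the account touched
    kb_out: int          # kilobytes sent outbound


# Constructed historical events (not real telemetry); two are unusual.
HISTORY = [
    Event("alice", 0, 2, 120), Event("bob", 1, 3, 200), Event("carol", 0, 1, 90),
    Event("dave", 2, 2, 150), Event("erin", 0, 3, 110), Event("frank", 1, 2, 180),
    Event("grace", 25, 14, 9000),
    Event("heidi", 0, 2, 130), Event("ivan", 18, 9, 6000), Event("judy", 1, 1, 100),
]


def features(e: Event) -> list[float]:
    return [float(e.failed_logins), float(e.distinct_hosts), float(e.kb_out)]


def fit_baseline(events: list[Event]) -> tuple[list[float], list[float]]:
    """Unsupervised step: per-feature mean and population std from history."""
    cols = list(zip(*(features(e) for e in events)))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds


def standardize(e: Event, means, stds) -> list[float]:
    return [(x - m) / s for x, m, s in zip(features(e), means, stds)]


def anomaly_score(e: Event, means, stds) -> float:
    """Largest absolute z-score across features: how far the event sits from baseline."""
    return max(abs(z) for z in standardize(e, means, stds))


def review_queue(events, means, stds, top_n=4) -> list[Event]:
    """What the unsupervised stage hands to the analyst, most anomalous first."""
    return sorted(events, key=lambda e: anomaly_score(e, means, stds), reverse=True)[:top_n]


def train_centroids(labels: dict[str, int], events, means, stds) -> dict[int, list[float]]:
    """Supervised step: one centroid per analyst label (1 = malicious, 0 = benign)."""
    by_user = {e.user: e for e in events}
    groups: dict[int, list[list[float]]] = {}
    for user, label in labels.items():
        groups.setdefault(label, []).append(standardize(by_user[user], means, stds))
    return {label: [sum(col) / len(col) for col in zip(*vecs)]
            for label, vecs in groups.items()}


def classify(e: Event, centroids, means, stds) -> int:
    """Assign the label whose centroid is nearest in standardized feature space."""
    z = standardize(e, means, stds)
    return min(centroids, key=lambda lbl: math.dist(z, centroids[lbl]))


def export_model(means, stds, centroids) -> str:
    """Serialize baseline plus centroids so another team can import and reuse them."""
    return json.dumps({"means": means, "stds": stds,
                       "centroids": {str(k): v for k, v in centroids.items()}})


def import_model(blob: str):
    m = json.loads(blob)
    return m["means"], m["stds"], {int(k): v for k, v in m["centroids"].items()}


def run_pipeline():
    means, stds = fit_baseline(HISTORY)
    queue = review_queue(HISTORY, means, stds)
    # Constructed analyst verdicts on the queued events (1 = malicious, 0 = benign).
    verdicts = {"grace": 1, "ivan": 1, "carol": 0, "judy": 0}
    labels = {e.user: verdicts[e.user] for e in queue if e.user in verdicts}
    centroids = train_centroids(labels, HISTORY, means, stds)
    # Round-trip through export/import to mirror sharing the model with another team.
    means, stds, centroids = import_model(export_model(means, stds, centroids))
    new_events = [Event("mallory", 20, 11, 7000), Event("niaj", 1, 2, 140)]
    return ([e.user for e in queue],
            {e.user: classify(e, centroids, means, stds) for e in new_events})


if __name__ == "__main__":
    print(run_pipeline())
```

The point of the toy is the data flow rather than the model: the unsupervised stage needs only historical logs, the supervised stage cannot start until an analyst has labeled the queue, and the more diverse the labeled events, the better the centroids generalize. Nearest-centroid on z-scores is a stand-in for whatever model a real platform would train.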
The summary? Buy—don't build—and spend the extra resources on tweaking the models and infrastructure for the various tenants/customers you will have to support and defend.
Q: How is the PatternEx Virtual Analyst Platform productized?
We covered the various ways the platform could be used, including:
- A ready-to-go "shrink wrap" approach with everything set up on VMs or in the cloud. This includes many models that have already been trained, out of the box. The entire infrastructure needed to run and maintain everything, and the GUI required by analysts or data scientists, is included. For advanced users, data scientist notebooks and query tools are included.
- API approach. For a truly customized approach, leverage the API to plug in your own workflow, UI, and threat hunting approach. The UI will still be available. And with transfer learning, import/export of models makes them easy to share across analysts.
Drop us a line if you too have questions after seeing the webinar. Or if there are other topics you would like our team to focus on, let us know.
(And to continue your AI learning journey, check out our ThreatEx Labs website, full of information, guidance, and tools for utilizing AI to improve cybersecurity.)