Across a variety of industries, the adoption of automation and artificial intelligence (AI) initiatives has meant less of a burden and more opportunity for many employees and businesses alike. While security operations have made good progress here, especially in the last four years, there is still a long way to go. Today, it is both common and accurate to point out that warm-bodied, innovative human adversaries will invariably defeat a technology-based defense. But, the path to success requires focused and effective automation technologies like AI and machine learning (ML) to supercharge the expertise and experience of an equally innovative and warm-bodied defender working as part of an enterprise security operations center (SOC) and outsourced services like managed detection and response (MDR).
The Established Need for Human Decision Making
It’s a common misconception that more technology means less need for people. And that’s just not the reality. Automation, AI and ML will likely never entirely replace the need for human decision-making in security operations. The human mind is far too clever and can use abstract thinking to bypass defenses and penetrate a target network that technology tools simply cannot discern. For example, the most sophisticated endpoint detection and response (EDR) solution stands little chance against an employee who is socially engineered to give out an administrative password. The best chance to counter the unpredictable behavior of a cybercriminal is through human security analysts who can think and act as they do to even the playing field. As an industry, we shouldn’t focus on how AI, ML and automation can replace security analysts, but rather how they can be used to augment (and expedite) informed decision making against complex attacks and then drive response actions selected by an analyst who understands what the attacker is trying to achieve and how he is most likely trying to achieve it. Automated enrichment that puts all relevant information in front of the analyst must pull from various knowledge bases and research resources to enable analysts to understand the battlespace they are operating in and make informed decisions.
Where Automation/AI/ML Is Successful Now
Already, several areas across the security landscape are experiencing success from automation, ML and AI initiatives. Essentially, where bad actors are using automation, we can, in turn, also use automation against them. Take, for example, attacks involving credential stuffing, in which cybercriminals use stolen usernames and passwords to try to access multiple accounts elsewhere. With attacks like this, threat intelligence initiatives serve as guides to writing these tools that can detect bad actors (i.e., keystrokes, mouse movements, etc.) and inform security analysts on how best to establish indicators of compromise (IOCs) to monitor for them. On their own, an IOC may not pose a threat, but the sum of multiple related IOCs would warrant cause for a deeper investigation.
Automation and ML can also be incorporated into technology platforms to predict how malware will evolve and thus, can create a unique signature against malware that wouldn’t normally exist. This ML-generated signature can then drive detection and alert the analysts to run an investigation.
Another critical area these technologies are being leveraged is through the collection and processing of mountains of security data required to uncover and verify anomalous activities as real threats, finding the proverbial needle in but in a stack of needles. Automating lower-skilled SOC tasks that were often the work of less qualified or less experienced analysts protects the time of the security team and enables them to focus on the higher-skilled, higher-value tasks that protect the enterprise.
Leveraging the Benefits of AI, Automation and ML Across SOCs
The sheer speed and pattern recognition capabilities of automation and AI helps SOC operations establish a baseline for security activity and then track against it. By setting parameters for normalcy, these initiatives enable consistent monitoring and will flag activities outside established boundaries. Once a “normal” is established, analysts can catch suspicious activities that stray from the established settings to drive decision-making around what to discard or pursue further. Moreover, these tools enable analysts to proactively gauge how an attack would be executed, where vulnerabilities exist, and what happens next to combat bad actors effectively.
Equipping the SOC of the Future
For the foreseeable future, AI, ML and automation will not replace analysts but rather automate efficiencies across SOCs and provide analysts with more context in real-time. We can anticipate seeing more AI cases being leveraged not to mimic the analysts but rather using AI-garnered intelligence to mimic bad actors. For example - if we are able to use AI to scan a large-scaled environment, correlate with existing vulnerabilities and then predict the way a bad actor would exploit that environment, this becomes extremely valuable for an analyst because that then provides them with threat hunting intel to harden environments before attacks take place.
Additionally, we’ll likely start seeing AI and ML specifically used to enable scale. As of now, analysts have limits on the amount of data they can manually collect. Most data platforms work from the promise of big data analytics (the more data you have, the more patterns, relationships and insights you can derive), but the licensing model makes it restrictive to the volume of data permitted within a set budget. The future will ultimately commoditize the concept of infrastructure as a service. Thus, removing storage and data limitations from the equation and providing analysts with the ability to look at data sets in a much more strategic way and hone in on predictive analytics necessary to combat bad actors.
Even further, these tools build a strong - and more sophisticated - baseline for identifying bad actors’ patterns, initiating predictive analytics and acting on them faster than a human could. These initiatives will, over time, help make the SOC analyst more efficient, arming them with intelligence and insights to make more informed decisions.
With the ever-evolving threat landscape, bad actors are becoming increasingly more sophisticated in their tactics and approaches for evading detection. It is truly a modern-day cat and mouse game. As AI and automation improve and grows in adoption across SOC operations, the speed and accuracy of threat detection will increase as a result. Highly skilled security analysts will spend more time on countermeasures and threat elimination and much less time wading through mountains of data chasing and verifying alerts and false positives.