- AI and machine learning are reducing the constraints of traditional SOC operations.
- Time saved through resulting automation can be put to use on high-priority investigation and response.
Recently, classic rock band The Kinks brought out a previously unreleased track called “Time Song,” which muses on the slippery ubiquity of this thing called time:
Time is ahead of us
Above and below us
Is standing beside us
And looking down on us…
While the song’s message is universal, that last part of the quoted lyrics above may be true when it comes to the key realities of security operations management. The number of person hours available does not come close to the number required to investigate every incident reported by an organization’s systems and users. When it takes a security analyst 10 to 15 minutes to research each incident, but the number of incidents pouring in via collected intelligence is in the hundreds or thousands daily, it can indeed feel like time itself is “looking down on us” and cruelly watching us fail to keep pace.
Machine Learning for Time Saving
The Information Security World UK 2018 conference hosted by NTT Security this week included a number of sessions devoted to the possibilities of using artificial intelligence (AI) and machine learning in improving cybersecurity intelligence. The driver here in almost every use case was not so much efficiency or speed but rather conservation of limited human – and therefore time-based – resources. From the broader impacts of AI on the digital world to more specific ways of applying automation, machine learning, and AI to project data and devices, the topic was not an official theme of the event, but it probably could have been.
We go on, drifting on
Dreaming dreams, telling lies
Generally wasting our time
Suddenly it’s too late
Time has come and can’t wait
There’s no more time
During a conference session on advanced SOC capabilities, business decisions and tradeoffs which all involve the precious commodity of time were top of mind for delegates and the speakers representing key SOC vendors. Time is wasted in battling internal stakeholders over the costs of investing in security intelligence, time which is lost when it comes to fighting the organization’s actual adversaries who happily exploit the situation. Time is also lost in managing vulnerabilities. By focusing on a small number of the highest-rated vulnerabilities (in order to prioritize time!), large numbers of lower-rated vulnerabilities go unmanaged. But, the most exploited vulnerabilities aren’t actually ranked as critical, according to NTT Security partner Skybox. Low, medium, and just plain old vulnerabilities are what is letting adversaries get in through doors that are too often overlooked. By implementing end-to-end best practice processes in vulnerability management – as painful as the initial exercise may be – significant time can be saved while still taking a comprehensive approach to the full set of vulnerabilities. Skybox helps enterprises implement such processes and supplies a powerful big data platform which helps them understand their heterogeneous technology environments and generate insights from security controls across multiple vendors, apps, managed security service providers (MSSPs), and networks.
When it comes to security analytics applied to vulnerabilities and attack methods, machine learning is already being used by vendors like LogRhythm. Its aim is to help organizations use its analytics platform to deal with both known and unknown vulnerabilities and attack methods, using its scenario-based approach. Time saved from use of unsupervised machine learning can be better applied to deeper statistical analysis and targeted use of supervised machine learning to investigate unknowns.
Orchestrated Savings in Incident Response
In addition to detection and identification of incidents, machine learning and automation can also be used in developing the appropriate response to those incidents. NTT partner FireEye, following its 2016 acquisition of Invotas, can offer a solution for orchestrating the SOC’s response to incidents. Without enough people – or time – to manage all of the individual alerts generated by each app, device, cloud, and network, automation can be used to bridge the gap between the large number of alerts needing a response and the great lack of people available to do so. Threats that can be attributed to known sources can be prioritized, giving SOC analysts the most relevant incidents to focus on first. Assigning attribution is automated using machine learning, which can also be used to enrich existing intelligence of those incidents without a known attribution (through further automated data collection and analysis).
Using security orchestration can help provide context and organization to collected intelligence, saving time in vetting, rating, and ranking alerts. This helps reduce the window of risk exposure while increasing staff efficiency and performance. It also helps ensure consistency in the intelligence process including incident response. But, the bottom line is much simpler: in an environment of chronic skills shortages, security orchestration delivers time back to security operations staff.