The cybersecurity landscape is looking at higher than ever threat levels, data volumes quadrupling every 36 months, computing power and data transfer speeds increasing just as fast, and a diversity of IoT devices ushering in a new era of automation.
To get a grip on this, more organizations are exploring how AI can help. The next-generation security operations center (SOC) incorporates automation and orchestration — automation applied to both defense operations and threat hunting, incorporating AI and machine learning, and orchestration managing how multiple sets of tools and platforms work together.
“AI and ML are not only used in a next-generation SOC to enhance detection and prevention activities, but also, increasingly, to augment incident response actions such as containment actions, ticket creation, and user engagement to triage and/or validate a suspicious action,” stated John Harrison, Director, Cybersecurity Center of Excellence for Criterion, in an article he wrote for Nextgov. “The applications of AI and ML reduce the time spent on each alert and improve the Mean Time to Detect as well as the Mean Time to Repair.” Criterion is a systems integrator focused on solutions for government agencies.
New challenges facing SOCs include: serving the needs of remote and teleworking employees, a dramatically increased number during the pandemic; managing multiple cloud platforms; and dealing with an exploding number of IoT devices that need to be configured.
“The structure of SOCs is already adapting and evolving to bring together defensive operations and the analysis of emerging threats with the strategic introduction of new technologies. The result is a mature, flexible, risk-based and cost-efficient approach to ensure the crown jewels of an enterprise remain secure,” Harrison stated.
Historical ways of doing things are being updated. Security information and event management (SIEM), a term coined in 2005, provides real-time analysis of security alerts generated by applications and network hardware. Firewalls, malware protection and other signature-based options solve part of the problem. Successful threat hunting requires a preemptive search of large data sets, using AI and machine learning. The idea is to identify threats that may have evaded, or may already be evading, current detection capabilities.
“The application of automation to threat hunting enables faster response time and more agile and improved recommendations on responses. It reduces attack vectors, breaches, and breach attempts and enables organizations to move from a purely reactive response to operating ahead of threats,” Harrison stated.
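The contrast the article draws between signature-based controls and a hunt over large data sets for activity that has already slipped past them can be shown concretely. The following is an added example, not code from the article or from Criterion: it parses a handful of constructed authentication log lines (the user names, timestamps and IP addresses are made up), builds a per-user baseline of normal login hours and source network prefixes from a training window, and then scores new events. A blocklist stands in for the signature layer; anything the blocklist does not catch is compared against the baseline and flagged as an anomaly, which is the kind of "inspect and alert" step the article describes an AI-assisted SIEM automating at scale.

```python
"""Baseline-driven threat hunting over authentication logs.

Added example. The log lines, user names, IP addresses and blocklist
below are constructed for illustration; they are not data from the article.
"""
import re
import statistics
from collections import defaultdict

# Constructed training window: timestamp, user, source IP, result.
BASELINE_LOGS = """
2024-03-01T08:02:11Z user=alice src=10.0.0.12 result=success
2024-03-01T08:15:40Z user=bob src=10.0.0.40 result=success
2024-03-02T09:01:05Z user=alice src=10.0.0.12 result=success
2024-03-02T08:50:19Z user=bob src=10.0.0.40 result=success
2024-03-03T08:30:22Z user=alice src=10.0.0.13 result=success
2024-03-03T09:12:47Z user=bob src=10.0.0.40 result=success
2024-03-04T08:45:00Z user=alice src=10.0.0.12 result=success
2024-03-04T08:20:33Z user=bob src=10.0.0.41 result=success
"""

# Constructed events to hunt over after the baseline is built.
NEW_LOGS = """
2024-03-05T08:10:02Z user=alice src=10.0.0.12 result=success
2024-03-05T03:17:55Z user=bob src=198.51.100.7 result=success
2024-03-05T08:40:11Z user=carol src=10.0.0.50 result=success
2024-03-05T12:00:00Z user=alice src=203.0.113.9 result=success
"""

# Signature layer: a constructed blocklist of known-bad source addresses.
KNOWN_BAD_SOURCES = {"203.0.113.9"}

LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)"
)


def parse(text):
    """Turn raw log text into a list of event dicts with an integer hour."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["ts"][11:13])  # hour field of the ISO timestamp
            events.append(ev)
    return events


def prefix(ip):
    """First three octets of a dotted IPv4 address, used as a coarse /24 key."""
    return ip.rsplit(".", 1)[0]


def build_baseline(events):
    """Per-user profile: login hours observed and source prefixes observed."""
    profile = defaultdict(lambda: {"hours": [], "srcs": set()})
    for ev in events:
        profile[ev["user"]]["hours"].append(ev["hour"])
        profile[ev["user"]]["srcs"].add(prefix(ev["src"]))
    return profile


def hunt(events, profile, hour_tolerance=2):
    """Return (user, timestamp, reason) findings.

    The signature check runs first; events it does not match are compared
    against the user's baseline and flagged when they deviate from it.
    """
    findings = []
    for ev in events:
        user = ev["user"]
        if ev["src"] in KNOWN_BAD_SOURCES:
            findings.append((user, ev["ts"], "signature:known-bad-source"))
            continue
        if user not in profile:
            findings.append((user, ev["ts"], "anomaly:no-baseline-for-user"))
            continue
        p = profile[user]
        reasons = []
        if abs(ev["hour"] - statistics.median(p["hours"])) > hour_tolerance:
            reasons.append("unusual-hour")
        if prefix(ev["src"]) not in p["srcs"]:
            reasons.append("new-source-prefix")
        if reasons:
            findings.append((user, ev["ts"], "anomaly:" + "+".join(reasons)))
    return findings


def run():
    """Build the baseline from the training window and hunt over the new events."""
    profile = build_baseline(parse(BASELINE_LOGS))
    return hunt(parse(NEW_LOGS), profile)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Run as a script it prints three findings: bob's 03:17 login from an unfamiliar network is flagged purely by deviation from his own baseline, carol is flagged because no baseline exists for her yet, and alice's login from the blocklisted address is caught by the signature layer. The point is that the second and third findings are "normal" to any signature rule; only the comparison against learned behavior surfaces them, and a real deployment would replace the median-hour and /24-prefix heuristics with a proper model while keeping the same inspect-then-alert shape.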
AI Seen As Potentially Helping Extend Budgets by Delivering More Value
The push to incorporate AI into cybersecurity is also being seen as a way to extend corporate security budgets under pressure.
AI in cybersecurity until 2014 was a marketing term, stated Raef Meeuwisse, CISM, CISA, author of “Cybersecurity for Business,” in a recent account in Infosecurity. He is not a fan of machine learning on its own applied to cybersecurity. “The problem with machine learning is that the AI is limited to the features that it has been taught to expect,” he states. “Fooling a machine learning security system is as simple as adding an unexpected/unprogrammed feature into the exploit.”
Artificial neural networks, in contrast, effectively self-organize how the system reviews and manages the data it has access to. “It does not need to have seen the behavior before, it only has to recognize the outcome, or potential outcome,” he states.
Security programs using AI technologies, often running as local agents, can now understand and block rogue identity and access activities, identify and quarantine malware, prevent data loss, adapt the security configurations of devices, with few or no errors. “The progression and investment into artificial neural network technology means that some security software technologies have now reached a level of competency that was unthinkable 10 years ago,” Meeuwisse states.
In some SIEM environments, the AI applied to security can inspect, alert and block based on analysis that would be impossible to achieve manually. “The AI technologies are literally performing the equivalent of years of manual security work every minute,” he states.
As the AI technologies become more stable, the author sees the price point moving lower as well. The average AI anti-malware solution for home use is now priced at less than $1 per device per month. “My own experience using these technologies is that they are incredibly helpful,” he stated.
AI is a New Learning Requirement for Cybersecurity Professionals
Cybersecurity professionals working in enterprises now face a requirement to learn how AI and machine learning can work within their systems. “AI/ML has a direct effect on cybersecurity teams and brings a whole new set of needs to the enterprise,” stated Bob Peterson, CTO architect at Sungard Availability Services, an IT service management company, in a recent account.
The creation and maintenance of the AI/ML security system requires a joint effort from many contributors. “The team requires domain experts that understand the security data and how it is generated, data analysis and data science experts that understand data analysis techniques, and AI/ML experts that translate this information into the right models and algorithms,” Peterson stated.
When hiring, it’s good to be open-minded. Maybe a candidate has a needed skill but needs to come up the learning curve in cybersecurity. “It may be easier to educate them on cybersecurity versus the technology skill itself,” Peterson stated.
Cybersecurity also faces a challenge in diversity of staff. Only 20% of security professionals are women and only 26% in the US are from marginalized communities, according to Sivan Nir, a threat intelligence team leader at Skybox Security, a cybersecurity software supplier.
“This is a big problem because cybersecurity, in particular, is a field that thrives on diversity,” Nir stated. “If you think about who we are up against, cybercriminals come from diverse backgrounds, so it is crucial our teams have different points of views and a variety of thought processes.”
Nir emphasized the importance of making people—especially girls and underrepresented groups—aware of tech and cybersecurity as a career path from a young age. “Working in technological fields should be seen as exciting, not intimidating,” she stated. “Cybersecurity, in particular, is never boring—it tackles real-world challenges at a fast pace every day.”