AI Security Operations Provides Powerful Counterpunch to Cyber Threats
When I was a young boy, my grandfather taught me an important lesson about self-defense. He stressed that I should never seek out physical conflict with others; however, if it was unavoidable, then I should never throw the first punch. Then he paused, looked me square in the eyes, and said that if I wanted to be on the winning end, then it was “imperative to throw the second punch…hard.” As cyber security leaders – who are constantly under barrage by adversaries who are trying to exploit our networks, disrupt our business operations, and steal our data – it is time for us to strike back.
"Leveraging the unique power of AISecOps augments cyber defenders in their mission to effectively protect systems against incoming cyber threats and attacks"
To counterpunch against today’s prevailing threats, we need to better leverage Artificial Intelligence (AI) in our Security Operations (what cyber security leaders now are calling “AISecOps”). With threats growing in both number and capability by orders of magnitude, and with staffing our security teams with qualified, certified, and experienced people as difficult as ever, AISecOps could be a powerful force multiplier for our organizations and our efforts.
First, let’s define AISecOps. In operations, words have meaning, and most people in the industry are really thinking about machine learning (ML) when they consider AI in the operational space. However, AI goes beyond just ML, so we should implement those other aspects of AI to bolster our security operations (SecOps).
ML has brought amazing capabilities into the security space, leveraging heuristic functions to aid in user and entity behavioral analytics, endpoint security, security orchestration, and more. While ML is a game changer for those who can afford the capability, it is data greedy: it consumes a lot of computational power and resources to process effectively. Additionally, implementing, integrating, and configuring an MLOps toolset within a software environment can be fairly cost-prohibitive. Security professionals need to look beyond ML and leverage broader AI capabilities. Computer vision and natural language processing, in concert with automation, fuel robotic process automation that can assist the entire defensive cycle from preparation to response by completing necessary tasks that take time away from the defender. The real benefits of applying these capabilities include automating common tasks, augmenting and enriching incident and event log data, and freeing security analysts from tasks that consume time but do not necessarily enhance their operational posture. AISecOps is also instrumental in enhancing automation efforts by identifying and rectifying the simple changes introduced by updates and patches that would normally throw one’s automation efforts into upheaval.
Computer Vision and Natural Language Processing, in concert with Robotic Process Automation, can assist the entire defensive cycle from preparation to response by completing necessary tasks that take time away from the defender. This includes threat research, intelligence digest generation, augmenting threat intelligence, indicator correlation and log analysis, patch deployments, scan analysis and augmented ticket generation, and user notification and ticket closures. AI and automation should go hand-in-hand and be integrated into one’s security framework.
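The indicator correlation, log enrichment, and augmented ticket generation listed above are the kind of repetitive work the article proposes handing to automation. The following Python block is an added example, not code from the original article or any product it mentions: it parses a handful of constructed, syslog-like log lines, matches extracted fields against a small constructed indicator set (RFC 5737 test addresses and example.net names, not real IoCs), attaches the context an analyst would otherwise look up by hand, and rolls the hits up into one enriched ticket per affected host. The field names, severity scheme, and ticket layout are all assumptions made for the example.

```python
"""Indicator correlation over log lines, feeding enriched tickets.

Added example, not from the original article. Every indicator, hostname,
and log line below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed indicator set: value -> context the analyst would otherwise look up.
INDICATORS = {
    "198.51.100.23": {"type": "ip", "context": "constructed: flagged as C2 in internal feed"},
    "update-check.example.net": {"type": "domain", "context": "constructed: credential-phishing host"},
    "9f" * 32: {"type": "sha256", "context": "constructed: known dropper hash"},
}

# Constructed log lines: "<timestamp> <host> <source> key=value ..."
LOG_LINES = [
    "2024-03-01T10:00:01Z ws-017 proxy dst=update-check.example.net action=allow user=jdoe",
    "2024-03-01T10:00:05Z ws-017 edr sha256=" + "9f" * 32 + " action=quarantine path=C:\\Users\\jdoe\\tmp\\inv.exe",
    "2024-03-01T10:02:17Z srv-db01 fw dst=198.51.100.23 dport=443 action=deny",
    "2024-03-01T10:03:00Z ws-042 proxy dst=intranet.example.net action=allow user=asmith",
]

HEADER = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<source>\S+)\s+(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S+)")

# Assumed severity per indicator type; real deployments would take this from the feed.
SEVERITY = {"ip": "medium", "domain": "medium", "sha256": "high"}
RANK = {"low": 0, "medium": 1, "high": 2}
BLOCKING_ACTIONS = {"deny", "quarantine"}


def parse_line(line):
    """Split a line into header fields plus its key=value pairs; None if malformed."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = dict(KV.findall(m.group("rest")))
    fields.update(ts=m.group("ts"), host=m.group("host"), source=m.group("source"))
    return fields


def correlate(lines):
    """Return one enriched hit per log line whose dst or sha256 field matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for key in ("dst", "sha256"):
            value = rec.get(key)
            if value in INDICATORS:
                hits.append({**rec, "indicator": value, **INDICATORS[value]})
    return hits


def build_tickets(hits):
    """Group hits by host into tickets carrying the highest severity and whether a control already blocked it."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    tickets = {}
    for host, host_hits in by_host.items():
        severity = max((SEVERITY[h["type"]] for h in host_hits), key=RANK.get)
        tickets[host] = {
            "host": host,
            "severity": severity,
            "indicators": sorted(h["indicator"] for h in host_hits),
            "contexts": [h["context"] for h in host_hits],
            "all_blocked": all(h.get("action") in BLOCKING_ACTIONS for h in host_hits),
            "first_seen": min(h["ts"] for h in host_hits),
        }
    return tickets


if __name__ == "__main__":
    for ticket in build_tickets(correlate(LOG_LINES)).values():
        print(ticket)
```

The `all_blocked` flag is what lets the automation route tickets sensibly: a host whose only hit was already denied at the firewall can go to a lower-priority queue, while the workstation with an allowed phishing connection followed by a quarantined dropper surfaces at the top with its context already attached.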
Our opponent in this constant struggle within cybersecurity is not the payload, it’s another person. It’s a person who changes their tactics, techniques, and procedures on a whim, and who does not follow a particular modus operandi. Unfortunately, the current state of AI/ML cannot combat this effectively. Consequently, we need to leverage our own people and enhance their capabilities through AI to create a human/machine team. This concept is akin to what the defense industry is accomplishing with ‘sensor to shooter’ technologies for aiding fighter pilots and others to fulfill their missions. If we belabor the “OODA loop” so much in security that it has now become cliché, we might as well steal this technique from that community as well!
Finally, if we cannot collaborate across the industry, then this is all for naught. Adversaries freely trade malware and target intelligence across the dark web. We need to share our own best practices, including how we are automating and leveraging AI across our own tool sets and operations. This will allow us to scale, and our collective knowledge and brainpower will sideline adversaries. Silos and compartmentalization are great for individual data sets, but less so for best practices and frameworks. With AI and automation becoming more ubiquitous and cost-efficient, cyber security professionals should leverage AISecOps to counterpunch against the adversarial threat together.