Artificial Intelligence (AI) and Security: A Match Made in the SOC

February 5, 2020

Change is constant in cybersecurity — continual, rapid, dynamic change. It’s impossible to maintain an effective defensive posture without constantly evolving. Security measures that worked in the past will not be effective today, and today’s security controls will not be effective tomorrow.

Many factors contribute to this rapid pace of change. Attacks are on the rise, and they are getting more advanced, persistent and stealthy each day, with some attackers even leveraging artificial intelligence (AI) to power their campaigns. Trends such as hybrid multicloud deployments, the internet of things (IoT), and mobile devices and services are making the attack surface larger and more complex. Traditional defenses are quickly outdated and the cybersecurity playing field has become a game of cat-and-mouse.

It’s no surprise that businesses struggle to keep up. Too often, the consequences of falling behind are dire: large breaches make headlines, executives’ jobs are jeopardized, brands and reputations are tarnished, and revenue is lost. Businesses today must scramble just to maintain adequate and effective security defenses.

Major Security Challenges Facing Organizations Today

Organizations face a number of obstacles when trying to stay on top of security controls and protect their businesses from cyberattacks.

Lack of Cybersecurity Talent and Analyst Job Fatigue

The widespread cybersecurity skills shortage is exacerbating analyst job fatigue. The tedious and time-consuming threat investigation process, when done manually, can take hours, days, weeks or even months to complete.

When security operations center (SOC) analysts spend most of their time on investigations, and there are more investigations than hours in the day, remediation of confirmed risks is delayed, which in turn increases the organization’s security risk exposure. Analysts are overworked and overwhelmed by the volume of alerts received daily, resulting in low morale and high attrition rates.

Unaddressed Security Risks

The average security analyst receives a large volume of alerts daily, in many cases more than can be handled in a single day. When analysts are overloaded and unable to sift through all of the alerts, they often end up spending time on lower-priority issues, so significant potential threats may go unaddressed, increasing the risk that an attack goes undetected.

Long Dwell Times

Dwell time refers to the length of time an attacker has access to an environment to do as they wish. Longer dwell times mean bad actors spend more time in your environment accessing confidential and proprietary data, stealing funds or accessing sensitive information — and the more time they spend in your environment, the greater the extent of the damage.

Mean time to detect (MTTD) and mean time to remediate (MTTR) are the two components of dwell time as the term is used here. MTTD is the time from the attacker’s initial access until the organization discovers the incident; MTTR is the time from discovery until the threat is contained, remediated and removed from the environment. Note that some industry reports define dwell time as the detection interval alone, so check the definition before comparing figures across sources. Increasingly, senior executives are being held accountable for these two key performance metrics.
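As an added illustration (not from the original article), the following script computes the three intervals from incident records and averages them into MTTD, MTTR and mean dwell time. The incident records, their field names and the 200-day life cycle threshold helper (the same cut-off the breach-cost figures cited later in this article use) are constructed for this example; all timestamps are treated as naive UTC.

```python
"""Dwell time, MTTD and MTTR computed from incident records.

Constructed example: the incident timestamps below are invented. "compromised"
is the (usually forensic, estimated) time of initial access, "detected" is when
the SOC found the activity, "remediated" is when the threat was removed.
"""

from datetime import datetime, timedelta

# Constructed incident records (invented data, naive UTC timestamps).
INCIDENTS = [
    {"id": "INC-1", "compromised": "2019-11-01T08:00:00",
     "detected": "2019-11-03T08:00:00", "remediated": "2019-11-04T08:00:00"},
    {"id": "INC-2", "compromised": "2019-06-01T00:00:00",
     "detected": "2019-12-20T00:00:00", "remediated": "2019-12-30T00:00:00"},
    {"id": "INC-3", "compromised": "2019-10-10T12:00:00",
     "detected": "2019-10-10T18:00:00", "remediated": "2019-10-11T06:00:00"},
    {"id": "INC-4", "compromised": "2019-09-15T00:00:00",
     "detected": "2019-09-20T00:00:00", "remediated": "2019-09-22T12:00:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def validate(inc):
    """Reject records whose timeline runs backwards (bad data would otherwise
    produce negative intervals that silently lower the averages)."""
    c, d, r = _ts(inc["compromised"]), _ts(inc["detected"]), _ts(inc["remediated"])
    if not (c <= d <= r):
        raise ValueError(f"{inc['id']}: timestamps out of order")
    return c, d, r


def time_to_detect(inc):
    """Initial access -> detection (the per-incident input to MTTD)."""
    c, d, _ = validate(inc)
    return d - c


def time_to_remediate(inc):
    """Detection -> containment and removal (the per-incident input to MTTR)."""
    _, d, r = validate(inc)
    return r - d


def dwell_time(inc):
    """Initial access -> removal; equals time_to_detect + time_to_remediate."""
    c, _, r = validate(inc)
    return r - c


def _mean(deltas):
    if not deltas:
        raise ValueError("no incidents")
    return sum(deltas, timedelta()) / len(deltas)


def mttd(incidents):
    return _mean([time_to_detect(i) for i in incidents])


def mttr(incidents):
    return _mean([time_to_remediate(i) for i in incidents])


def mean_dwell(incidents):
    return _mean([dwell_time(i) for i in incidents])


def over_threshold(incidents, days=200):
    """IDs of incidents whose life cycle (compromise to remediation) exceeds
    the given number of days; 200 is the cut-off used in breach-cost studies."""
    return [i["id"] for i in incidents if dwell_time(i) > timedelta(days=days)]


def report(incidents):
    """Metrics in days as plain floats, convenient for dashboards and tests."""
    day = 86400.0
    return {
        "mttd_days": mttd(incidents).total_seconds() / day,
        "mttr_days": mttr(incidents).total_seconds() / day,
        "mean_dwell_days": mean_dwell(incidents).total_seconds() / day,
        "over_200_days": over_threshold(incidents, days=200),
    }


if __name__ == "__main__":
    for key, value in report(INCIDENTS).items():
        print(f"{key}: {value}")
```

The averages are dominated by INC-2, the one long-lived intrusion; a median alongside the mean is worth reporting in practice so a single outlier does not hide improvement in the typical case.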

Security teams can overcome these challenges and more by adopting modern SOC technology, namely AI.

How Integrating Cybersecurity AI Helps Businesses

It’s a daunting task to overcome the above challenges, but they can be mitigated by empowering security analysts with artificial intelligence. When SOC analysts partner with cybersecurity AI, they benefit in many ways.

Improved Threat Detection and Investigation

Manually investigating security incidents is very time-consuming and results in inconsistent threat analysis. Analysts spend a lot of time collecting information about network, data and application activity, as well as users and identities, vulnerabilities, threats from endpoints and more. Next, they try to correlate this information to establish local context leading up to an incident. Needless to say, pulling information from many disparate systems is a tedious and time-consuming task that is prone to errors and inconsistencies.

AI brings structure to the investigation workflow: threat identification, context gathering, data enrichment, relationship building and prioritization. This greatly reduces the time analysts spend researching threats early in an investigation, because AI can complete tasks such as the following in a fraction of the time a human needs:

  • Identifying potential threats
  • Gaining local context
  • Performing threat research
  • Applying gathered intelligence to qualify an incident and rank alerts as high or low priority

When done manually, these tasks can take hours, days or even weeks to complete; AI can finish them in minutes.

Enriched Research and Intelligence Gathering

Security analysts also spend a lot of time conducting threat research and gathering intelligence from many internal and external sources before escalating for remediation. This can take anywhere from hours to months, and while analysts are swamped with the research needed to understand and qualify potential threats, those threats go unchecked in the environment.

Many AI solutions are able to enrich security alerts by mapping them to tactics and techniques in the MITRE ATT&CK framework. These deeper insights help analysts understand the specific tactics and techniques being used by threat actors and the corresponding stage in the ATT&CK life cycle. With these insights, analysts can anticipate next steps and determine the most effective way to get ahead of potential adversaries.
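An added example (not from the original article and not code from any IBM product) of the enrichment and prioritization steps described above and in the investigation task list earlier: each alert is mapped to an ATT&CK technique and the tactics it falls under, each host is scored on how many distinct tactics its alerts span (with business context for high-value assets), and the tactics later in the lifecycle are listed so an analyst can anticipate the adversary's next step. The detection names, hosts, alerts, high-value asset list and scoring thresholds are invented for this example; the technique and tactic IDs are real ATT&CK identifiers.

```python
"""Alert enrichment with MITRE ATT&CK context plus a simple triage priority.

Constructed example: detection names, hosts, alerts and thresholds are
invented; technique (Txxxx) and tactic (TAxxxx) IDs are real ATT&CK IDs.
"""

from collections import defaultdict

# Subset of ATT&CK tactics in rough adversary-lifecycle order (real IDs).
TACTIC_ORDER = [
    ("TA0001", "Initial Access"),
    ("TA0002", "Execution"),
    ("TA0003", "Persistence"),
    ("TA0004", "Privilege Escalation"),
    ("TA0006", "Credential Access"),
    ("TA0008", "Lateral Movement"),
    ("TA0010", "Exfiltration"),
]
TACTIC_NAME = dict(TACTIC_ORDER)
TACTIC_INDEX = {tid: i for i, (tid, _) in enumerate(TACTIC_ORDER)}

# Technique ID -> (name, tactics the technique appears under). Real ATT&CK IDs.
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002"]),
    "T1053": ("Scheduled Task/Job", ["TA0002", "TA0003", "TA0004"]),
    "T1110": ("Brute Force", ["TA0006"]),
    "T1003": ("OS Credential Dumping", ["TA0006"]),
    "T1021": ("Remote Services", ["TA0008"]),
    "T1041": ("Exfiltration Over C2 Channel", ["TA0010"]),
}

# Detection name -> technique. Names are invented; in a real SOC this mapping
# is carried as metadata on the detection rules themselves.
DETECTION_TO_TECHNIQUE = {
    "Suspicious attachment opened": "T1566",
    "PowerShell encoded command": "T1059",
    "New scheduled task created": "T1053",
    "Multiple failed logons": "T1110",
    "LSASS memory access": "T1003",
    "Admin share logon from workstation": "T1021",
    "Large outbound transfer to rare IP": "T1041",
}

# Business context: assumed set of high-value assets (invented).
HIGH_VALUE_ASSETS = {"srv-db-01"}

# Constructed alerts as a SIEM might emit them (invented data).
ALERTS = [
    {"host": "ws-042", "detection": "Suspicious attachment opened"},
    {"host": "ws-042", "detection": "PowerShell encoded command"},
    {"host": "ws-042", "detection": "New scheduled task created"},
    {"host": "ws-042", "detection": "LSASS memory access"},
    {"host": "srv-db-01", "detection": "Multiple failed logons"},
    {"host": "ws-117", "detection": "Multiple failed logons"},
    {"host": "ws-117", "detection": "Printer spooler restarted"},  # no mapping
]


def enrich(alert):
    """Attach technique and tactic context to one alert. Detections without a
    mapping get an empty tactic list rather than raising, so they still flow."""
    tid = DETECTION_TO_TECHNIQUE.get(alert["detection"])
    name, tactics = TECHNIQUES.get(tid, (None, []))
    return {**alert, "technique_id": tid, "technique_name": name, "tactics": list(tactics)}


def tactics_by_host(alerts):
    """Distinct tactics observed per host, sorted in lifecycle order."""
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert["host"]].update(enrich(alert)["tactics"])
    return {h: sorted(t, key=TACTIC_INDEX.__getitem__) for h, t in seen.items()}


def prioritize(alerts):
    """High priority when a host shows progression across 3+ tactics or any
    exfiltration; high-value assets are weighted one tactic heavier."""
    result = {}
    for host, tactics in tactics_by_host(alerts).items():
        score = len(tactics) + (1 if host in HIGH_VALUE_ASSETS else 0)
        result[host] = "high" if score >= 3 or "TA0010" in tactics else "low"
    return result


def likely_next_tactics(alerts, host):
    """Tactics later in the lifecycle than the furthest one seen on the host,
    i.e. what an analyst should hunt for next."""
    observed = tactics_by_host(alerts).get(host, [])
    if not observed:
        return []
    furthest = max(TACTIC_INDEX[t] for t in observed)
    return [tid for tid, _ in TACTIC_ORDER[furthest + 1:]]


if __name__ == "__main__":
    chains = tactics_by_host(ALERTS)
    for host, prio in prioritize(ALERTS).items():
        seen = ", ".join(TACTIC_NAME[t] for t in chains[host]) or "none"
        nxt = ", ".join(TACTIC_NAME[t] for t in likely_next_tactics(ALERTS, host)) or "none"
        print(f"{host}: {prio} | observed: {seen} | watch for: {nxt}")
```

Grouping by host rather than scoring alerts one at a time is the point: four individually low-severity alerts on ws-042 become high priority once they are seen to walk from Initial Access through Credential Access, while a single brute-force alert on the database server stays low until something else confirms it.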

Increased Analyst Productivity and Morale

When security analysts leverage artificial intelligence, it increases analyst productivity and streamlines threat detection and investigation processes, saving a significant amount of analyst time. AI does the leg work for analysts and helps them work smarter by taking over the most time-consuming and cumbersome parts of the threat investigation process, such as threat intelligence mapping, local data gathering, associating business context with potential security alerts, assessing high-value assets being targeted and more.

This frees security analysts to focus on more strategic issues, higher-level alerts and proactive threat hunting, which improves protection against cyberattacks. Automating repetitive SOC tasks with AI lets analysts concentrate on the parts of an investigation that need human judgment, and makes the investigation process faster and more consistent.

Lower Cost of Security Breaches

By improving the overall security posture of an organization, AI also lowers the costs associated with security breaches. Reducing dwell times means attacks are identified and resolved in a shorter amount of time, minimizing the impact of security breaches. According to the Ponemon Institute’s 2019 Cost of a Data Breach Report, “… the faster a data breach can be identified and contained, the lower the costs. Breaches with a life cycle less than 200 days were on average $1.22 million less costly than breaches with a life cycle of more than 200 days ($3.34 million vs. $4.56 million respectively), a difference of 37 percent.”

The report also finds that businesses deploying automated security solutions with AI, machine learning, analytics and automated incident response “saw significantly lower costs after experiencing a data breach.”

Add Value to Your SOC With Artificial Intelligence

In summary, when security analysts partner with artificial intelligence, the benefits include streamlined threat detection, investigation and response processes, increased productivity, and improved job satisfaction — analysts spend more time doing what they enjoy most and the cost of security breaches decreases. AI can add value to your security team by helping your analysts perform their jobs more effectively and efficiently.

Lolita Chandra
Sr. Product Marketing Manager

Lolita Chandra is a Senior Product Marketing Manager for QRadar Advisor with Watson at IBM Security. She is a seasoned solutions and product marketing profes...