Obstacles to stronger cybersecurity
The three biggest obstacles to stronger cybersecurity are all about skills and resources: lack of skilled employees, followed by lack of budget and lack of security awareness among employees.
The skills gap was not created just by a lack of proficient security professionals. The exponential growth in connected devices means the amount of work required to monitor and analyze all of them has grown in parallel.
My personal experience is that we have made it too difficult for some very smart people to enter our industry while asking some very talented people who are already in cybersecurity to take on a larger amount of busy work.
Investment priorities
To address evolving security needs in the coming year, most organizations plan to train and certify existing IT staff to become security experts. Most cybersecurity professionals started their careers in IT and then migrated toward cybersecurity over time, usually out of personal interest and self-taught ability. There is something to be said for real-world training.
However, we can’t rely on just career professionals; we also need new recruits in truly entry-level roles. We need our schools to start building the security analysts of tomorrow.
What we have discovered about AI is that it not only reduces the workload for existing security staff, but it also reduces the barrier of entry to security.
Most critical security skills
Attacks frequently compromise organizations, and fast response is the only hope to reduce the impact. Performing incident response effectively is a complex undertaking requiring a high level of knowledge and a lot of work. Establishing clear procedures for prioritizing the handling of incidents is critical, as is implementing effective methods of collecting, analyzing, and reporting data.
Without a well-trained and capable staff, incident detection and analysis will be conducted inefficiently, and costly mistakes will be made. Augmenting existing analysts and junior staff with AI, to create repeatable processes and the ability to manage large volumes of data at scale, is the best way to combat this problem.
The trick is to understand the correct way to apply machine learning and what problem you are trying to solve. The wrong tool can increase the time to accomplish a task, waste valuable resources, or worse. Leveraging the power of machine learning is no different.
Use attack complexity to your advantage.
So how does all this data science really ensure we find attackers? It boils down to visibility of the entire attack lifecycle, which becomes a big data problem well suited to data science. Fundamentally, all attacks perform many of the same behaviors, because there is a certain sequence of events they must follow to succeed.
By looking for all the behaviors that an attacker could perform across the entire attack lifecycle, we dramatically increase the probability of detecting attacks.
The more behaviors that are detected, the better the awareness of the attack. By combining behaviors, we also move away from a purely human-based decision-making process for deciding what is an incident.
Cognito prioritizes the highest risks
Prioritizing the handling of the incident is perhaps the most critical decision point in the incident handling process. Handling should be prioritized based on the relevant factors.
The outcome of the combination of multiple methods of data science is the ability to instantly extract the attacks that truly matter from the rest of the noise in the organization, real or not. Machine intelligence detects events, triages those events to a single host, and then prioritizes the ones that matter most for fast analysis.
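As an added illustration of the approach described above (behaviors combined across the attack lifecycle, rolled up to a single host, then ranked), the following is example code, not Vectra's Cognito algorithm; the phase ordering, the sample detections and the weighting formula are all constructed for this example.

```python
from collections import defaultdict

# Assumed attack lifecycle ordering: later phases mean the attacker is
# closer to the objective. Constructed for this example.
PHASES = ["command_and_control", "reconnaissance", "lateral_movement", "exfiltration"]

# Constructed sample detections: (host, lifecycle phase, behavior, certainty 0..1)
DETECTIONS = [
    ("ws-042", "command_and_control", "hidden_http_tunnel", 0.8),
    ("ws-042", "reconnaissance", "internal_port_scan", 0.7),
    ("ws-042", "lateral_movement", "suspicious_admin_share", 0.9),
    ("ws-017", "reconnaissance", "internal_port_scan", 0.6),
    ("db-003", "exfiltration", "large_outbound_transfer", 0.5),
]


def score_hosts(detections):
    """Triage behaviors to the host and score each host 0..100.

    Distinct lifecycle phases observed count for far more than repeated
    hits in a single phase, which is the point of combining behaviors.
    """
    hosts = defaultdict(lambda: {"phases": set(), "certainty": 0.0})
    for host, phase, _behavior, certainty in detections:
        hosts[host]["phases"].add(phase)
        # Keep the strongest single detection as the host's certainty
        hosts[host]["certainty"] = max(hosts[host]["certainty"], certainty)

    scored = {}
    for host, h in hosts.items():
        coverage = len(h["phases"]) / len(PHASES)           # breadth of lifecycle seen
        depth = (max(PHASES.index(p) for p in h["phases"]) + 1) / len(PHASES)  # progress
        certainty_factor = 0.5 + 0.5 * h["certainty"]       # never zero out a real hit
        scored[host] = round(100 * coverage * depth * certainty_factor)
    return scored


def prioritize(detections):
    """Return hosts ordered from highest to lowest risk score."""
    scored = score_hosts(detections)
    return sorted(scored, key=lambda host: scored[host], reverse=True)


if __name__ == "__main__":
    for host in prioritize(DETECTIONS):
        print(host, score_hosts(DETECTIONS)[host])
```

Note that ws-042 ranks first on breadth and progression even though no single detection on it is the "loudest", while the repeated scan on ws-017 does not raise its score, which is the behavior-combination effect the text describes.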
Improve incident response
Containment is very important. A good containment strategy provides time for the security team to develop a remediation strategy. An essential part of containment is decision-making.
Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. You need well-defined playbooks and options for response based on the type of incident. By providing the right context about an attack right when it happens, AI provides the intelligence needed to make decisions about what the right containment strategy is.
The best place to perform containment is within the existing infrastructure already in place and to drive intelligence into that infrastructure to create an intelligent incident response process.
Workload reduction on analysts
When AI or machine learning is the foundation behind a product, the promises that the product makes should be specific and measurable. The power of these technologies is in the numbers.
Man + machine delivers real world efficiency
The results speak for themselves. Across every type of organization, there is a measurable trend: organizations that have implemented AI to automate tedious incident response tasks have augmented their SOC manpower.
About the Author
Chris Morales is head of security analytics at Vectra, where he advises on and designs cyberattack detection and response programs for large enterprise customers. With nearly two decades of information security experience, Chris is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.