Every day, it seems, we read headlines about a new data breach or cyberattack. Then we talk about how to improve cybersecurity to prevent similar attacks from happening in the future. Chief among the issues to address is a lack of security personnel to fill vacant positions: How can we improve security if we don’t have the people to perform the work?
To uncover how to improve security, we must first consider that the way we perform security operations is broken. Security operations teams — often part of a centralized security operations center — are responsible for defending a given organization from the latest emerging threats. Teams of analysts monitor intelligence sources, including the news, social media, vendor intelligence partners and the FBI’s publicly available guidance, for information about potential new cyberattacks that might target their organization. We have supported our humans thus far with a complex deployment of layered cybersecurity defenses. This approach has proven to be fairly unsuccessful.
One way security operations teams can improve their ability to identify and combat threats is by improving the speed with which they process and react to those threats. Introducing speed into today’s security environment requires artificial intelligence (AI).
Human scale does not meet today’s cybersecurity demand
Analysts must collect information then quickly turn that data into something they can use — threat detection, response and remediation. Currently, this process is a manual, human analyst-driven activity that often takes too much time to complete: Just 33% of respondents to the 2016 SANS Institute Incident Response Survey reported they were able to remediate events in less than one day.
By some estimates, the average data breach now costs organizations $4 million, a sure sign that closing the gap between event occurrence and remediation should be a priority. To close the gap, companies are investing more heavily in information security, especially in the areas of security testing and data loss prevention. Organizations are making these investments in technology and security infrastructure in part to make up for the lack of humans to fulfill security analyst roles.
Yet, even if enough human security analysts existed to fill the open positions, the work humans do cannot scale to deal with the amount of attacks we see today. Security operations is at a tipping point. We do not have the capacity to process the amount of threats the average organization sees today. To keep pace, we must lean on machine learning technology and artificial intelligence.
AI’s maturity means it’s ready for security
Due to recent innovations in the last few years, AI is finally technically mature enough to apply to a security environment. Specifically, deep learning is far enough in its development to push us past this tipping point. Deep learning allows computers to go through large amounts of data and find abnormalities. The abnormalities a deep learning algorithm detects in a cybersecurity environment represent potential threats. The progress we’ve made with deep learning is important — computers endowed with the technology can collect, analyze and disseminate information much faster than a team of human security analysts can.
Human brains aren’t designed to work through millions of computer log messages each day. Deep learning AI is designed to do just that. Security operations teams can teach machine learning algorithms, via deep learning, to accelerate the process of what a security operations analyst would do, by a factor of 100 or even 1,000 in terms of time and efficiency. That 1,000-fold improvement is what operationalized speed looks like in a cybersecurity environment.
Organizations can start operationalizing speed today
Organizations can begin to operationalize speed in their security operations teams today. They must create an environment that supports and ingrains artificial intelligence, specifically deep learning-enabled algorithms. The following recommendations detail steps the heads of security can take toward operationalizing speed via AI:
- Develop a security big data lake. Organizations can train algorithms with existing data so that they will be better equipped to collect and analyze incoming threat data in the future.
- Implement data fusion. Once security operations teams establish a data lake — a holding tank for collecting and storing threat data — they must also ensure this lake collects data from a number of different sources into one easily accessible place.
- Hire a data scientist, or involve data scientists in the security operations team. While security operations teams must lean on AI to make their tasks more efficient, they will still need someone trained to analyze and understand data to help the team grasp what it is seeing.
The lack of cybersecurity analysts, combined with the glut of data they must analyze, makes for a problem that scales beyond what humans alone can handle. Today’s security analysts spend too much time on events like common malware infections — events that should not require their time and energy — instead of the threats that matter. To alleviate this problem, security operations teams must improve the efficiency with which they identify and remediate threats. They cannot scale their speed to meet those threats without leaning heavily on artificial intelligence.
Security need only look at Netflix for inspiration
We believe organizations can bring the same AI innovations that allowed Netflix to revolutionize how we choose our entertainment to security operations and the millions of security events and alerts that need categorization and prioritization.
Once security analysts can investigate real threats, as opposed to sifting through endless streams of alerts to determine what is worth investigating, we’ll experience the improvements in security necessary to combat the multitude and complexity of threats we see today. Now, it is time to look forward to a bright future for those bold enough to take advantage of these developments and innovate in this new security paradigm.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.