
Deep dive: How AI empowers today’s security operations analysts


These are the droids you're looking for: Tireless, uncomplaining, able to work 24 hours every day, responding instantly to threats against an enterprise, service provider, or telco.

We're talking about artificial intelligence software, equipped with machine-learning algorithms, designed to work as part of a comprehensive security suite for the Security Operations Center (SOC).

“AI helps us go from hindsight to foresight,” says CA Technologies senior vice president Vinod Peris.

“If you take things like malware detection, they used to be pattern-based. You were matching some patterns. Now, you're trying to actually look at behaviors: behaviors of applications, behaviors of endpoints.”

After pattern matching, the next step was moving from behaviors to anomalies.

“When you look at the SOC, there are certain areas where AI can help,” says security innovator Demisto's CEO, Slavik Markovich.

“First of all is identifying the needle from the haystack. That's one of the easiest things you would do with AI, because AI is used to take a lot of data and cluster it, and classify it, and try to find the outliers.”

Another application of AI, says Markovich, is to reduce the repetitive workload for security analysts.

“Once an analyst identifies an alert, there are a lot of mundane tasks where you basically do the same thing over and over again, like get the reputation of a certain IP, check the provenance of a file, check logs, and all of those things.”

AI can do those tasks instead.

“This is something AI is really good at, by looking at already-existing actions in the history and learning from them, and then feeding it back to the analyst whenever it's needed.”

Security startup JASK CMO Greg Fitzgerald agrees about AI helping SOC analysts and adds that algorithms can augment the decision-making process.

“For example, AI can correlate disparate alerts and events that may be happening in different locations or at different severity levels that a human may not even pay attention to,” he says.

“So, AI captures all that, creates the links between those different alerts, and is able to aggregate those into things we actually call an insight.”

“An insight is a collection of the activity that a human can use subjective capability to determine: ‘This is relevant for me and my organization at this time.’”
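Fitzgerald's description of linking disparate alerts into an "insight" is, at its core, an entity-and-time correlation problem. The following is an added example, not code from JASK or from the original article: it groups constructed sample alerts from different sensors, sites and severity levels whenever they share a user or host within a time window, then scores and ranks the resulting insights so that a chain of individually low-severity alerts can outrank a single high-severity one. The alert fields, severity weights and scoring rule are all assumptions made for the example.

```python
"""Correlate disparate SOC alerts into ranked "insights" (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed severity weights; a real SOC would tune these to its own alert sources.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}

# Constructed sample alerts from three sensors at three sites (hypothetical data).
SAMPLE_ALERTS = [
    {"id": "a1", "ts": "2024-05-01T09:00:00", "source": "edr", "site": "singapore",
     "severity": "low", "host": "ws-114", "user": "jlee", "type": "new_scheduled_task"},
    {"id": "a2", "ts": "2024-05-01T09:07:00", "source": "proxy", "site": "singapore",
     "severity": "low", "host": "ws-114", "user": "jlee", "type": "rare_domain"},
    {"id": "a3", "ts": "2024-05-01T09:20:00", "source": "idp", "site": "sydney",
     "severity": "medium", "host": None, "user": "jlee", "type": "impossible_travel"},
    {"id": "a4", "ts": "2024-05-01T14:00:00", "source": "edr", "site": "tokyo",
     "severity": "high", "host": "srv-02", "user": "svc_backup", "type": "credential_access"},
    {"id": "a5", "ts": "2024-05-02T03:00:00", "source": "proxy", "site": "tokyo",
     "severity": "low", "host": "ws-301", "user": "mkim", "type": "rare_domain"},
]


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def _linked(a, b, window):
    """Two alerts are linked if they share a user or host and fall within the window."""
    if abs(_ts(a) - _ts(b)) > window:
        return False
    return any(a[key] and a[key] == b[key] for key in ("host", "user"))


def build_insights(alerts, window_minutes=60):
    """Group linked alerts (transitively, via union-find) and rank the groups by score."""
    window = timedelta(minutes=window_minutes)
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if _linked(alerts[i], alerts[j], window):
                parent[find(j)] = find(i)

    groups = defaultdict(list)
    for i, alert in enumerate(alerts):
        groups[find(i)].append(alert)

    insights = []
    for members in groups.values():
        members.sort(key=_ts)
        sources = {a["source"] for a in members}
        entities = {a[k] for a in members for k in ("user", "host") if a[k]}
        # Assumed scoring rule: summed severity, multiplied by the number of
        # independent sensors that agree. Corroboration across sources is the
        # signal a single-alert view would miss.
        score = sum(SEVERITY_WEIGHT[a["severity"]] for a in members) * len(sources)
        insights.append({
            "alert_ids": [a["id"] for a in members],
            "entities": sorted(entities),
            "sources": sorted(sources),
            "sites": sorted({a["site"] for a in members}),
            "first_seen": members[0]["ts"],
            "last_seen": members[-1]["ts"],
            "score": score,
        })
    insights.sort(key=lambda ins: ins["score"], reverse=True)
    return insights


if __name__ == "__main__":
    for ins in build_insights(SAMPLE_ALERTS):
        print(ins["score"], ins["alert_ids"], ins["entities"], ins["sites"])
```

Note that linkage is transitive: `a3` never shares a host with `a1`, but it shares the user and lands in the same insight through the chain, which is exactly the cross-site, cross-severity aggregation the quote describes. The window check is pairwise, so a long chain of alerts can span more than one window; tighten that if it produces over-broad insights on real data.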

Key AI technologies for the SOC

Researchers have developed dozens of AI technologies, algorithms, models, and learning techniques.

Two of the most commonly used in the security field are machine learning and predictive analytics.

Machine learning is a data-intensive technique that lets software progressively improve performance on specific tasks, particularly those involving classification of data, and predictions about future events.

In the AI domain, predictive analytics is used to swiftly detect anomalies or new patterns in the data, and make recommendations based on those anomalies and patterns.

Demisto's Markovich adds that security sometimes uses unguided (unsupervised) deep learning, which is based on neural networks, alongside the guided (supervised) techniques above.

Deep learning, which comes closer to mimicking human judgment than conventional machine learning, can produce results similar to what a human SOC analyst would do.

At the end of the day, there's a commonality: “Some software gets a lot of samples, and then based on various attributes classifies them,” explains Markovich.

“Others look at lots and lots of events, and then try to correlate and find the right things to do. Companies like Demisto look at analysts' intents and actions and derive the value from there.”

It's all changing the world, says AISense CEO and founder Sam Liang.

AISense is focusing on using AI and speech recognition to create intelligent and contextually-aware mobile tools to enhance professional productivity.

Liang says, “AI is changing people's lives in a lot of different perspectives in terms of speech recognition, image recognition, and medical imaging.”

AI can analyze an MRI or X-ray scan to quickly detect cancer, or correlate data to detect a malware incursion or a hacker's attack long before a human analyst would sense that something's wrong, he adds.

Faster time to triage

JASK's Fitzgerald agrees that AI is speeding up the detection of problematic events.

“The biggest impact that AI is making in the SOC is faster time to triage, because in the end, that's exactly what the human is trying to do.”

“We see lots of reports that talk about a compromise that hasn't been found for 100 days, 150 days, or more.”

AI is cutting that time-to-detection from months to minutes, he adds.

“When you look at detection, there's a mass of events out there and it's almost impossible for a human to look at all of them.”

“AI is doing a pretty decent job in highlighting what's interesting.”

Still, Markovich points out, AI can't do the job alone.

“We're not in a place where you can take the human out of the equation. AI can highlight the right stuff, but then allow the human to actually look at it, interact with it, and decide if it's a real incident or a false positive.”

CA Technologies' Peris says, “If you have a SOC issue, the first thing people do is get on a call and they try to figure out what's the root cause and go through the analysis.”

“With AI, you could have this at your fingertips, hopefully even before that issue happens.”

Peris adds that AI will play multiple roles in protecting networks, applications – and people. “Facebook recently had to put in place a system that could look at and prevent fake news. They hired 10,000 people for this.”

“What AI will eventually do is allow machines to do that first level of analysis, so it will cut down the number of people that you need.”

What's next for AI in security

CA Technologies' Peris sees a bright future for endpoint behavioral analytics.

“If somebody steals your password, unless they know your exact access patterns, your system can detect that it's not you through behavioral analytics.”

“Similarly, you can do the same thing for applications.”

“If you knew the application's behavior, and let's say we as application developers gave you a signature of the application's behavior, you could factor that in to figure out when an application is compromised.”
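Both of Peris's cases, a stolen password used outside the owner's normal access pattern and an application drifting from a developer-supplied behavior signature, reduce to the same mechanism: build a per-subject baseline of how often each observable feature takes each value, then score a new observation by how many of its features are unseen or rare. The example below is added here and is not CA Technologies' product code or part of the original article; the user login history, the "signature" format for the application, the feature names and the rarity threshold are all constructed assumptions.

```python
"""Behavioral-baseline anomaly scoring for accounts and applications (added example)."""
from collections import Counter

RARE_FRACTION = 0.1  # assumed: a value seen in under 10% of baseline events counts as rare


class BehaviorProfile:
    """Per-subject baseline: for each feature, how often each value was observed."""

    def __init__(self, features):
        self.features = features
        self.counts = {f: Counter() for f in features}
        self.total = 0

    def observe(self, event):
        for f in self.features:
            self.counts[f][event[f]] += 1
        self.total += 1

    def score(self, event):
        """Return (score, reasons): +1.0 per never-seen value, +0.5 per rare value."""
        score, reasons = 0.0, []
        for f in self.features:
            seen = self.counts[f].get(event[f], 0)
            if seen == 0:
                score += 1.0
                reasons.append(f"{f}={event[f]!r} never seen in baseline")
            elif seen / self.total < RARE_FRACTION:
                score += 0.5
                reasons.append(f"{f}={event[f]!r} rare in baseline")
        return score, reasons


def build_profiles(history, features, subject_key):
    """Group historical events by subject (a user or an app) into profiles."""
    profiles = {}
    for event in history:
        profiles.setdefault(event[subject_key], BehaviorProfile(features)).observe(event)
    return profiles


def is_anomalous(profile, event, threshold=1.5):
    """Assumed decision rule: two or more unusual features, or one unseen plus one rare."""
    return profile.score(event)[0] >= threshold


# --- Case 1: account access patterns (constructed login history for user "jlee") ---
USER_FEATURES = ("hour_bucket", "country", "device")
USER_HISTORY = (
    [{"subject": "jlee", "hour_bucket": "office", "country": "SG", "device": "laptop-jlee"}] * 19
    + [{"subject": "jlee", "hour_bucket": "evening", "country": "SG", "device": "phone-jlee"}]
)
NORMAL_LOGIN = {"hour_bucket": "office", "country": "SG", "device": "laptop-jlee"}
EVENING_LOGIN = {"hour_bucket": "evening", "country": "SG", "device": "phone-jlee"}
# A valid password presented from an unfamiliar place, time and device ("ZZ" is a
# placeholder country code, not a real one).
FOREIGN_LOGIN = {"hour_bucket": "night", "country": "ZZ", "device": "unknown-device"}

# --- Case 2: application behavior against a developer-supplied signature ---
# Assumed signature format: one row per expected behavior of the application.
APP_FEATURES = ("dest", "child_proc", "write_dir")
APP_SIGNATURE = [
    {"app": "invoice-svc", "dest": "db.internal", "child_proc": "none", "write_dir": "/var/lib/invoice"},
    {"app": "invoice-svc", "dest": "mail.internal", "child_proc": "none", "write_dir": "/var/lib/invoice"},
]
OBSERVED_APP_EVENT = {"dest": "db.internal", "child_proc": "/bin/sh", "write_dir": "/tmp"}


if __name__ == "__main__":
    jlee = build_profiles(USER_HISTORY, USER_FEATURES, "subject")["jlee"]
    for login in (NORMAL_LOGIN, EVENING_LOGIN, FOREIGN_LOGIN):
        print(login, jlee.score(login), is_anomalous(jlee, login))
    invoice = build_profiles(APP_SIGNATURE, APP_FEATURES, "app")["invoice-svc"]
    print(OBSERVED_APP_EVENT, invoice.score(OBSERVED_APP_EVENT), is_anomalous(invoice, OBSERVED_APP_EVENT))
```

The point of the rarity tier is to avoid punishing the occasional evening phone login that a real user does make, while still flagging a login where every feature is new at once. The same `BehaviorProfile` treats a developer's signature as the baseline for an application, so a familiar database destination scores nothing while an unexpected child process and a write outside the declared directory each count in full.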

Demisto's Markovich says there will be more optimization – faster algorithms, more accuracy, fewer false positives.

“The big bet is actually in unsupervised learning or deep learning. Throw a bunch of events on enough computing power to let AI learn by itself.”

“That will eventually get to a place where AI can actually identify the real positives and not false positives.”

This level of deep learning might be 20 years away, says Markovich, but “that would be the real game-changer.”

JASK's Fitzgerald believes that “AI for SOC will expand beyond just the analytics of the alerts, and the logs, and the information that's being ingested and head into the ability to respond without human supervision.”

“In the next couple of years, the SOC analyst will start to trust the decisions that are being made,” adds Fitzgerald, “and allow AI to automatically make the configurations that rectify the situation without the analyst's involvement, but with the analyst's supervision.”
