Dark Reading is part of the Informa Tech Division of Informa PLC


Security Management

10/10/2019
12:00 PM
Justin Fier

Encoding the Analyst: Why AI Security Tools Are Thinking Like an Expert – Only Faster

Despite our best efforts, human defenders simply cannot process information at machine-speeds - and cyber-criminals are taking advantage. When human knowledge meets AI's precision, Cyber AI can augment the human at every stage of safeguarding the digital business.

We're firmly in a brave new world of cyber defense. Soldiers now fight with ones and zeros and the digital enterprise is the new battleground. Both sides are arming up, trying to stay one step ahead of their opponent. But despite our best efforts, human defenders simply cannot process information at machine-speeds — and cybercriminals are taking advantage.

Whereas security teams take an average of 196 days to identify a data breach, modern strains of ransomware can encrypt an entire digital infrastructure in minutes, a disparity that illuminates why a data breach on average costs US businesses $3.92 million. Neither humans nor machines can overcome this fundamental challenge — at least, not alone. Rather, the solution requires synthesizing the intuition and knowledge of human professionals with the speed and precision of artificial intelligence.

Information overload
For one, investigating threats is time-consuming, and time is a resource increasingly in short supply for the teams tasked with containing them. When confronted with a fast-acting threat, security professionals have mere moments to discern its nature and assess what response is necessary. And yet identifying this pressing threat amongst the countless alerts generated by an organization's numerous tools is like finding a needle in a haystack.

It's no wonder that nearly three-quarters of security teams report alert fatigue. Between managing various security tools, triaging incoming alerts, and attempting to respond to threats at the speed at which cybercriminals target businesses, analysts are racing to keep up. By the time an analyst encounters a genuine threat, they may have already run out of time.

The abundance of alerts is due in part to the intrinsic shortcomings of conventional security tools, which rely on black-and-white "rules" to detect threats. Such rule-based tools are limited to two equally sub-optimal strategies: either the rules they use to trigger alerts are extremely specific, flagging only a limited number of predefined threats, or they cast a wide net, catching lots of threats but generating a huge number of false positives. Most tools opt for the latter approach, leaving urgent security incidents buried under a mountain of irrelevant information.

Piecing the puzzle together
Further complicating matters is the fact that these conventional tools are, for the most part, designed to protect individual devices and applications, rather than an entire business holistically. This reality leaves the majority of security teams overwhelmed by point solutions that can detect threats to email, cloud, or IoT, but which fail to provide a complete understanding of a business's vulnerabilities.

This dynamic understanding is critical to differentiate a genuine threat from the noise of a network. A normal data transfer for an executive could indicate insider threat for an intern, and normal communications for a CCTV camera may be highly abnormal for a video-conferencing camera. That nuance and difference can't be captured without self-learning cyber AI.

Just one advanced threat can generate dozens of alerts across these numerous point solutions. Piecing these alerts together well enough to understand and respond to the threat can take days, even for experienced professionals. Security teams need technology that is not only capable of understanding what is normal for each unique user across the entire digital infrastructure, instead of applying uniform rules to individual devices, but that can also help teams piece these alerts together.

Where human meets machine
In the face of complex digital infrastructures, advanced attacks and a multitude of alerts, humans can't be expected to keep up.

Through its ability to learn "normal" for each unique user within a business, Bayesian AI can correlate hundreds of weak indicators of compromise to avoid false positive alerts, automatically prioritizing threats and allowing for rapid triaging. While AI offers speed, scale and precision, human intuition and knowledge are still critical to effectively piece together the story of an attack, which is why the Cyber AI Analyst learned from more than a hundred world-class human analysts for three years.
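The two ideas above (a per-user notion of "normal" instead of a uniform rule, and correlating several weak indicators before raising an alert) can be shown with a small, self-contained script. This is an added example, not Darktrace's code or its Bayesian model: it uses a plain z-score over constructed transfer history as a stand-in for "learning normal", and counts corroborating weak indicators (unusual volume, unusual hour, unseen destination) before alerting. All users, hosts and numbers are constructed for illustration.

```python
"""Per-user baselining vs. a uniform rule, plus weak-indicator correlation.
Hypothetical example with constructed data; not a vendor's algorithm."""
from statistics import mean, pstdev

# Constructed history of "normal" transfers, used to learn a per-user baseline.
# Fields: (user, megabytes transferred, hour of day, destination host)
HISTORY = [
    ("ceo", 480, 10, "fileshare.corp"),
    ("ceo", 520, 11, "fileshare.corp"),
    ("ceo", 450, 14, "fileshare.corp"),
    ("ceo", 600, 15, "fileshare.corp"),
    ("ceo", 550, 16, "fileshare.corp"),
    ("intern1", 8, 9, "wiki.corp"),
    ("intern1", 12, 10, "wiki.corp"),
    ("intern1", 6, 11, "wiki.corp"),
    ("intern1", 10, 14, "wiki.corp"),
]

# Constructed new events to score: a routine executive transfer, an intern
# moving unusual volume to an unseen host late at night, and an intern
# transfer that is only slightly off (one weak indicator, no alert).
NEW_EVENTS = [
    ("ceo", 550, 13, "fileshare.corp"),
    ("intern1", 150, 23, "203.0.113.9"),
    ("intern1", 14, 17, "wiki.corp"),
]

UNIFORM_THRESHOLD_MB = 200   # a typical one-size-fits-all rule
Z_THRESHOLD = 3.0            # volume is "abnormal for this user" above this z-score
ALERT_SCORE = 2              # alert only when at least two weak indicators corroborate


def uniform_rule(events, threshold=UNIFORM_THRESHOLD_MB):
    """Conventional rule: flag any transfer over a fixed size, whoever made it.
    Flags the executive's routine transfer and misses the intern's anomaly."""
    return [user for user, mb, _hour, _dest in events if mb > threshold]


def learn_baselines(history):
    """Build a per-user profile: volume mean/stddev, hours seen, destinations seen."""
    by_user = {}
    for user, mb, hour, dest in history:
        profile = by_user.setdefault(user, {"mb": [], "hours": set(), "dests": set()})
        profile["mb"].append(mb)
        profile["hours"].add(hour)
        profile["dests"].add(dest)
    baselines = {}
    for user, profile in by_user.items():
        baselines[user] = {
            "mean": mean(profile["mb"]),
            # floor the stddev so a user with near-constant history does not
            # produce a division by zero or a wildly inflated z-score
            "std": max(pstdev(profile["mb"]), 1.0),
            "hours": (min(profile["hours"]), max(profile["hours"])),
            "dests": profile["dests"],
        }
    return baselines


def correlate(history, events, alert_score=ALERT_SCORE):
    """Score each event against its user's own baseline and alert only when
    several weak indicators line up; returns one result dict per event."""
    baselines = learn_baselines(history)
    results = []
    for user, mb, hour, dest in events:
        baseline = baselines.get(user)
        indicators = []
        if baseline is None:
            indicators.append("unknown_user")
        else:
            z = (mb - baseline["mean"]) / baseline["std"]
            if z > Z_THRESHOLD:
                indicators.append("volume")
            low, high = baseline["hours"]
            if not low <= hour <= high:
                indicators.append("hour")
            if dest not in baseline["dests"]:
                indicators.append("destination")
        score = len(indicators)
        results.append({"user": user, "mb": mb, "indicators": indicators,
                        "score": score, "alert": score >= alert_score})
    return results


if __name__ == "__main__":
    print("uniform rule flags:", uniform_rule(NEW_EVENTS))
    for result in correlate(HISTORY, NEW_EVENTS):
        print(result)
```

Run as-is, the uniform rule flags only the executive's normal 550 MB transfer (a false positive) and says nothing about the intern's 150 MB transfer; the per-user baseline does the opposite, and the intern's 14 MB transfer at an unusual hour stays below the alert score because a single weak indicator is not enough on its own.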

The AI Analyst also leverages unsupervised learning to "reason" on its own, functionally "thinking" like an analyst. Based on available evidence, it creates a hypothesis and then tests it, repeating this process as many times as it needs to arrive at a conclusion and then communicating that conclusion in the form of an easily understood narrative. This all happens at machine speed, buying back valuable time for security teams.

Accelerating time to meaning with AI
The World Economic Forum estimates that by 2020, the world will have lost $3 trillion from cybercrime. In the last year, a third of businesses have detected they have been attacked. But those are only the incidents that have been identified; countless breaches run undetected and uninvestigated across companies.

We cannot keep throwing more security tools or more security analysts at the same problems and expect to solve them. Security workflows are long overdue for an update. AI can close the "time to meaning" gap, sifting through alerts to compile a primary and actionable understanding of the most dangerous threats. It can investigate numerous threats at once and come to intelligent conclusions, enabling humans to focus their time on critical, high-level tasks. When human knowledge meets AI's precision, Cyber AI can augment the human at every stage of safeguarding the digital business.

— Justin Fier is Director of Threat Intelligence & Analytics at Darktrace.
