By Tom Le, CTO, Cognizant Security
Cybersecurity is one of the most pressing issues facing organizations around the world. In 2017 alone, U.S. companies averaged 40 security incidents at a cost of $1.3 million each.
While cybersecurity’s rising importance is spurring a wave of new technologies and innovations, humans are the ultimate masterminds behind cybersecurity defense, and talent is in short supply. According to the Information Systems Audit and Control Association (ISACA), cybersecurity job growth is expanding at three times the rate of overall IT jobs, and by 2019 the global shortfall of cybersecurity professionals will exceed two million unfilled positions.
Organizations can begin to close the skills gap by augmenting their workforce using artificial intelligence (AI) capabilities. AI is not intended to replace humans but instead offers a powerful combination of man and machine, designed to amplify human performance. One of the best examples of this is centaur versus supercomputer chess. While supercomputers beat humans at chess consistently, a centaur combines human intuition and creativity with a computer’s ability to remember and calculate millions of moves, countermoves and outcomes. As a result, amateur chess players with desktop computers consistently outperform both supercomputers and chess champions by a wide margin.
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), the use of stolen credentials was the most common method of obtaining unauthorized access. Previously, in the 2017 version of the same report, 81 percent of all breaches involved some type of user behavior activity.
However, monitoring thousands of malware-related and user activity events a day is time-consuming and tedious, leading to high turnover at the tier one security operations center (SOC) analyst level. Since not everything suspicious is malicious—and, in fact, most alerts are false positives—User Behavior Analytics (UBA) leverages AI to identify patterns and analyze anomalies, drastically improving the signal-to-noise ratio by flagging only those alerts that bear investigating.
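To make the UBA idea concrete, here is a small added example (not code from the article or from any Cognizant product): a per-user baseline of login hours and source countries, learned from a window of constructed sample events, is used to score later logins so that only a login that deviates on several attributes (the stolen-credential pattern the DBIR figures above point to) is surfaced to an analyst. The scoring weights and the three-hour window are assumptions chosen for illustration.

```python
# Added example: minimal per-user baseline scoring in the style of a UBA engine.
# All events below are constructed sample data, not real logs.
from collections import Counter, defaultdict

# Baseline window: (user, hour_of_day, source_country, outcome)
BASELINE = [
    ("alice", 9, "US", "ok"), ("alice", 10, "US", "ok"), ("alice", 14, "US", "ok"),
    ("alice", 16, "US", "ok"), ("alice", 11, "US", "fail"),
    ("bob", 8, "GB", "ok"), ("bob", 13, "GB", "ok"), ("bob", 18, "GB", "ok"),
    ("bob", 22, "GB", "ok"), ("bob", 9, "DE", "ok"),
]

# New events to triage: most are routine noise, one fits credential misuse.
NEW_EVENTS = [
    ("alice", 10, "US", "ok"),   # normal hour, usual country
    ("alice", 3, "RO", "ok"),    # off-hours AND never-seen country
    ("bob", 9, "DE", "ok"),      # country already in bob's baseline
    ("bob", 23, "GB", "fail"),   # single failed login from usual country
    ("carol", 12, "US", "ok"),   # no baseline yet for this user
]

def build_profiles(events):
    """Count the hours and source countries each user was seen from."""
    profiles = defaultdict(lambda: {"hours": Counter(), "countries": Counter()})
    for user, hour, country, _ in events:
        profiles[user]["hours"][hour] += 1
        profiles[user]["countries"][country] += 1
    return profiles

def score_event(profiles, event):
    """Assumed weights: unknown user 1, unusual hour +1, unseen country +2."""
    user, hour, country, _ = event
    if user not in profiles:
        return 1  # no baseline: low-confidence, not worth an analyst's time yet
    p, score = profiles[user], 0
    # Unusual hour: more than three hours (wrapping at midnight) from every
    # hour in the baseline.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > 3 for h in p["hours"]):
        score += 1
    if country not in p["countries"]:
        score += 2  # new source country is the stronger credential-theft signal
    return score

def triage(baseline, new_events, threshold=2):
    """Return (event, score) only for events that reach the alert threshold."""
    profiles = build_profiles(baseline)
    flagged = []
    for event in new_events:
        score = score_event(profiles, event)
        if score >= threshold:
            flagged.append((event, score))
    return flagged
```

Run over the constructed data, `triage(BASELINE, NEW_EVENTS)` returns only alice's off-hours login from an unseen country; the failed login and the unknown user stay below the threshold.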
This not only improves security and reduces human error but relieves workload and burnout, leading to greater job satisfaction. With an average turnover rate for SOC analysts at six to eight months, burnout is a serious issue as companies struggle to hire and retain talent. Ultimately, retaining tier one SOC analysts may become irrelevant as more sophisticated AI engines escalate salient alerts directly to tier two and three detective-level analysts. This will ease the burden of staffing tier one positions and reduce costs.
The use of AI can be extended beyond UBA as AI engines enable threat-monitoring programs to consistently apply the same analysis and rules across the same types of alerts by making recommendations based on specific attributes of an attack. These pattern detection recommendations involve a combination of AI and analytics and serve to highlight areas SOC analysts need to investigate and validate their decision-making. This is particularly useful for less experienced workers or those new to the industry. However, even two experienced analysts looking at the same alerts may come to two different conclusions. AI normalizes context across a high number of alerts and provides best practices to ensure the best result.
Organizations can evaluate the effectiveness of their current security efforts by identifying at what stage along the cyber kill chain attacks are detected. Early-stage detection enables companies to respond before a hacker enters the environment; alerts detected at later stages pose significantly greater risk. Given the volume of false positive events, most companies lack the capacity to analyze every event, especially during the reconnaissance or delivery phase of the kill chain. Event activity that raises an alert still requires analysts to identify those that warrant investigation.
However, AI is well-suited to examining an entire class of events, such as traffic logs and network flow records, which are often ignored by analysts during the early stages of an attack, and flagging those that require attention.
Injecting AI and analytics into the threat-monitoring process allows companies to evolve from a reactive to a proactive approach and address potential threats before they escalate.
If tier one SOC analysts are focused on addressing bona fide alerts instead of manually sifting through tens or hundreds of thousands of alerts to find a potential threat, the lower-level workforce can be reduced, and companies can hire more strategic-level cybersecurity talent that can perform other work throughout the organization. AI can also reduce infrastructure costs, since events no longer need to be sent to a SIM, log analysis or another environment that incurs storage, event processing and licensing fees. While AI will not magically solve every cybersecurity concern, when layered throughout the various threat-monitoring controls, it allows companies to more efficiently and cost-effectively defend themselves against ever more sophisticated cyberattacks that can impact all areas of an organization.