AI, Machine Learning, and Open-XDR Make it Easier
By Albert Zhichun Li, Chief Scientist, Stellar Cyber
Most enterprises and service providers are building security operations centers (SOCs) where a team of analysts evaluates and remediates cyberattacks. Traditionally, these SOCs use a dozen or more stand-alone security tools, each of which focuses on endpoints, the network, servers, users, applications, or other parts of the attack surface. This system results in hundreds or thousands of false-positive attack alerts, causing analyst “alert fatigue,” and forces analysts to manually correlate information from the siloed tools to determine whether complex attacks are real or false. This activity can make it a matter of weeks or months to respond to complex attacks.
Ideally, users would like a single security dashboard that accurately identifies complex attacks and automatically correlates inputs from multiple security tools to reduce false positives and reduce the time it takes to spot and remedy attacks. Today, some security software vendors are leveraging artificial intelligence (AI) and machine learning to find and correlate detections from across the entire attack surface and present them in an easily-digestible manner. Let’s look at how these technologies improve SOC operations.
A Day in the Life of a Security Analyst
In a large SOC, there are typically three levels of analysts:
- Level 1 analysts are triage specialists who monitor and evaluate incoming alerts and identify suspicious activity that merits attention, prioritization, and investigation.
- Level 2 analysts are incident responders, performing initial analysis and investigation into alerts, assessing the scope of the attack, and identifying and researching indicators of compromise (IOCs) for blocking or mitigating identified threats.
- Level 3 analysts are threat hunters, conducting malware analysis and network forensics and working proactively to recognize attackers and advanced persistent threat activities while working with key stakeholders to implement remediation plans.
How AI and Machine Learning Change the Picture
Here is how AI and machine learning in an intelligent SOC change the dynamics. For Level 1 analysts, an intelligent SOC can automate almost all of the monitoring and evaluation of incoming events. Today, Level 1 monitoring and identification of incoming threats rely on basic automation and event correlation over ingested logs. Machine learning and AI give the Level 1 analyst more data-driven event identification with higher accuracy, allowing precise categorization of specific threats and a more rapid response.
At Level 2, AI and machine learning can provide the analyst with an immediate assessment of the scope of the attack and sometimes can recommend initial steps for remediation. At Level 3, these technologies can reduce overall remediation dwell time, as machine learning and AI can immediately identify and correlate detections and forensics data to pinpoint malicious activity and implement protection measures.
With all teams looking at detections through a single dashboard, companies can use an intelligent SOC to eliminate manual event correlation and significantly speed the time to attack identification. AI can spot attacks and recommend steps to remediate them, and machine learning can make the intelligent SOC smarter over time because it learns and remembers attack scenarios so it can spot them more quickly the next time.
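As an added illustration (not code from the article or from Stellar Cyber's product), here is a minimal version of the cross-tool correlation step that a single-dashboard SOC relies on: alerts from three hypothetical tools with different schemas are normalized, grouped per host within a time window, and only incidents confirmed by more than one tool are surfaced to the analyst. The tool names, field names and alerts are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical siloed tools (EDR, NDR, IAM),
# each with its own field names, as a single-dashboard SOC would ingest them.
RAW_ALERTS = [
    {"tool": "edr", "hostname": "ws-042", "detected_at": "2024-05-01T10:00:05",
     "signature": "suspicious powershell"},
    {"tool": "ndr", "src_host": "ws-042", "ts": "2024-05-01T10:03:40",
     "rule": "beacon to rare domain"},
    {"tool": "iam", "device": "ws-042", "time": "2024-05-01T10:07:12",
     "event": "new admin role assigned"},
    {"tool": "ndr", "src_host": "ws-233", "ts": "2024-05-01T12:00:00",
     "rule": "dns tunneling heuristic"},
    {"tool": "ndr", "src_host": "ws-233", "ts": "2024-05-01T12:01:00",
     "rule": "dns tunneling heuristic"},
]
# Per-tool field names: (host field, timestamp field, description field).
SCHEMA = {"edr": ("hostname", "detected_at", "signature"),
          "ndr": ("src_host", "ts", "rule"),
          "iam": ("device", "time", "event")}

def normalize(alert):
    """Map a tool-specific alert onto one common shape."""
    host_f, time_f, desc_f = SCHEMA[alert["tool"]]
    return {"source": alert["tool"], "host": alert[host_f],
            "time": datetime.fromisoformat(alert[time_f]), "desc": alert[desc_f]}

def _incident(host, window):
    return {"host": host, "first_seen": window[0]["time"],
            "sources": sorted({a["source"] for a in window}),
            "alerts": [a["desc"] for a in window]}

def correlate(raw_alerts, window_minutes=15, min_sources=2):
    """Group alerts per host into time-windowed incidents and keep only those
    confirmed by at least `min_sources` independent tools; single-tool alerts
    (the usual false positives) are held back rather than shown as incidents."""
    by_host = defaultdict(list)
    for a in sorted(map(normalize, raw_alerts), key=lambda a: a["time"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, alerts in by_host.items():
        window = [alerts[0]]
        for a in alerts[1:]:
            if a["time"] - window[0]["time"] > timedelta(minutes=window_minutes):
                incidents.append(_incident(host, window))
                window = []
            window.append(a)
        incidents.append(_incident(host, window))
    return [i for i in incidents if len(i["sources"]) >= min_sources]
```

With the default threshold, the five raw alerts collapse to one incident on ws-042 spanning three tools, while the repeated single-tool DNS alerts on ws-233 stay below the bar.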
The Journey to the Intelligent SOC
So how can companies update their SOCs to intelligent SOCs? There are two scenarios.
In Scenario 1, the company buys intelligent SOC software from a vendor with a closed platform. These eXtended Detection and Response (XDR) platforms aggregate security tools obtained through internal development and acquisition, and implementing the platform means abandoning the existing security solutions your company is already using. This method causes disruption, impacts the company’s bottom line (because it is abandoning tools that are already paid for), and ties the company’s fortunes to that single vendor.
In Scenario 2, the company buys intelligent SOC software from a vendor with an open platform. These Open XDR platforms deploy non-disruptively, capture inputs from your existing security tools, and add their own capabilities to enhance detection, correlate events, and present them all in a single dashboard. This method saves money, reduces training time and disruption, and allows the company to choose the best-of-breed tools for its security infrastructure.
There are sharp contrasts between these two scenarios, and each should be considered carefully as your company makes the journey.
Intelligent SOC Advantages
Level 1 SOC analysts can see the results of ML/AI firsthand when organizations perform external pen testing and red team adversary simulation to validate that the SOC is correctly optimized for monitoring and identifying alerts. Although there has been some discussion as to whether ML/AI will start to replace human SOC analysts, industry experts agree that these deep learning tools can complement and improve your current SOC Level 2 staff’s ability to perform analysis and investigation to detect advanced threats. In a Crowd Research Partners survey conducted last year, more than 55 percent of the respondents cited their inability to detect advanced threats as the biggest challenge for SOCs.
ML/AI security tools can deliver substantial improvements in threat hunting, detection and forensics analysis for your Level 3 SOC analyst. This can translate into reduced dwell time, mean time to detect (MTTD) and mean time to remediate (MTTR). AI and machine learning will provide for a highly automated and efficient SOC that will empower analysts and eliminate complexity.
The Promise of an Intelligent SOC
To understand the promise of an intelligent SOC, let’s look at what it brings to the role of analysts at each level. For Level 1 analysts, automated orchestration provides rapid detection capabilities across multiple endpoint and network monitoring tools and components, all from a central location and single dashboard. This helps eliminate alert fatigue from false positives and makes it easier to quickly spot complex attacks. Some users report that thanks to an intelligent SOC, detection times for complex attacks have been reduced to minutes from days or weeks. Automated security orchestration will improve the efficiency of SOC processes and the identification of malicious activity, allowing Level 1 SOC analysts to forward potential security incidents that merit attention to Level 2 staff more quickly.
Level 2 analysts get the ability to remediate security challenges quickly and accurately. The intelligent SOC platform’s AI and machine learning capabilities deliver highly accurate detections and suggestions for how to remediate them. Automated orchestration enriches Level 2 SOC analysts with additional data and rapid remediation capabilities, leveraging multiple protection tools and components from a central location and single dashboard. These automated platforms will help scope events into true incidents for human responders.
Automated orchestration provides Level 3 SOC analysts with rapid evidence collection of simultaneous processes across multiple tools from a centralized location and a single dashboard. Most importantly, automation and orchestration can provide a more rapid response capability across multiple security components and tools whether they are on-prem or located in the cloud.
Intelligent SOCs bring dramatic improvements in a company’s ability to protect itself from ongoing attacks by consolidating and analyzing information from across all security tools, correlating detections found by multiple sources, and presenting attack information and remediation options in a single dashboard. For the sake of overall security protection, the journey to an intelligent SOC is one well worth taking.
About the Author
Albert Zhichun Li is the Chief Scientist at Stellar Cyber. He is a world-renowned expert in cybersecurity, machine learning (ML), systems, networking, and IoT. He is one of the few scientists known to heavily apply ML to security detection/investigation. Albert has 20 years of experience in security and has been applying machine learning to security for 15 years. Previously, he was the head of NEC Labs’ computer security department, where he initiated, architected, and commercialized NEC’s own AI-driven security platform. He has filed 48 US patents and has published nearly 50 seminal research papers. Dr. Li has a Ph.D. in system and network security from Northwestern University and a B.Sc. from Tsinghua University.
Albert can be reached online at email@example.com and at our company website http://stellarcyber.ai