Over the past few years, more and more businesses have incorporated artificial intelligence (AI) and machine learning into their products or services, which increasingly begs the questions, “Will AI replace human jobs?” and, “Should we all be worried?”
Even though AI is the newest culprit, concerns over technology replacing humans date back to the Second Industrial Revolution and beyond. When the economy shifted and farmers transitioned into more manufacturing and railroad jobs, society worried that they would see the end of the days where actual humans produced results, not machines.
Looking back now, we see that this societal shift was responsible for forming the foundation of how business is run today. Similarly, we have to change how we think when it comes to AI. As AI and machine learning continue to advance, they will act as a tool to slowly replace the more menial tasks and ultimately, improve human workers’ experiences.
This is true in a cybersecurity context. AI will probably take over more menial tasks—everything repeatable and systemic—rather than replace human jobs. According to a recent survey, 75 percent of cybersecurity professionals agreed that machine learning and AI could make their job easier or better. The same percentage agreed that AI and machine learning could help with security. Resource-strapped teams will be able to save time and energy and better identify threats. They also can help to prevent breaches before they cause thousands (or millions) of dollars in damages. Businesses that recognize AI as their ally will ultimately make their security teams more effective.
Moreover, Gartner reports that by 2020, 75% of organizations will experience visible business disruptions due to infrastructure and operations skills gaps. With general unemployment rates at their lowest levels in 50 years, a skills shortage is likely to persist. AI will be able to fill some of the gaps allowing security analysts to focus on fighting the growing number of cyberthreats.
Recently, a SANS Institute survey identified security organizations’ top three priorities as:
- Better investigation functions.
- More staff with investigative skills to conduct searches.
- An improved ability to search and discover data and information.
Let’s look at why AI is the perfect complement to a team of security analysts and their approach to security management.
Limitations of Legacy Resources
Over the past several years as the cyberthreat landscape has continued to evolve, businesses have turned to cybersecurity companies that offer security information and event management (SIEM) platforms. However, the surge in cyberattacks, shortage of qualified security analysts and the growing number of devices to protect have caused operational issues with legacy SIEM vendors. For example, SOC teams complain about time wasted chasing false positives, being unable to catch unknown threats, missing distributed attacks and having to investigate and remediate issues manually. Enterprises also might face excessive logging costs.
Security analysts rely on correlation rules to detect potential threats most of the time. For them to work, analysts need to know in advance what they’re looking for. As an example, an identity and access management (IAM) log rule might entail raising an alert if the same user account is created and deleted within 24 hours.
Unlike legacy resources, security teams equipped with AI technologies can eliminate the need for prior knowledge of attacker tactics and techniques. Utilizing machine learning, security teams can preprocess logs and combine them with other data sources to identify anomalous user and asset activities.
Why Raw Logs Are Not Enough
Modern businesses have a large and growing number of endpoint devices, applications and services, making it impossible to manage security and IT operations with network monitoring and logs alone. Unfortunately, it can take hours for security analysts to sift through a broader array of events manually. In addition, relying on raw logs runs counter to the top three priorities identified in the survey mentioned above.
Raw logs limit how much event information is portrayed to analysts and leads to false positives. However, machine learning, coupled with the addition of contextual data sources and threat intelligence, can enrich log data.
Using AI for Investigations
AI and machine learning technologies remove complexities from the threat detection experience for the entire security team. Using these technologies, junior analysts are given the opportunity to do investigations, freeing up senior analysts’ attention so they can focus on solving bigger problems.
Machine learning assists in the investigation process by focusing on specific events tied to a user or device. If the particular user or device is showing red flags, AI can determine whether the specific behavior goes above-established thresholds and describe the underlying behavior to cybersecurity professionals.
AI and machine learning allow security analysts to gain the following information from their logs:
- Identify anomalous behavior by users and on devices.
- Determine whether an account belongs to a real person or a computer program.
- Identify peer groups based on user behavior and interactions with the IT environment.
- Automate host-to-IP-mapping.
Lean on AI as an Ally
Not all security solutions are created equal. Organizations need to stop fearing the incorporation of AI and machine learning into security solutions and platforms. Not only will AI play a vital role in protecting the enterprise from an attack, but it also will ensure that security teams are not wasting their time on tedious tasks.
Several decades from now, when society looks back on how technology has changed, we hopefully will find that AI has become one of our greatest assets and allies in cybersecurity and beyond.