AI Offers Critical Assist to Incident Response

The security skills gap has limited what companies are able to do when it comes to incident investigation and response. And it isn’t just the lack of cybersecurity talent available to hire; security analysts already on staff may not have the specialized skills needed to meet the needs of the organization. The solution may be found in AI. At RSA 2021, Roy Katmor, GM, endpoint solutions, and Udi Yavo, CTO, endpoint solutions, both with Fortinet, explained what AI-based incident response can (and can’t) do to alleviate the skills gap.

Incident Response Process

To understand how AI handles incident response (IR), it helps to understand the incident response process. The Fortinet presenters broke the process into five stages:

  • Preparation. What are the best practices you want to follow?
  • Detection. What is the incident you’ll be tracking?
  • Investigation and Analysis. How can you best understand the incident and what it is doing within your system?
  • Containment and Eradication. What steps are necessary to contain or slow down the incident?
  • Post-Incident Activity. What was learned from the IR process and how does that improve the preparation stage for next time?

During the investigative stage, the goal is to classify the incident and determine if it is something malicious or a false positive. If it is malicious, the next step is to look at the scope of the incident, find out what part of the network infrastructure has been impacted and then determine how quickly it must be remediated. During the containment stage, the goal is to remove all traces of the incident and recover the system to return to business operations.

Why AI for IR?

For the IR process to be carried out effectively, it needs to be automated. Again, this comes down to the skills shortage and not having the necessary talent readily available, especially for SMBs. But response time is also critical, and machines respond faster and more thoroughly than humans. Response time needs to be faster and more scalable across the board, particularly when dealing with threats like ransomware. AI can be used to build a dataset collection consisting of both malicious and benign behaviors in the network. Building a good dataset is hard and requires many iterations, Katmor said, and different artifact types (URLs, databases, behavior patterns) require different datasets.

Machine learning is used to teach the AI model how to investigate incidents. In investigation training, ML classifies each artifact and moves it into a scoping phase, where the incident is either removed or expanded based on the classification. The information gathered and absorbed through ML is used by the AI throughout the entire investigative process. In the response stages, the AI model evaluates the artifacts classified during the investigation stage and then recommends the appropriate response.

AI Can’t Act Alone

The automation lifts a lot of burden from the shoulders of the security team, but AI can’t do everything—at least not alone. There is still a need for human interaction with AI functionality. While AI can collect the incident data, humans are needed to teach AI what data to react to and how to react. AI and human investigators need to be a partnership. For instance, during the response stage, while the AI model comes up with how to respond to an incident, the human security professional is responsible for confirming the response or correcting the analysis if a mistake is found.
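The pipeline the presenters describe, classify each artifact, expand or drop the incident scope based on the classification, recommend a response, and then let a human analyst confirm or correct it, can be sketched in a few dozen lines. The following Python is an added illustration written for this article, not Fortinet's code, and the "model" is a constructed lookup table standing in for a trained classifier; the artifact kinds, hosts, telemetry and the analyst policy are all made up for the example.

```python
"""Toy investigate -> scope -> respond pipeline with a human approval gate.

Added example, not the vendor's implementation. The MODEL table is a
constructed stand-in for a classifier trained on a labelled dataset of
malicious and benign artifacts.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Artifact:
    kind: str                        # "url", "hash" or "behavior"
    value: str                       # the observed indicator
    host: str                        # host on which it was observed
    related: Tuple[str, ...] = ()    # other hosts this artifact reached (constructed)


# Constructed stand-in for the trained model: indicator -> P(malicious).
MODEL: Dict[str, Dict[str, float]] = {
    "url": {"http://bad.example/payload": 0.97, "https://updates.example": 0.02},
    "hash": {"deadbeef": 0.91, "cafef00d": 0.05},
    "behavior": {"vssadmin delete shadows": 0.99, "browser opened tab": 0.01},
}
THRESHOLD = 0.5  # above this the artifact is treated as malicious


def classify(a: Artifact) -> float:
    """Return the model's malicious probability; unknown indicators score 0.0 (benign)."""
    return MODEL.get(a.kind, {}).get(a.value, 0.0)


def investigate(seeds: List[Artifact], lookup: Callable[[str], List[Artifact]]):
    """Classify seeds and expand scope across the hosts malicious artifacts touched.

    Benign artifacts (false positives) are dropped from scope; malicious ones
    add their host and pull in artifacts from related hosts until nothing new
    appears. Returns (malicious_artifacts, affected_hosts).
    """
    malicious: List[Artifact] = []
    hosts: Set[str] = set()
    seen: Set[Artifact] = set()
    queue = list(seeds)
    while queue:
        a = queue.pop(0)
        if a in seen:
            continue
        seen.add(a)
        if classify(a) < THRESHOLD:
            continue                      # benign: removed from scope
        malicious.append(a)
        hosts.add(a.host)
        for h in a.related:
            if h not in hosts:
                queue.extend(lookup(h))   # scope expands to the next host
    return malicious, hosts


ACTIONS = {"url": "block-url", "hash": "quarantine-file", "behavior": "kill-process"}


def recommend(malicious: List[Artifact], hosts: Set[str]):
    """Map each malicious artifact to a containment action, plus isolation per host."""
    actions = [(ACTIONS[a.kind], a.value, a.host) for a in malicious]
    actions += [("isolate-host", h, h) for h in sorted(hosts)]
    return actions


def respond(actions, analyst: Callable[[tuple], bool]):
    """Human-in-the-loop gate: only analyst-approved actions are executed;
    the rest are held for the analyst to correct manually."""
    approved, held = [], []
    for act in actions:
        (approved if analyst(act) else held).append(act)
    return approved, held


# Constructed telemetry: what each host reported.
TELEMETRY: Dict[str, List[Artifact]] = {
    "ws-01": [Artifact("url", "http://bad.example/payload", "ws-01", related=("ws-02",)),
              Artifact("url", "https://updates.example", "ws-01")],
    "ws-02": [Artifact("behavior", "vssadmin delete shadows", "ws-02", related=("fs-01",)),
              Artifact("behavior", "browser opened tab", "ws-02")],
    "fs-01": [Artifact("hash", "deadbeef", "fs-01")],
}


def run_demo():
    """Run the pipeline from the ws-01 alert through the analyst gate."""
    malicious, hosts = investigate(TELEMETRY["ws-01"], lambda h: TELEMETRY.get(h, []))
    actions = recommend(malicious, hosts)
    # Constructed analyst policy: everything is approved except isolating the
    # file server, which the analyst wants to review before taking it offline.
    analyst = lambda act: not (act[0] == "isolate-host" and act[1] == "fs-01")
    approved, held = respond(actions, analyst)
    return malicious, hosts, actions, approved, held


if __name__ == "__main__":
    for label, items in zip(("malicious", "hosts", "approved", "held"),
                            (run_demo()[0], run_demo()[1], run_demo()[3], run_demo()[4])):
        print(label, items)
```

Running it from the single ws-01 alert, scope grows to three hosts because each malicious artifact points at the next host, the benign update URL and browser activity are discarded as false positives, and the analyst gate lets five recommended actions through while holding back the isolation of the file server for manual review. The point of the gate is the one the presenters make: the model proposes, the human confirms or corrects.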

“Machine learning is a hot subject and is being applied to more and more domains in cybersecurity, but it is not going to replace humans any time soon,” said Yavo. “That said, it is a great tool to complement IR and save human resources. The goal is not to automate everything, but to automate where possible.”


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
