
Has Machine Learning (ML) and Artificial Intelligence (AI) Yielded Benefits To The Security Operations Center(SOC)?

By: Pankaj Kamboj
June 2, 2020

This topic has become a buzzword with the advancement of technology and glittering vendor marketing around Machine Learning (ML) and Artificial Intelligence (AI). How it benefits the customer in a real sense is a question that needs to be addressed from a quantitative and qualitative risk-analysis perspective, which is a very subjective topic and requires detailed analysis. Indeed, many pundits claim that it will reduce the cost of people and remove the need for skilled resources and level-1 analysts in a Security Operations Center (SOC), but what does it do in a practical scenario?

Before we dive in with both feet, let us first understand the foundation of ML. ML is one approach within the science of AI. First and foremost, the data scientist needs to build a model to perform data mining on a large amount of data. What distinguishes ML from other types of programming is the ability to learn from large amounts of data using human-built algorithms/models to complete tasks. The algorithms/models help the machine learn and adapt to data so that it can mimic a human. Below are some examples of ML use cases:

• Flag unnecessary access to parts of the IT estate that the user is not authorized to access, based on the algorithm/model
• Identify security risk around a device/asset based on a sudden spike in traffic, including resource consumption, hardware failure, etc.
• Predict maintenance needs and other optimization metrics to help businesses run more smoothly

The basic need for AI and ML is data, but are we sure the data we are using is accurate? This seems comfortable from a theoretical and training perspective while following certain standards and defined samples. When it comes to dynamic business needs, we miss the important piece, which is "Security Intelligence." This boils down to contextual, situational attributes such as profile, IP, identity, geolocation, time of day, type of endpoint device, etc. If we take the simple analogy of replacing level-1 analysts in the SOC with AI & ML tools, the tool might suggest that an offense has occurred and that someone needs to check and validate it. This could be a false or a true alert, but you can't avoid human intervention. Imagine a scenario where an alert is generated by your Security Information and Event Management (SIEM) software that one of your C-level executives is accessing data from a country where you don't have any business. Is this a real threat? Has the password been stolen? Or maybe, just maybe, is it the real user accessing the data during a layover at the airport? This shows that human intervention can't be neglected, and relying on AI & ML automation for everything is not the right approach.
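To make the scenario concrete, here is an added example (not part of the original post) that enriches such a SIEM alert with the contextual attributes the text calls "Security Intelligence" and produces a triage priority for an analyst rather than an automated verdict. All identities, addresses, countries and itineraries are constructed sample data, and the scoring weights are illustrative assumptions.

```python
from datetime import datetime

# Constructed sample data: an executive logs in from a country where the
# organisation has no business presence (hypothetical identity, TEST-NET IP).
BUSINESS_COUNTRIES = {"US", "GB", "DE"}
ALERT = {
    "user": "cfo@example.com",
    "src_ip": "203.0.113.45",
    "geo_country": "AE",
    "timestamp": "2020-06-01T02:14:00+00:00",
    "device_id": "LAPTOP-CFO-01",
}
# Constructed contextual attributes that the SIEM rule alone does not see.
CONTEXT = {
    "managed_devices": {"LAPTOP-CFO-01"},
    "travel_itineraries": {"cfo@example.com": [("AE", "2020-05-31", "2020-06-02")]},
    "business_hours_utc": (6, 20),
    "last_login": {"cfo@example.com": ("GB", "2020-05-31T18:00:00+00:00")},
}

def enrich_alert(alert, context):
    """Attach contextual signals to the alert and return a triage verdict."""
    reasons, score = [], 0
    user, country = alert["user"], alert["geo_country"]
    ts = datetime.fromisoformat(alert["timestamp"])
    if country not in BUSINESS_COUNTRIES:
        score += 2; reasons.append(f"login from non-business country {country}")
    # An approved itinerary (the airport layover) explains the location.
    on_trip = any(c == country and s <= ts.date().isoformat() <= e
                  for c, s, e in context["travel_itineraries"].get(user, []))
    if on_trip:
        score -= 2; reasons.append("country matches approved travel itinerary")
    if alert["device_id"] not in context["managed_devices"]:
        score += 2; reasons.append("unmanaged endpoint device")
    start, end = context["business_hours_utc"]
    if not start <= ts.hour < end:
        score += 1; reasons.append("outside business hours")
    # Impossible travel: a login from a different country under 8 hours earlier.
    prev = context["last_login"].get(user)
    if prev and prev[0] != country:
        hours = (ts - datetime.fromisoformat(prev[1])).total_seconds() / 3600
        if hours < 8:
            score += 3; reasons.append(f"previous login from {prev[0]} {hours:.1f}h earlier")
    priority = "high" if score >= 3 else "medium" if score >= 1 else "low"
    # The score only orders the analyst queue; a human still validates the alert.
    return {"priority": priority, "score": score, "reasons": reasons, "route": "analyst_review"}

if __name__ == "__main__":
    print(enrich_alert(ALERT, CONTEXT))
```

With the itinerary present the example alert lands in the queue as medium priority with the explaining context attached; remove the itinerary and use an unmanaged device and the same event scores high.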

To summarize: without practically validating the use cases and business goals, alerts based only on the probabilities produced by AI & ML could waste the precious time of security professionals with false-positive and unwanted alerts, create a panicked environment, and lead to the implementation of misguided policies and compliance checks. Therefore, Security Intelligence is paramount in feeding the right inputs to these advanced tools; it should be a prerequisite in defining the use cases, followed by a judgment-based approach to managing alerts through the SOC.
