By: Shimon Brathwaite
June 25, 2021
How Is Machine Learning And AI Changing SIEM Technology?
SIEM stands for security information and event management. It is a central hub for all of the security-related alerts within a company. Typically, an agent is installed on every machine on the network. It monitors activity on that computer and sends that information to a central repository where it can be stored and analyzed.
When a security admin logs into their management account, they will be presented with a dashboard to pull up whatever information they need in real-time. SIEMs have been a core aspect of cybersecurity for large companies for many years, but in the last few years, machine learning and AI have contributed to big improvements in how SIEMs operate. Here are some main ways that machine learning and AI are improving SIEM technology.
Reduction of false positives and false negatives
One of the biggest issues with SIEMs, and with almost any security monitoring tool, is dealing with large numbers of false positives and false negatives. A false positive is when the software claims there is a security issue, but upon investigation it turns out to be nothing. A false negative is a situation where a security solution fails to flag an event that is malicious, which means that the attack goes through unhindered. False negatives are significantly worse than false positives because they lead to network compromise, while false positives are simply distractions. Using machine learning and AI, SIEMs can now add more context to events. This makes SIEMs more accurate in their detection, identifying true incidents instead of flagging every potential security incident as an issue.
In the past, many SIEMs based their alerts and decisions on predefined rules. If you could not build a rule beforehand, then the SIEM would not detect the activity. However, the next generation will be able to identify potentially malicious behavior using behavioral analytics. Rather than just looking at IP addresses, domain names, or other fixed variables, they will establish a baseline of normal behavior and flag events that do not fit that baseline.
Reduce the need for human intervention
One of the big advantages of AI and machine learning across every industry is that you can automate more complex behavior, freeing up your employees to focus on other activities that cannot be automated. One example of this is the automation of threat hunting activities. SIEMs are getting better at integrating threat intelligence into their decision-making. You or your vendor can upload the applicable IOCs, and the SIEM will be able to contextualize that information and identify any threats related to those IOCs within your environment. Once it finds activity that it deems to be malicious, it will have the capability to stop processes, quarantine or remove files, and so on. This prevents damage before an incident even begins and notifies the appropriate person to review the findings.
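The contrast drawn above between predefined rules and a learned behavioral baseline, together with the IOC matching just described, can be made concrete with a small example. The code below is an added illustration written for this article, not code from the author or from any SIEM product. It parses a constructed authentication log format, runs a rule-style IOC match against a constructed threat-intel list, learns a per-user baseline of normal source IPs and login hours from an earlier period, and then flags later events that do not fit. All hostnames, usernames, timestamps and IP addresses are made up (the IPs come from the RFC 5737 documentation ranges), and the log format, field names and alert structure are assumptions chosen for the example.

```python
"""
Added example, not from the article: a toy SIEM pass that contrasts
rule/IOC matching with a learned behavioral baseline. Every host, user,
timestamp and IP below is constructed (RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed log format: "<ISO timestamp> <host> user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: one week of normal logins, then one day of activity to evaluate.
SAMPLE_LOGS = [
    "2021-06-14T09:02:11 ws01 user=alice src=198.51.100.10 result=ok",
    "2021-06-15T10:15:40 ws01 user=alice src=198.51.100.10 result=ok",
    "2021-06-16T09:48:03 ws01 user=alice src=198.51.100.10 result=ok",
    "2021-06-17T11:05:27 ws01 user=alice src=198.51.100.10 result=ok",
    "2021-06-18T10:33:59 ws01 user=alice src=198.51.100.10 result=ok",
    "2021-06-14T08:12:45 ws02 user=bob src=198.51.100.11 result=ok",
    "2021-06-15T09:01:19 ws02 user=bob src=198.51.100.11 result=ok",
    "2021-06-16T08:27:50 ws02 user=bob src=198.51.100.11 result=ok",
    "2021-06-17T09:10:08 ws02 user=bob src=198.51.100.11 result=ok",
    "2021-06-18T08:44:31 ws02 user=bob src=198.51.100.11 result=ok",
    "this line is deliberately malformed and must be skipped by the parser",
    "2021-06-21T09:05:12 ws01 user=alice src=198.51.100.10 result=ok",  # normal
    "2021-06-21T08:40:02 ws02 user=bob src=198.51.100.11 result=ok",    # normal
    "2021-06-21T03:12:44 ws01 user=alice src=203.0.113.77 result=ok",   # on the IOC list
    "2021-06-21T02:47:18 ws02 user=bob src=192.0.2.55 result=ok",       # NOT on the IOC list
]

# Constructed threat-intel feed, standing in for the IOC list an analyst or vendor uploads.
IOC_IPS: Set[str] = {"203.0.113.77"}
# Events before this instant form the learning period for the baseline.
CUTOFF = datetime(2021, 6, 21)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    result: str


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["user"], m["src"], m["result"]))
    return events


@dataclass
class Baseline:
    sources: Dict[str, Set[str]]  # user -> source IPs seen while learning
    hours: Dict[str, Set[int]]    # user -> hours of day with successful logins


def build_baseline(events: List[Event]) -> Baseline:
    """Learn, per user, which source IPs and hours of day are normal."""
    baseline = Baseline(defaultdict(set), defaultdict(set))
    for e in events:
        if e.result == "ok":  # only successful logins define "normal"
            baseline.sources[e.user].add(e.src)
            baseline.hours[e.user].add(e.ts.hour)
    return baseline


def ioc_alerts(events: List[Event], ioc_ips: Set[str]) -> List[dict]:
    """Predefined rule: alert on any event whose source IP is on the IOC list."""
    return [{"detector": "ioc_match", "user": e.user, "src": e.src,
             "ts": e.ts.isoformat(), "reasons": ["known_bad_ip"]}
            for e in events if e.src in ioc_ips]


def _hour_distance(a: int, b: int) -> int:
    """Distance between two hours of day on a 24-hour circle (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def baseline_alerts(events: List[Event], baseline: Baseline, hour_tolerance: int = 1) -> List[dict]:
    """Behavioral analytics: alert on events that do not fit the learned baseline."""
    alerts = []
    for e in events:
        reasons = []
        if e.src not in baseline.sources.get(e.user, set()):
            reasons.append("new_source")
        known_hours = baseline.hours.get(e.user, set())
        if known_hours and all(_hour_distance(e.ts.hour, h) > hour_tolerance for h in known_hours):
            reasons.append("unusual_hour")
        if reasons:
            alerts.append({"detector": "behavioral", "user": e.user, "src": e.src,
                           "ts": e.ts.isoformat(), "reasons": reasons})
    return alerts


def run_detection(lines: List[str], ioc_ips: Set[str], cutoff: datetime) -> dict:
    """Learn from events before `cutoff`, then run both detectors on the rest."""
    events = parse_events(lines)
    baseline = build_baseline([e for e in events if e.ts < cutoff])
    evaluation = [e for e in events if e.ts >= cutoff]
    behavioral = baseline_alerts(evaluation, baseline)
    # Anomalies a rule-only SIEM would never raise: nothing in the IOC feed matches them.
    missed_by_rules = [a for a in behavioral if a["src"] not in ioc_ips]
    return {"events": len(events), "ioc": ioc_alerts(evaluation, ioc_ips),
            "behavioral": behavioral, "missed_by_rules": missed_by_rules}


if __name__ == "__main__":
    result = run_detection(SAMPLE_LOGS, IOC_IPS, CUTOFF)
    for alert in result["ioc"] + result["behavioral"]:
        print(alert)
    print("anomalies invisible to rule matching:", len(result["missed_by_rules"]))
```

On the constructed data the IOC rule fires once, on the login from the listed address, while the baseline detector fires on that event and on a second login from an address the threat-intel feed has never seen, at an hour that user has never been active. That second alert is the point of the paragraphs above: it carries context (new source, unusual hour) a rule could not have been written for in advance. In a production SIEM the learning window, the tolerance and the features (device, geography, volume) would be tuned per environment, and a baseline must be refreshed so that gradual, legitimate changes in behavior do not turn into a standing stream of false positives.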
SIEMs are one of the most important aspects of a company's security strategy. Especially for larger companies, where you may be dealing with thousands of machines, you need a reliable solution to monitor these machines for the latest threats. It is not enough to have an antivirus installed on all machines; it has been shown repeatedly that hackers can circumvent such simple security solutions. To prevent zero-day attacks, you need a solution that can analyze based on context and behavior rather than just signatures. AI-driven SIEMs will detect issues faster and more reliably, and act without human intervention, making them one of the most valuable security solutions in today's market.