AI & Cybersecurity: Rebalancing a SOC Analyst's Tasks

The hype cycle for artificial intelligence (AI) is in full swing and there is much confusion over what AI can do for cybersecurity. Unlike past attempts to build useful AI, we’re already seeing significant differences in available and upcoming technology. Advances in all areas of machine learning and AI are coming fast, enabled by the exponential growth of processing power and the prevalence of off-the-shelf libraries and algorithms. Image and natural language processing are hot beds of innovation. You’ve probably seen regular news headlines about AI beating humans in complex games.

Computers are good at tirelessly doing the same thing repeatedly and consistently. While AI is interesting and provides a useful research tool, its real impact will come from automating tasks that humans find difficult. Humans, in turn, are good at complex pattern matching, nuance and curiosity.

What is AI, Really?
There is much confusion over what defines AI. There are dozens of machine learning techniques that can be applied to solve AI problems, and many of the same techniques are also used to solve analytic problems. The distinction between AI and analytics is a key source of confusion for the practitioner looking for solutions in the market. An example of a basic analytic is taking a large set of data from an Intrusion Detection device and applying clustering in the hope of finding interesting events, such as false-positive signatures. This is not AI; it only creates another set of output data that must be interpreted by a person.
True AI "exhibits behaviors that perceive its environment and takes actions that maximize its chance of success at some goal." [1] AI must not simply process data; it must be able to react to its environment and make intelligent decisions based on goals.

AI and Cybersecurity
The high-volume, high-velocity streams of data from security devices are a perfect match for AI in cybersecurity. Humans, of course, are at the center of SOCs, continually monitoring event streams. In one of our previous posts, "The 6 Top Reasons Why the SOC Analyst Role is So Hard", we discussed the pitfalls of this position and how the demands of the job affect analysts, managers and organizations. This is where AI can perform many of these repetitive tasks so much better, presenting the opportunity to rebalance the workload and offload the data avalanche from security analysts. AI has the capability to tirelessly and consistently watch the stream of events, decide when a meaningful security incident has occurred, and only then engage a skilled human to investigate and remediate.

AI Success in the SOC
Bottom line: AI is successful when it accomplishes its designed goal. For a game-playing AI, the goal is to beat the human. Similarly, for AI in the SOC, the goal is to be as good as the front-line analyst. Only then can AI truly be a trusted partner in the SOC.

To be undeniably valuable, AI should be able to achieve its goal *out of the box*, requiring no up-front training or large data sets. At the same time, AI must also learn, both on its own and from human feedback, to improve the quality of its decision making. Just as an analyst improves with time and experience, so should AI.

At Respond, our solution represents the optimal combination of machine learning and security domain expertise, creating the first self-driving SOC that emulates the decision making of security analysts. Our Probabilistic Graphical Optimization (PGO™) enables this capability and allows the Respond Analyst AI to reason probabilistically to achieve its goal and become a trusted partner in the SOC.

1. Source: Wikipedia, Artificial Intelligence