Weissblick - Fotolia
Security Think Tank: Humans and AI machines in harmony
How can organisations evolve their security operations teams to do more automation of basic tasks and cope with dynamic IT environments?
The drive for automation is clear. In many walks of life, we are building systems that can take on activities humans would traditionally undertake, but where the labour/resource cost is a challenge. In cyber security, automation and artificial intelligence (AI) can really help by enabling the processing, analysis, data gathering and automation of tasks, so that software does the leg-work and takes on the onerous workloads, leaving skilled security professionals to see the outputs and make decisions.
For example, AI could anticipate questions that a human might ask such as:
- Has this malware detected been seen on any other systems?
- Have there been any suspicious flows of data?
- What else has this user done, accessed or connected to?
In addition, AI systems could take alerts or reports from detection systems and corroborate them to remove false positives, freeing up the team that has to respond, so they can focus on real issues rather than background noise. This is a major benefit. If you think about what takes the time, a large part is the raw volume of “things” that need to be ruled in or ruled out as issues.
The other advantage is that you gain certainty, repeatability and trust in the outputs of systems by having the ability to reinforce human operators and skilled personnel with automated systems and intelligence.
The security team can provide a more robust and responsive service to the business. For example, it would be brave to allow a system to take autonomous actions in response to a given alert if you were on average only 80% sure it was a valid issue. You would want to spend time looking at each case to decide whether to act.
However, if you can raise the certainty to 99%, you could configure an automated/AI driven response to all but the most borderline cases. This enables better use of skills to help alleviate the skills and resource shortage and give security teams a more interesting day job – solving problems that rely on expertise rather than trying to fish through a swamp of data trying to find answers.
Automation is inevitable
You can conclude that automation and the wider use of AI is inevitable and will likely find traction in the execution and ownership of specific tasks. As such, it is likely to be part of the cyber defence armoury companies use to detect and respond to threats.
However, the applications are likely to be specific and aimed at reducing workload, data gathering and analysis overhead and investigative processes. While this will attenuate the growing need for skilled resources and make them more efficient, it will not remove the need for people or solve the problem of the availability of key skills.
As a final point, automation, AI, machine learning etc., are techniques also used by attackers to craft, design and execute attacks or phases of their reconnaissance and lateral movement. This means that the threat landscape once again changes and the challenges bounce back to new levels.
Hence, as with any tools, techniques or processes, it is important to make sure it is viewed in the wider context and understood as a benefit to defenders as well as the threats it poses in the hands of attackers.
The question of how we harness automation and AI is a very timely and pertinent one. As director of the institute of information security professionals (IISP), we are trying to drive up the number of available, certified, trustworthy, skilled resources in cyber security, while security suppliers are delivering technologies and systems to detect, verify, triage and manage threats in real-time. The answer lies in make sure these two goals are aligned.