1 Introduction
As companies go through digital transformation, they face problems like the growing complexity of their IT infrastructures, massive amounts of sensitive data spread across multiple clouds, and a worsening shortage of skilled people to deal with them. Even large businesses with strong security teams manning a security operations center powered by a Security Information and Event Management (SIEM) platform cannot keep up with the latest digital risks and the rapidly growing number and sophistication of modern cyber-attacks.
The security market's response is a new class of security intelligence tools that harness machine learning to cut down on the false positives and other noise generated by traditional SIEMs, and to present a forensic analyst with a small number of context-enriched alerts ranked by risk score, often accompanied by actionable mitigation recommendations.
The rapid development of ML and AI applications in recent years has given many businesses the idea that their overworked security analysts will soon be completely replaced by an artificial intelligence that deals with cyber threats and breaches without human intervention. Unfortunately (or fortunately), this prospect is still quite far from reality for several reasons, from the inherent limitations of ML algorithms to the numerous legal and ethical implications of autonomous AIs. However, some of the latest developments in the field of cognitive technologies may give us some hope after all.
The concept of Security Information and Event Management (SIEM) has just recently turned 15 years old. Back then, SIEM products were hailed as the ultimate solution for managing security operations, and they still form the foundation of modern Security Operations Centers. However, visibility into security events alone does not help analysts assess each discovered threat: with the number of manual tasks and disparate tools a thorough analysis requires, analysts lose too much valuable time. More often than not, they face hundreds or thousands of alerts and simply have no time to handle every single one properly.
Modern security intelligence platforms (or "next-generation SIEMs", as they are often called) like QRadar use machine learning algorithms to correlate multiple security events into a single incident, to substantially reduce the number of false positives, and to provide an automated risk score for each incident. Some solutions go as far as to offer recommended mitigation actions based, for example, on the history of similar incidents. However, the much-discussed idea of letting an AI mitigate security incidents without human interaction does not find many supporters among IT experts: in most real-world scenarios it is still considered too dangerous, because an automated response could disrupt business or even manufacturing processes.
So every discovered incident still has to be properly investigated by an analyst, a process that usually involves the same routine, largely manual tasks: collecting artifacts from different systems, looking up additional information such as IP reputation or malware hashes, and consulting external threat intelligence, all to finally make an informed decision on how to mitigate the problem. With the growing number and sophistication of cyber-attacks, even the largest expert teams sooner or later reach their capacity limits and can no longer invest enough time in every investigation. Various sources estimate that such an analysis may take not just hours but days, leaving threats unmitigated in the meantime and tying up experts who could be doing more productive work.
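To make the correlate / enrich / score / rank workflow described above concrete, here is an added, deliberately rule-based stand-in for it. This is example code written for this page, not QRadar's logic or any vendor's algorithm; the events, the IP reputation and malware hash tables, the allowlisted scanner, the weights and the 0 to 100 score range are all constructed and chosen for illustration only. A real platform would replace the hand-written weights with a learned model and the dictionaries with live threat intelligence feeds, but the shape of the pipeline, and the reason it shrinks seven raw alerts to two ranked incidents, is the same.

```python
"""Enrich-and-rank triage over constructed SIEM events (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# --- constructed inputs (not real data) ------------------------------------
BAD_HASH = "f" * 64  # constructed SHA-256 standing in for a known malware sample

EVENTS = [  # individual, uncorrelated alerts as a classic SIEM would raise them
    {"id": 1, "src_ip": "203.0.113.10", "host": "web-01", "type": "failed_login"},
    {"id": 2, "src_ip": "203.0.113.10", "host": "web-01", "type": "failed_login"},
    {"id": 3, "src_ip": "203.0.113.10", "host": "web-01", "type": "successful_login"},
    {"id": 4, "src_ip": "203.0.113.10", "host": "web-01", "type": "process_start",
     "sha256": BAD_HASH},
    {"id": 5, "src_ip": "192.0.2.5", "host": "db-02", "type": "port_scan"},
    {"id": 6, "src_ip": "192.0.2.5", "host": "db-03", "type": "port_scan"},
    {"id": 7, "src_ip": "198.51.100.7", "host": "mail-01", "type": "failed_login"},
]
# Constructed "threat intelligence"; in practice these come from external feeds.
IP_REPUTATION = {"203.0.113.10": "malicious", "198.51.100.7": "suspicious"}
KNOWN_BAD_HASHES = {BAD_HASH: "constructed-malware-family"}
ALLOWLISTED_SCANNERS = {"192.0.2.5"}  # e.g. the in-house vulnerability scanner


@dataclass
class Incident:
    src_ip: str
    events: list
    context: dict = field(default_factory=dict)        # enrichment results
    score: int = 0                                      # 0..100, higher = riskier
    recommendations: list = field(default_factory=list)
    suppressed: bool = False                            # known-benign, hidden from queue


def correlate(events):
    """Group raw events by source IP into candidate incidents."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append(ev)
    return [Incident(src_ip=ip, events=evs) for ip, evs in by_src.items()]


def enrich(inc):
    """Attach the lookups an analyst would otherwise perform by hand."""
    inc.context["ip_reputation"] = IP_REPUTATION.get(inc.src_ip, "unknown")
    hashes = {ev["sha256"] for ev in inc.events if ev.get("sha256")}
    inc.context["malware_hits"] = sorted(
        KNOWN_BAD_HASHES[h] for h in hashes if h in KNOWN_BAD_HASHES)
    inc.context["allowlisted"] = inc.src_ip in ALLOWLISTED_SCANNERS
    return inc


def score(inc):
    """Rule-based risk score; the weights are illustrative, not tuned."""
    if inc.context["allowlisted"]:           # known scanner: suppress outright
        inc.suppressed, inc.score = True, 0
        return inc
    types = [ev["type"] for ev in inc.events]
    hosts = sorted({ev["host"] for ev in inc.events})
    s = 2 * min(len(inc.events), 5)          # volume matters, but saturates
    # Brute force that eventually succeeded: failed logins *before* a success.
    if "failed_login" in types and "successful_login" in types:
        first_fail = types.index("failed_login")
        last_ok = len(types) - 1 - types[::-1].index("successful_login")
        if first_fail < last_ok:
            s += 40
            inc.recommendations.append("reset credentials used on " + ", ".join(hosts))
    s += {"malicious": 30, "suspicious": 15}.get(inc.context["ip_reputation"], 0)
    if inc.context["malware_hits"]:
        s += 40
        inc.recommendations.append("isolate and image " + ", ".join(hosts))
    if inc.context["ip_reputation"] != "unknown":
        inc.recommendations.append(f"block {inc.src_ip} at the perimeter")
    inc.score = min(s, 100)
    return inc


def triage(events):
    """Full pipeline: correlate -> enrich -> score -> rank, hiding suppressed incidents."""
    incidents = [score(enrich(inc)) for inc in correlate(events)]
    ranked = [inc for inc in incidents if not inc.suppressed]
    ranked.sort(key=lambda inc: inc.score, reverse=True)
    return ranked


if __name__ == "__main__":
    for inc in triage(EVENTS):
        print(f"{inc.score:3d} {inc.src_ip:14s} {len(inc.events)} events "
              f"{inc.context} -> {inc.recommendations}")
```

Two points are worth noticing. Correlation alone turns seven alerts into three incidents, and the allowlist removes one of those entirely; that is where the "fewer false positives" effect comes from, and it is also where an over-eager allowlist would hide a real attacker who borrows the scanner's address. The recommendations are generated but never executed, which mirrors the text's position that an analyst, not the tool, makes the final mitigation decision.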