Rise of the machines – Using AI, machine learning, and automation to improve your security posture

We live in a world where everything is being automated – from the “smart” gadgets in your home to, eventually, the self-driving car that takes you to work. Now and in the future, it will be difficult to find something that is not suited to automation. 

If we move the conversation to business, automation is even more commonplace. From business processes and software-as-a-service applications (SaaS) to more complex network and cloud automation, it’s all part of digital business already. So why does it sometimes feel as though cybersecurity is still playing catch up?

Cyber criminals are leveraging automation to launch effective malware and phishing campaigns, as it provides them with scale, speed and repeatability. As a result, we’re seeing these types of sophisticated attacks occur more frequently. This creates a challenge for security operations teams because they become overwhelmed with repetitive processes and tedious investigations into false positives. Put simply, there are not enough resources or time to keep up.

Security automation can help. The technology reduces the number of monotonous tasks that take up an engineer’s valuable time, yet ensures they are always completed accurately, regardless of frequency and quantity. This frees up the engineer’s time and skills to focus on other more business strategic tasks while maintaining network health and safety.

Automation Is the Answer

In Juniper Network's recent webinar, they discussed the importance of using security automation to combat today’s complex and persistent attacks, including malware that camouflages itself to remain in stealth mode until it arrives at the intended target. IBM was able to demonstrate this with its DeepLocker concept that was embedded into video conferencing software and only triggered when the targeted individual was seen on camera.

Security automation can help here, too – from monitoring unusual network behavior or data movement to creating rules for the network, the possibilities are endless. Here are a few key areas to keep in mind, when you are considering deploying this technology:

• Every day, analysts receive hundreds of alerts, most of which are benign. However, they still must watch for threats that may be serious. Automating this task reduces the number of alerts that must be looked at in detail, increasing analyst efficiency and reducing the risk of missing an important alert.
• Analyst fatigue can be aggravated by performing repetitive actions. Any alert has three possible states, known as good, bad, or unknown. This leads to an analyst performing the same actions over and over again, increasing the possibility of error. Automation can use rules based on previous experience to determine if action is needed, resulting in only alerts that require further investigation to be flagged to an analyst.
• When an alert is deemed to be bad, an analyst must manually investigate and understand what has happened and what remediation actions are required. Even the most complex alert will require common and repetitive actions to establish remediation. This may include quarantining devices infected with malware or deleting phishing attachments from emails. Although security automation cannot yet be used to detect these attacks, it can be used to perform the repetitive actions and allow the analyst to move onto the next task that requires attention.

Now that we’ve established security automation can significantly reduce the workload of the SOC team, where do the two big technology buzzwords of today – machine learning and artificial intelligence (AI) – come in to play?

We’re still in early days, but machine learning and AI are going to be big – in fact, many experts predict these technologies will dominate cybersecurity in the future. There is an obvious need to improve the capability of automated security to provide clearer analysis, recognize behavior and patterns and help solve problems for analysts. Together, machine learning and AI could be key enablers, helping to reduce human effort and make cybersecurity faster, more consistent and accurate.

By Laurence Pitt

Published with permission from forums.juniper.net/t5/Blogs/ct-p/blogs