Journey to the AI-Enabled SOC: Advancing the Science of Threat Detection

Artificial Intelligence (AI)-enabled analytics offer great promise for furthering the science of advanced threat detection. While it is difficult to imagine AI superseding the cognitive and instinctive power of talented security analysts and threat hunters in the immediate future, AI can and will advance the science of threat detection to accelerate speed and accuracy, while reducing that bane of all security operations centers—false negatives and false positives.

When discussing advanced threat detection, I’m referring to a class of threats able to evade the preventative and detective measures of both new and old security infrastructures. This is the class of threats that leverages zero-day exploits, develops targeted and stealthy malware, or operates from within the perimeter as a malicious insider or imposter. Organizations striving to detect this class of threat have long struggled to find the right balance between false negative risk and false positive frequency.

Reducing False Negatives and False Positives

For clarity, a false negative is a security incident that was not detected in a timely manner (e.g., a phishing attack resulting in a compromised user account that goes unnoticed by the security team until more damage occurs). False positives are alarms generated by security systems that indicate a security incident has likely occurred when, in fact, everything is normal. For example, a User and Entity Behavior Analytics (UEBA) product may report a user as a threat based on observed behavioral anomalies when, in fact, the user was traveling in support of a special project, which resulted in an expected and authorized shift in authentication and data access behaviors.

Enterprises must find their own balance when it comes to false negative risk vs. false positive frequency. Realistically, organizations that want to reduce false negative risk will need to accept increased false positive frequency and staff their security operations center appropriately. Unfortunately, some vendors sell AI and machine learning (ML)-based behavioral anomaly detection as an easy button for advanced threat detection and false positive reduction. Organizations that succumb to these snake oil salesmen are in for an unfortunate reality check—likely to be realized in the form of a high-impact and embarrassing data breach. You’ll recognize these vendors when their story sounds too good to be true.

But, where there is hype, there is also hope. AI/ML-powered analytics are revolutionizing the science of advanced threat detection and will continue to do so throughout the next decade. I believe AI’s greatest impact will be towards holistic threat analytics, which is the ability to detect and qualify threats with accuracy wherever they might originate and with whatever they might intersect—endpoint, server, application, device, or user.

Next-Gen SIEM Solutions

Enterprises that have invested in deploying a next-generation SIEM platform, such as LogRhythm, gain profound forensic visibility and contextual awareness across their broad IT environment and security infrastructure. This pervasive centralized visibility serves as the foundation for holistic threat detection, creating an incredible analytics opportunity for AI-powered technologies. Pervasive visibility enables sophisticated scenario analytics to continuously model data—recognizing the occurrence of complex scenarios that exhibit the tactics, techniques, and procedures (TTPs) of known threats. The same visibility also empowers deep behavior analytics, modeling a diverse cross-section of behaviors across the IT infrastructure and the users operating within, allowing us to detect subtle behavioral shifts that might indicate a potential or present threat.

Additionally, AI-powered analytics engines can uniquely leverage the rich contextual data that exists within next-generation SIEMs, such as asset value, user role, IP/DNS reputation, and known vulnerabilities. This contextual information can be applied both to threats detected by other technologies (e.g., firewalls, endpoint protection, IPS) and to threats detected through scenario and behavior analytics approaches, downgrading or upgrading a threat’s true positive likelihood and relative risk to the business.

Advancing Threat Detection with CloudAI

As I mentioned in the first blog of the Journey to the AI-Enabled SOC series, LogRhythm was founded with a vision of unlocking the potential of analytics-driven approaches towards advanced threat detection. In support of our holistic threat detection goals, we aim to be at the forefront of analytics approaches and technologies. With the recent introduction of our CloudAI technology, LogRhythm has taken yet another step towards our ultimate analytics vision of realizing the following outcomes for our customers:

  • Discerning patterns of known threats, on a global, geographic, vertical, and company basis and detecting in real time every observed instance going forward.
  • Discerning with security and risk relevancy the behavioral shifts across the IT environment that predict and detect with accuracy an active or emerging threat.
  • Enabling organizations to perform effective threat hunting – augmenting what is today an art few can effectively perform or afford.
  • Eliminating false negatives with a very low false positive frequency, and presenting alarms with real-time risk context in support of detecting and neutralizing threats early in the kill chain.
  • And finally, realizing all the above with as little manual input, maintenance, and tuning as possible.

We have a grand vision for CloudAI in support of advancing the science of advanced threat detection. With our initial introduction, we have focused on evolving our User and Entity Behavior Analytics (UEBA) offering, but trust me, we are not done there. Over the next few years we will see CloudAI quickly evolve through supervised and unsupervised machine learning approaches to become the most powerful and accurate technology available in support of holistic threat detection. CloudAI’s evolution will uniquely benefit from the quality of our data, powered by our patented Machine Data Intelligence Fabric. It will also benefit from our global customer base providing feedback in the natural flow of daily security operations – helping us build a smarter and self-evolving CloudAI.

CloudAI’s initial UEBA application greatly advances our behavior analytics capabilities. We are now able to model the behaviors of users more deeply and extensively than ever before. This allows us to further our goal of augmenting threat hunting activities by presenting to customers those users most likely to represent a threat, based on a diverse and deep cross-section of observed behavioral shifts. Furthermore, every behavioral shift that CloudAI observes is scored with threat relevancy and sent to our AI Engine technology for threat corroboration and contextual risk scoring. This allows us to generate real-time alarms when a corroborated and high-risk user threat is observed – with low false positive frequency. With CloudAI, we have further evolved the state of the art when it comes to detecting user-based threats with low false negative risk and low false positive frequency.
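To make the corroboration and contextual risk scoring described above concrete, here is an added illustration that is my own example and not LogRhythm's CloudAI or AI Engine code. Individual detections (behavioral shifts scored with threat relevancy, or alerts from other technologies such as a firewall) are combined by noisy-OR so that several medium-confidence observations corroborate each other, and the result is then upgraded or downgraded with the SIEM context named earlier: asset value, user role, IP reputation and known vulnerabilities. All names, weights, thresholds and scenarios are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed SIEM context (hypothetical values, not a real product's data model).
ASSET_VALUE = {"fin-db-01": 1.0, "dev-laptop-17": 0.3}   # business criticality 0..1
USER_ROLE = {"alice": "dba", "bob": "staff"}
ROLE_WEIGHT = {"dba": 0.9, "contractor": 0.6, "staff": 0.4}
BAD_IP_REPUTATION = {"198.51.100.23"}                    # TEST-NET-2 address, constructed
KNOWN_VULNERABLE = {"fin-db-01"}                         # assets with an open critical vuln

@dataclass
class Detection:
    source: str        # "ueba", "firewall", "edr", ...
    user: str
    asset: str
    src_ip: str
    likelihood: float  # per-detection true-positive likelihood (threat relevancy), 0..1

def corroborate(detections):
    """Noisy-OR: independent detections corroborate each other; one weak one stays low."""
    doubt = 1.0
    for d in detections:
        doubt *= 1.0 - d.likelihood
    return 1.0 - doubt

def contextual_risk(detections):
    """Adjust a corroborated likelihood with SIEM context; returns (likelihood, risk 0..100)."""
    likelihood = corroborate(detections)
    if any(d.src_ip in BAD_IP_REPUTATION for d in detections):
        likelihood = 1.0 - (1.0 - likelihood) * 0.5      # bad reputation halves remaining doubt
    impact = max(ASSET_VALUE.get(d.asset, 0.2) for d in detections)
    if any(d.asset in KNOWN_VULNERABLE for d in detections):
        impact = min(1.0, impact + 0.2)                    # exploitable target raises impact
    role = max(ROLE_WEIGHT.get(USER_ROLE.get(d.user, ""), 0.4) for d in detections)
    return likelihood, 100.0 * likelihood * impact * role

def should_alarm(detections, min_likelihood=0.8, min_risk=70.0):
    """Alarm only on a corroborated (high-likelihood) and high-risk threat."""
    likelihood, risk = contextual_risk(detections)
    return likelihood >= min_likelihood and risk >= min_risk

# Constructed scenarios: a DBA account driven from a bad IP against the finance DB
# (alarm) versus a traveling staff member whose shift has an authorized cause (no alarm).
DBA_CASE = [
    Detection("ueba", "alice", "fin-db-01", "198.51.100.23", 0.3),      # new geography
    Detection("ueba", "alice", "fin-db-01", "198.51.100.23", 0.4),      # unusual query volume
    Detection("firewall", "alice", "fin-db-01", "198.51.100.23", 0.5),  # blocked outbound flow
]
TRAVEL_CASE = [
    Detection("ueba", "bob", "dev-laptop-17", "203.0.113.8", 0.4),      # new geography
    Detection("ueba", "bob", "dev-laptop-17", "203.0.113.8", 0.3),      # off-hours logon
]
```

With these weights the DBA case alarms (likelihood about 0.9, risk about 80) while the traveling user scores under 10, and a single 0.3 detection on the DBA account stays below the bar, which is the corroboration requirement at work.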

I am excited to see CloudAI strengthen the security posture of our customers through our initial UEBA application. However, our industry’s journey with AI-powered analytics is still relatively nascent. LogRhythm has been and will continue to be at the forefront of this journey, delivering customers advanced and pragmatic approaches that will best protect them from ever-evolving threats.