- Security Information and Event Management (SIEM) systems are an outdated technology. It’s no longer enough to just manage information – today’s organizations need technology that can proactively detect and respond to dynamic threats as well.
- SIEM’s learning capabilities for facing modern threats are limited, but they can be replaced with intelligent automation built on neural nets.
Security teams that rely on SIEMs are using technology that is rapidly becoming obsolete. Dealing effectively with today’s threats — which grow more sophisticated all the time — requires an equally sophisticated solution.
In the early 2000s, SIEMs were fit for their purpose. The nature of threats during that era demonstrated a clear need for information management. With a firm handle on this, security teams could easily move onto the next thing: security analytics.
But over the last five years, the threat landscape has changed quickly. Focusing on information alone is no longer adequate. Organizations need technology that incorporates effective, self-directed threat detection and response.
Why SIEM technology is no longer enough
When the first SIEMs were created, artificial intelligence (AI) and machine learning (ML) were very much in their infancy. At that time, SIEMs worked because security teams couldn’t handle the volume of threat information their firewalls and intrusion detection systems generated. SIEMs solved this problem by connecting firewalls and intrusion detection systems (IDSs) together with the rest of the security infrastructure.
Flash forward to 2022: SIEMs draw on multiple sources to gather a large pool of increasingly unmanageable data. But what are SIEMs doing besides collecting data? To be effective, the data must be contextualized so that it can be actionable. This has been a well-known gap in SIEM tech. Intelligent automation solutions are finally beginning to tackle this problem.
Enter the neural net
SIEM technology has a learning problem. It is rules-based and simplistic and can’t adapt to customers’ needs. In contrast, systems built on neural nets learn progressively and evolve their decision-making process just like humans do.
How does this work? Below are three key areas in which neural nets are ideally suited to the high volume and sophistication of threats in today’s landscape:
1. Autonomous alert triage
Every SOC is besieged by false positives, so the triaging of alerts can and should be automated. For minimal or routine security alerts, autonomous alert triage not only reduces the number of false positives considerably, but also ensures that only critical alerts are escalated to analysts.
2. Automated incident response
User error is more common than we realize. This is because humans are not meant to perform repetitive actions day in and day out the same way machines are. To reduce inconsistency, we must consider the strengths and weaknesses of the human mind. By delegating repetitive tasks to machines, we allow our human analysts to use their minds creatively to solve the unique problems not suited for machines.
Smart automation is instrumental in reducing risk. Humans working in tandem with AI to create an automated approach to threat detection and response significantly reduces Mean Time to Respond (MTTR) while keeping humans in control.
3. AI-powered threat detection
Intelligent automation can sort through a gigantic amount of data generated by multiple sources hundreds – if not thousands – of times faster than a human. Machines never get tired, they never sleep, and they never burn out. Humans, on the other hand, do. By tasking AI that learns from analyst decisions and techniques to tackle threat detection and response, you allow your human experts to focus on what they do best.
Humans work better with bots
Take a security team of six people: one with 15 years’ worth of experience and five junior team members with just a few years’ worth of experience. Your senior analyst probably feels like the job is intuitive because it has become second nature to him or her. So how do you leverage the experience of the senior leader – or the ever elusive “tribal knowledge” of your most valued team members – to help junior analysts level up quickly?
Playbooks are standard operating procedure for most organizations, but for a company that’s not mature, security procedures may not be written down. And if an experienced team member leaves, all their “tribal knowledge” goes out the door with them.
Writing it down in a physical playbook is a start. But why not automate it as well? The principle of DRY — don’t repeat yourself — should apply for any repetitive task done more than two or three times. And it’s no different with security.
Automation executes the playbook within minutes and presents the output for the analyst to see. Viewed in this way, automation is an assistant that does all the heavy lifting, and then presents the finished product to the supervisor for sign off. All the work is completed, and all the analyst needs to do is review the decision and take the right action with the click of a button.
What happens here? Two things:
1. Error rates decrease
One of our earliest customers had two full-time security analysts dealing with hundreds of security alerts a month. When they implemented our automation for 30 days’ worth of data, just three real cases out of 700 were found. The machines had an error rate of 3%, and the analyst team had an error rate of 14%. What caused this? The analysts did not repeat every step in the playbook. This is not a problem with automation, which will run through these repetitive steps every time — at machine speeds and machine scale. These types of tasks are best left to AI. With AI input, a human security analyst can do what they do best: Make an important decision and take final, appropriate action.
2. AI as a junior analyst
Treating the AI as a junior analyst — an assistant to the security analyst, almost like an apprentice — enables the security team to train its decision engines through ongoing feedback. This is where machine learning (ML) comes into play, learning from both the data and the analysts, and becoming as good as (or better than) the analysts at detecting 80% of threats. Based on the data and analyst input, ML will further improve AI decision-making to tackle the remaining 20% of threats — eventually hundreds of times faster than humans.
The power of the neural network
Four-year-old children can differentiate between a cat and a dog. Humans can’t explain how or why they know; they just know that they know. The web contains millions of (frequently labeled) cat and dog images. But humans don’t have labeled data. Attempting to automate this kind of decision-making without ML libraries — say, with a programming language — is extremely difficult.
Today, machine learning that uses neural nets can classify images or translate speech better than humans can. A decade ago, this wasn’t true. Deep neural nets across a vast array of different technologies can extract features, transform them into scores, and combine them into a final score. This is the architecture of a neural network, which can be turned into an expert system.
What does this look like in practice in a real security operations center (SOC)?
Thousands of security alerts are generated every day, both internally at our company, as well as among our customers. But our security operations team never needs to look at an alert, because our playbooks sift and classify them based on entities, user IDs, IP addresses and more – then take immediate action. The result: Instead of the team receiving 100 alerts, the AI fires off the responses, and surfaces – on average – just two cases for review.
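As an added illustration (not code from the original post or from any vendor product), here is a toy Python triage playbook that ties together the ideas above: it extracts features from each alert (source network, account type, volume, a per-rule prior), combines them into a single score in the "features to scores to final score" pattern, auto-closes or auto-responds to low-scoring alerts so that only high-scoring ones reach an analyst, and adjusts the per-rule prior from analyst verdicts the way the "junior analyst" feedback loop described earlier would. All alert records, rule names, network ranges, weights and thresholds are constructed assumptions.

```python
"""Toy alert-triage playbook: extract features, score, combine, escalate only
critical alerts, and learn per-rule priors from analyst feedback.
Everything below is constructed for illustration; no real telemetry."""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample alerts (assumed field names; not real data)
ALERTS = [
    {"id": "A1", "rule": "brute_force", "src_ip": "10.0.0.5", "user": "svc-backup", "count": 40},
    {"id": "A2", "rule": "brute_force", "src_ip": "203.0.113.7", "user": "jdoe", "count": 250},
    {"id": "A3", "rule": "new_admin", "src_ip": "10.0.0.9", "user": "jdoe", "count": 1},
    {"id": "A4", "rule": "port_scan", "src_ip": "192.0.2.44", "user": None, "count": 3},
]

# Assumed internal address space and service-account naming convention
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SERVICE_ACCOUNT_PREFIX = "svc-"
PRIOR_PSEUDOCOUNT = 2  # how much weight the initial prior keeps against feedback


@dataclass
class Playbook:
    # Initial belief that an alert from each rule is a true positive (assumed values)
    base_prior: dict = field(default_factory=lambda: {"brute_force": 0.2, "new_admin": 0.7, "port_scan": 0.1})
    rule_prior: dict = field(default_factory=dict)
    feedback_seen: dict = field(default_factory=dict)  # rule -> (true_positives, total)
    escalate_threshold: float = 0.6
    respond_threshold: float = 0.3

    def __post_init__(self):
        self.rule_prior = dict(self.base_prior)

    def features(self, alert):
        """Turn raw alert fields into the handful of signals the score uses."""
        ip = ipaddress.ip_address(alert["src_ip"])
        user = alert["user"] or ""
        return {
            "external_source": not any(ip in net for net in INTERNAL_NETS),
            "service_account": user.startswith(SERVICE_ACCOUNT_PREFIX),
            "high_volume": alert["count"] >= 100,
            "rule_prior": self.rule_prior.get(alert["rule"], 0.5),
        }

    def score(self, alert):
        """Combine per-feature contributions into one risk score in [0, 1]."""
        f = self.features(alert)
        s = f["rule_prior"]
        if f["external_source"]:
            s += 0.25
        if f["high_volume"]:
            s += 0.20
        if f["service_account"] and alert["rule"] == "brute_force":
            s -= 0.15  # assumed known-noisy pattern: service accounts retrying logins
        return round(max(0.0, min(1.0, s)), 3)

    def triage(self, alert):
        """Only alerts above the escalation threshold reach a human analyst."""
        s = self.score(alert)
        if s >= self.escalate_threshold:
            return "escalate"
        if s >= self.respond_threshold:
            return "auto_respond"
        return "auto_close"

    def feedback(self, alert, was_true_positive):
        """Analyst verdict updates the rule prior (smoothed toward the base prior)."""
        rule = alert["rule"]
        tp, n = self.feedback_seen.get(rule, (0, 0))
        tp, n = tp + int(was_true_positive), n + 1
        self.feedback_seen[rule] = (tp, n)
        base = self.base_prior.get(rule, 0.5)
        self.rule_prior[rule] = (tp + PRIOR_PSEUDOCOUNT * base) / (n + PRIOR_PSEUDOCOUNT)


def run(playbook, alerts):
    """Triage every alert; returns {alert_id: decision}."""
    return {a["id"]: playbook.triage(a) for a in alerts}


def summary(decisions):
    """Count decisions, e.g. how many of N alerts actually reach an analyst."""
    counts = {"escalate": 0, "auto_respond": 0, "auto_close": 0}
    for d in decisions.values():
        counts[d] += 1
    return counts


if __name__ == "__main__":
    pb = Playbook()
    for alert_id, decision in run(pb, ALERTS).items():
        print(alert_id, decision)
    print(summary(run(pb, ALERTS)))
```

Running it escalates only the external high-volume brute force and the new admin account, auto-responds to the port scan, and closes the noisy service-account login alert. After an analyst marks several port-scan alerts as real, the learned prior for that rule rises and the same port-scan alert is escalated instead; that is the feedback loop in miniature.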
Moving beyond SIEM
Taking advantage of intelligent automation is the way forward for security teams currently relying solely on SIEM technology. Evolving to AI- and automation-powered detection and response technology meets the moment and is ideal for today’s threat landscape. That’s one very human decision you can make with confidence.