How We’re Using AI to Usher in the Era of the “Smarter SOC”

By Steve Grobman on Aug 11, 2020

In 2020, months seem to feel like years. Amid rapid change, adaptation is essential, and cyber threats are no exception to this rule. Technology can solve complex problems, but it can also be destabilizing. We think about this paradox regularly as artificial intelligence (AI) and machine learning gain prevalence in our field. Will these technologies drive better outcomes and improve the efficiency of our cyber defense workforce, or will they introduce more risk into our environment?

Businesses are having to deal with two crises simultaneously—the impact of a global recession and the acceleration of malicious cyber activity. With hundreds of thousands—often even millions—of data points streaming into enterprises on a daily basis, security operations center (SOC) directors need a way to reduce the burden on human analysts. AI abstracts the complexity of cyber defense such that less skilled individuals are capable of investigating highly sophisticated scenarios and executing at scale.

Machine learning enables security professionals to keep pace with the scale and complexity of data in many important ways. AI is a sophisticated analytics capability that, once trained, can identify malicious situations similar to previously identified threats. However, tomorrow’s cyber-attack might be entirely new, flying under the radar of even the best models. We need human intuition and intellect to recognize new attack methods and differentiate them from benign activity.

Let’s examine why AI-driven human-machine teaming is a differentiator for security operations professionals.

How AI is Deployed

Machine learning is already in wide use—it has become a critical part of threat detection. But an AI model’s success is highly dependent upon the quality of available inputs. If machine learning isn’t analyzing the right data, there’s no magic algorithm that can produce a valuable output to accurately assess advanced threats.

Machine learning processes data in bulk and presents security operations teams with actionable intelligence, freeing analysts from the burden of combing through massive data sets.

For instance, AI can help security teams conduct triage and prioritize potential threats. Without proper triage, low-impact events waste time and distract teams from more substantial threats. AI can help analysts identify the threats that matter most and rank them properly. This automated triage is critical because the longer high-priority threats go unaddressed, the more damage they can inflict.

There are many compelling aspects of AI, but it’s not a cybersecurity silver bullet. Just as AI is driving innovation in the field, a few sophisticated attackers have engaged in adversarial AI: tricking machine learning models through malicious inputs or poisoning their training sets. Most of today’s AI models are fragile because the field has traditionally focused on problems where no adversary was incentivized to make the model fail. Cybersecurity defense, by contrast, is a field with an adversary whose objective is to evade detection capabilities, including the latest AI-based solutions. McAfee is studying adversarial AI to make our models more resilient.

Human-Machine Teaming

With more automation and new high-fidelity data, the SOC can focus on complex issues that require human intuition and insight, increasing a security team’s strategic abilities. With McAfee MVISION Insights, we’re turning the concept into a reality.

McAfee MVISION Insights, a key and unique component of the MVISION Endpoint Security platform, enables security analysts to significantly increase the proactive security posture of the organization’s countermeasures while reducing the amount of time that the SOC must spend to accomplish this goal.

We architected MVISION Insights from the ground up to operate on a Human-Machine AI teaming model. Effective analytic models prioritize potential threats by applying algorithms that alert teams to the high-impact campaigns they need to be aware of and provide prescriptive guidance on how to defend the organization.

This is a tremendous benefit to threat hunters who operate in environments where speed and precision in identifying the things that really matter make all the difference.

MVISION Insights does this by analyzing threat telemetry from over a billion sensors, both globally and within an organization, along with the threat research developed by McAfee’s world-leading Advanced Threat Research team. Additionally, metadata describing an enterprise’s security posture enables Insights to deliver a custom recommendation on which products and configurations are needed to defend against specific, high-impact, in-the-wild threats.

In addition to these core capabilities, McAfee will be able to build new modules on top of the Insights foundation. This is possible because we’ve developed Insights as a platform that allows easy integration of new capabilities. That means that as we identify the next generation of AI and data science technologies, we can deploy those features without requiring a customer to deploy new products.

Gain hands-on experience with this distinct proactive endpoint security capability, which delivers actionable intelligence before an attack occurs. Check out MVISION Insights Preview on McAfee.com to see the top ten threat campaigns.


About the Author

Steve Grobman

Steve Grobman is senior vice president and chief technology officer at McAfee. In this role, he sets the technical strategy and direction to create technologies that protect smart, connected computing devices and infrastructure worldwide. He leads McAfee’s development of next-generation cyberdefense and data science technologies, threat and vulnerability research, and internal CISO and IT organizations. ...


Categories: Security Operations
