Next gen SIEM: Unleashing the power of AI in cybersecurity
AI has been in the news over the past several months, but not everyone is welcoming it excitedly. Many renowned tech personalities have expressed their concerns over the risks associated with it and there are valid fears about artificial intelligence doing more harm than good. For example, there have been reports of AI helping cybercriminals produce less detectable malware.
It is reassuring to know that cybersecurity is among the early adopters in harnessing the benefits of artificial intelligence. Cybersecurity firms have been developing ways to integrate AI into their detection, mitigation, and prevention capabilities. Next gen security information and event management (SIEM), in particular, is gaining traction as organizations try to keep up with the growing aggressiveness and complexity of cyber threats.
SIEM has been around for nearly two decades. Introduced in 2005, this security solution brings together the advantages of log and event management systems, which used to be disparate. It became the foundation of most security processes in security operations centers (SOCs). It allowed organizations to boost their threat monitoring and attack handling capabilities by taking advantage of the vast amounts of security-related data obtained at various points.
However, as the threat landscape changed, SIEM no longer provides the benefits it has been associated with. It has been struck by log overload and scalability issues, as networks expand exponentially and IT infrastructures move towards cloud and hybrid setups. The growing complexity of network deployment and configuration also makes it difficult to keep up with advanced and persistent threats. Additionally, traditional SIEM is ineffective against zero-day attacks because of its rule and threat signature dependence, insufficient contextual awareness, and lack of real-time incident response.
Next gen SIEM addresses these weaknesses with the help of new technologies and strategies: behavioral analytics, contextual intelligence and threat intelligence integration, real-time monitoring and incident response, automation, better scalability and flexibility, integration with other advanced cybersecurity technologies, and, most notably, artificial intelligence and machine learning.
Artificial intelligence is one of the highlight upgrades in next generation SIEM. It brings with it capabilities that target crucial weaknesses, especially in view of the rapid generation and evolution of attacks. Cybercriminals nowadays can quickly generate malware and scan for vulnerabilities with the help of new technologies, AI in particular. It only makes sense to leverage AI to optimize cyber defenses.
The dependence on predefined rules and threat identification (signatures) has been one of the biggest weaknesses of conventional SIEM. The system fails to detect and prevent zero-day attacks because it does not have information about the attacks. In some cases, the threat information arrives belatedly, which means the damage has already been inflicted.
Artificial intelligence is used in a number of security technologies such as user and entity behavior analytics (UEBA), next generation antivirus (NGAV), and extended detection and response (XDR). These advanced solutions go beyond threat identification and detection rules. They examine other factors to spot anomalies or deviations from activity patterns that are deemed regular or safe.
UEBA, for example, uses machine learning techniques such as Bayesian networks, supervised and unsupervised learning, reinforcement learning, and deep learning to become more effective at detecting threats, including those posed by insiders. NGAV employs machine learning models that perform string analysis, N-gram analysis, entropy analysis, API call analysis, binary content visualization, and control flow graph analysis to detect threats more effectively, especially unknown ones.
In XDR, artificial intelligence is used to analyze threat intelligence data together with telemetry from IT systems, conduct an in-depth analysis of dynamic data, perform real-time queries and run training models based on raw and unstructured data, and employ classifiers to anticipate attacks and determine the most appropriate response.
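The contrast the last few paragraphs draw, between a rule that only matches known-bad indicators and a behavioral model that compares each user against their own history, is easier to see in code. The following is an added example, not code from the article or from any SIEM or UEBA product: it builds a per-user baseline (hosts seen, hour band of activity) from constructed login events, scores new events by their deviation from that baseline, and shows a first login from an unlisted host at 03:12 being caught by the behavioral rule while the signature rule, which has never seen that host, stays silent. All hosts, users and timestamps are constructed; the scoring weights and threshold are assumptions chosen for illustration.

```python
"""Behavioural baseline (UEBA-style) beside a signature rule over constructed
login events. Added example; not code from the article or any SIEM product."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _constructed_baseline():
    # Two users logging in from their usual hosts during business hours for
    # ten working days: (iso_timestamp, user, source_host). Constructed data.
    events = []
    monday = datetime(2024, 3, 4)
    for day in range(10):
        d = monday + timedelta(days=day + (2 if day >= 5 else 0))  # skip the weekend
        for hour in (8, 11, 14, 17):
            events.append(((d + timedelta(hours=hour)).isoformat(), "alice", "10.0.0.5"))
            events.append(((d + timedelta(hours=hour, minutes=30)).isoformat(), "bob", "10.0.0.9"))
    return events


BASELINE_EVENTS = _constructed_baseline()

# Constructed events to score against that baseline.
NEW_EVENTS = [
    ("2024-03-18T09:02:00", "alice", "10.0.0.5"),       # usual host, usual hours
    ("2024-03-18T03:12:00", "alice", "198.51.100.23"),  # never-seen host at 03:12
    ("2024-03-18T14:05:00", "bob", "203.0.113.77"),     # listed host, usual hour
]

KNOWN_BAD_HOSTS = {"203.0.113.77"}  # constructed signature/IoC list


def signature_rule(events):
    """Classic SIEM rule: match only against a list of known-bad sources."""
    return [e for e in events if e[2] in KNOWN_BAD_HOSTS]


def build_baseline(events):
    """Per-user profile: hosts seen and the hours at which activity was observed."""
    profiles = defaultdict(lambda: {"hosts": Counter(), "hours": Counter()})
    for ts, user, host in events:
        hour = datetime.fromisoformat(ts).hour
        profiles[user]["hosts"][host] += 1
        profiles[user]["hours"][hour] += 1
    return dict(profiles)


def score_event(profile, ts, host):
    """Additive anomaly score with human-readable reasons (weights are assumptions)."""
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0, []
    if profile["hosts"][host] == 0:          # Counter returns 0 for unseen keys
        score += 3
        reasons.append(f"first login from {host}")
    lo, hi = min(profile["hours"]), max(profile["hours"])
    if not (lo - 1 <= hour <= hi + 1):       # one hour of slack either side of the usual band
        score += 2
        reasons.append(f"login at {hour:02d}:00, outside usual band {lo:02d}-{hi:02d}")
    return score, reasons


def behavioural_rule(baseline, events, threshold=4):
    """Flag events whose deviation from the user's own baseline crosses the threshold."""
    flagged = []
    for ts, user, host in events:
        if user not in baseline:
            flagged.append({"user": user, "host": host, "score": 5, "reasons": ["no baseline for user"]})
            continue
        score, reasons = score_event(baseline[user], ts, host)
        if score >= threshold:
            flagged.append({"user": user, "host": host, "score": score, "reasons": reasons})
    return flagged


def combined_alerts(events, baseline):
    """What a next gen SIEM surfaces: signature hits plus behavioural anomalies, keyed by (user, host)."""
    hits = {(e[1], e[2]): "signature" for e in signature_rule(events)}
    for f in behavioural_rule(baseline, events):
        hits[(f["user"], f["host"])] = "behavioural"
    return sorted(hits.items())


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    print("signature only:  ", signature_rule(NEW_EVENTS))
    print("behavioural only:", behavioural_rule(base, NEW_EVENTS))
    print("combined:        ", combined_alerts(NEW_EVENTS, base))
```

Note that the two rules catch different events: the listed host is found by the signature even though bob's login was at a normal hour, while the unlisted host at 03:12 is found only by the baseline comparison. A real UEBA model replaces the hand-picked weights with learned ones and adds more dimensions (volume, geography, peer group), but the shape of the decision is the same.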
Contextual awareness is not completely absent in traditional SIEM, as it is possible to correlate security events and logs from various sources. However, doing so can be a tedious task when the SIEM does not present everything readily or provide the tools for quick comparison and analysis. With next generation SIEM, it is significantly easier to examine context, with AI quickly running advanced analytics, user profiling, contextual enrichment, threat intelligence integration, Big Data analytics, and endpoint detection and response (EDR) integration.
One of the biggest benefits of contextual awareness is the considerable reduction of false positives. Often, SIEM incorrectly flags activities as threats because of incorrect, mostly too conservative, detection settings. Artificial intelligence helps resolve this drawback by correlating security data from various sources and making sure that only genuine threats are flagged. Similarly, it addresses false negatives, where a genuine threat is misidentified as harmless.
High numbers of false positives may appear harmless, but they can prevent SOCs from addressing more urgent threats. A flood of false positive security alerts makes it difficult to respond to critical security incidents in a timely manner. They can also cause alert fatigue, which results in missed threats and overworked cybersecurity teams.
One of the goals of security information and event management, when it was developed, was to accelerate response to threats. Unfortunately, with the immense volumes of data generated nowadays, it is extremely difficult to promptly address threats, let alone attain real-time response. Examining all security-relevant data is a highly challenging task, especially for networks that have a multitude of connected devices. Each device generates data that adds to the pool of security information cybersecurity teams have to evaluate.
AI enables a form of intelligent alert triage, wherein alerts are examined for their severity and impact to make sure that security teams can focus their efforts on the most urgent and critical incidents. AI-powered next gen SIEM makes it possible to contextualize data and prioritize it accordingly, significantly cutting down the amount of security data that requires human evaluation. It ensures that the most critical alerts are addressed first, before they grow into worse problems.
Moreover, artificial intelligence enables automation and orchestration. Together with other security solutions such as threat intelligence platforms and centralized incident management solutions, AI-driven SIEM can automatically respond to certain alerts and bring only the more complex threat alerts to human cybersecurity analysts.
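The false-positive reduction, contextual enrichment, alert triage and automated handling described in the preceding paragraphs are all stages of one pipeline. The following is an added example, not code from the article or from any SIEM or SOAR product, showing that pipeline over a handful of constructed alerts from three sensors (IDS, EDR, firewall): scans from an authorised vulnerability scanner are suppressed as expected noise, each alert is enriched with asset criticality and a threat-intelligence lookup, alerts on the same host are correlated into one incident, and each incident is scored and routed to an analyst, held for more enrichment, or auto-closed. The hosts, IPs, criticality values, weights and thresholds are all constructed assumptions for illustration.

```python
"""Contextual enrichment, correlation and alert triage over constructed sensor
alerts. Added example; not code from the article or any SIEM product."""
from collections import defaultdict

# Constructed raw alerts as a SIEM would ingest them from several sensors.
RAW_ALERTS = [
    {"id": 1, "source": "ids", "host": "db-prod-01", "type": "port_scan", "src_ip": "10.0.5.20"},
    {"id": 2, "source": "ids", "host": "web-dev-03", "type": "port_scan", "src_ip": "10.0.5.20"},
    {"id": 3, "source": "edr", "host": "db-prod-01", "type": "suspicious_exec"},
    {"id": 4, "source": "firewall", "host": "db-prod-01", "type": "outbound_conn", "dst_ip": "198.51.100.23"},
    {"id": 5, "source": "edr", "host": "hr-laptop-7", "type": "suspicious_exec"},
    {"id": 6, "source": "firewall", "host": "web-dev-03", "type": "outbound_conn", "dst_ip": "203.0.113.10"},
]

# Constructed context the SIEM joins against: asset inventory, the authorised
# vulnerability scanner, and a threat-intelligence indicator feed.
ASSET_CRITICALITY = {"db-prod-01": 3, "hr-laptop-7": 2, "web-dev-03": 1}
AUTHORIZED_SCANNERS = {"10.0.5.20"}
THREAT_INTEL_IPS = {"198.51.100.23"}

# Assumed scoring weights and routing thresholds.
TYPE_WEIGHT = {"suspicious_exec": 3, "outbound_conn": 1, "port_scan": 1}
ESCALATE_AT, HOLD_AT = 8, 4


def suppress_known_benign(alerts):
    """Context-based false-positive reduction: scans from the authorised scanner are expected."""
    kept, suppressed = [], []
    for a in alerts:
        if a["type"] == "port_scan" and a.get("src_ip") in AUTHORIZED_SCANNERS:
            suppressed.append(a["id"])
        else:
            kept.append(a)
    return kept, suppressed


def enrich(alert):
    """Attach asset criticality and a threat-intel match flag to one alert."""
    a = dict(alert)
    a["criticality"] = ASSET_CRITICALITY.get(a["host"], 1)
    a["ti_match"] = a.get("dst_ip") in THREAT_INTEL_IPS or a.get("src_ip") in THREAT_INTEL_IPS
    return a


def correlate(alerts):
    """Group alerts by host so corroboration across sensors becomes a single incident."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = []
    for host, group in by_host.items():
        incidents.append({
            "host": host,
            "alert_ids": [a["id"] for a in group],
            "sources": sorted({a["source"] for a in group}),
            "types": sorted({a["type"] for a in group}),
            "criticality": max(a["criticality"] for a in group),
            "ti_match": any(a["ti_match"] for a in group),
        })
    return incidents


def score(incident):
    """Additive priority: alert weights, multi-sensor corroboration, TI hit, asset value."""
    s = sum(TYPE_WEIGHT[t] for t in incident["types"])
    s += 2 * (len(incident["sources"]) - 1)   # each extra independent sensor adds confidence
    s += 4 if incident["ti_match"] else 0
    s += 2 * incident["criticality"]
    return s


def triage(raw_alerts):
    """Full pipeline: suppress, enrich, correlate, score, then decide the handling action."""
    kept, suppressed = suppress_known_benign(raw_alerts)
    incidents = correlate([enrich(a) for a in kept])
    for inc in incidents:
        inc["score"] = score(inc)
        if inc["score"] >= ESCALATE_AT:
            inc["action"] = "escalate to analyst"
        elif inc["score"] >= HOLD_AT:
            inc["action"] = "auto-enrich and hold"
        else:
            inc["action"] = "auto-close with note"
    incidents.sort(key=lambda i: i["score"], reverse=True)
    return {"queue": incidents, "suppressed": suppressed}


if __name__ == "__main__":
    result = triage(RAW_ALERTS)
    print("suppressed alert ids:", result["suppressed"])
    for inc in result["queue"]:
        print(f'{inc["score"]:>3}  {inc["host"]:<12} {inc["sources"]}  -> {inc["action"]}')
```

On this input six raw alerts become three incidents and only one reaches a human: the production database host with an EDR detection corroborated by an outbound connection to a listed indicator. The two scanner alerts never enter the queue at all, which is the kind of context-driven suppression that removes a large share of the noise that causes alert fatigue.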
Next generation SIEM offers significantly better threat detection and prevention capabilities with its advanced threat detection functions, behavioral analysis, security information correlation, and real-time response functions. It is not a perfect cybersecurity solution, but with the help of artificial intelligence, it can do more in response to the new challenges posed by the modern cyber threat landscape.
As the cliché goes, AI has its pros and cons. However, it is an inescapable reality everyone has to deal with. The best way to coexist with it is to make sure it is used for the right purposes, and one way to do this is to take advantage of AI in cybersecurity through next generation SIEM. It is one of the many ways to unleash the benefits of AI and respond to worsening cyber threats intelligently and efficiently.
Photo Credit: Photon photo/Shutterstock
Peter Davidson works as a senior business associate helping brands and start ups to make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on latest technologies and applications.