IoT, Machine Learning and AI in the Security Operations Center

A tsunami of security data from Internet of Things endpoints could break the will of SOC analysts. What is needed are better tools for analyzing that data, including machine learning. But AI and machine learning are not magic bullets. In this opinion piece, RSA Chief Technology Officer Dr. Zulfikar Ramzan presents a five-point plan for using analytics in the security operations center.

While William Shatner is famous for his portrayal of Captain James T. Kirk in Star Trek, he also played Commander Buck Murdock in the movie Airplane II. In a scene filled with trademark histrionics, Shatner’s Murdock unknowingly alludes to what life can be like as an analyst in the modern security operations center.

“We’ve all got our switches, lights, and knobs to deal with, Striker. I mean, down here there are literally hundreds and thousands of blinking, beeping, and flashing lights, blinking and beeping and flashing – they’re flashing and they’re beeping. I can’t stand it anymore! They’re blinking and beeping and flashing! Why doesn’t somebody pull the plug!”

Zulfikar Ramzan is the Chief Technology Officer at RSA


Murdock’s lament may soon become common. We’re moving into a world in which IoT devices are proliferating at an unsettling pace. Security teams find themselves deluged by a sea of noise while desperately searching for the tiniest sliver of meaningful signal. The tens of billions of IoT devices coming online over the next few years will easily overwhelm, if not entirely obliterate, the last vestiges of a SOC analyst’s sanity.

As the threat landscape continues to morph, what was considered an advanced threat a few years ago is mainstream today. Security analysts have long lamented that they lack visibility; the prevalence of IoT, however, might be a case of “be careful what you wish for.” Visibility is foundational for security, but the scope of threats makes analytics necessary to operationalize that visibility.

Analytical tools have always been in the arsenal of the advanced security operations center. But security analytics have gone from being a nicety to a necessity. To implement analytics techniques in the modern Security Operations Center with the deftness that is required in an IoT enabled world, you should leverage the following five-point plan:

Pre-process your data

Pre-process your data to extract the relevant metadata (timestamps, device and network identifiers, event types) so it can be indexed, searched and analyzed later. Failing to do so can turn your data lake into a data landfill. There is zero value in collecting voluminous data now only to find that you cannot readily analyze it when you need it. Don’t stockpile food only to have it spoil when you’re hungry.
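What pre-processing looks like in practice, as an added example written for this page (it is not RSA's or any product's pipeline): three raw events in different formats are reduced to one fixed-schema metadata record each, with the bulky raw line replaced by its hash so it can still be fetched from cold storage. The three log formats, field names and sample lines are constructed assumptions.

```python
"""Added example: turn raw, heterogeneous IoT telemetry into compact,
fixed-schema metadata that can be indexed and searched later.
Illustration code written for this page, not RSA's or any product's
pipeline; the three log formats and the field names are assumptions."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample input (not real telemetry): a syslog-style line from an
# IP camera, a JSON event from an MQTT broker and a CEF-style line from a
# gateway. The long payloads stand in for the bulk that makes raw retention
# expensive and slow to query.
RAW_EVENTS = [
    "<134>2024-03-01T08:15:02Z cam-07 rtsp: login failed user=admin "
    "src=10.0.4.23 reason=bad_password payload=" + "A" * 400,
    json.dumps({"ts": 1709280910, "device": "mqtt-broker-1",
                "topic": "sensors/hvac/3", "client_ip": "10.0.9.15",
                "event": "publish", "body": "x" * 800}),
    "CEF:0|Vendor|Gateway|1.0|100|outbound connection|5|src=10.0.4.23 "
    "dst=203.0.113.9 dpt=8443 dhost=update.example.net",
]

SYSLOG_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def _iso_utc(ts):
    """Normalise epoch seconds or an ISO-8601 string to ISO-8601 UTC."""
    if isinstance(ts, (int, float)):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00"))
            .astimezone(timezone.utc).isoformat())


def extract_metadata(raw):
    """Reduce one raw event to a small record with a fixed schema. The bulky
    raw line is replaced by its SHA-256 so the original can still be pulled
    from cold storage when an investigation needs it."""
    rec = {"raw_sha256": hashlib.sha256(raw.encode()).hexdigest(),
           "raw_len": len(raw)}
    if raw.startswith("{"):                      # JSON from the broker
        ev = json.loads(raw)
        rec.update(ts=_iso_utc(ev["ts"]), device=ev["device"],
                   event=ev["event"], src_ip=ev.get("client_ip"), dst_ip=None)
    elif raw.startswith("CEF:"):                 # CEF: 7 header fields, then extension
        hdr = raw.split("|", 7)
        kv = dict(KV_RE.findall(hdr[7]))
        rec.update(ts=None, device=hdr[2], event=hdr[5],  # this sample carries no timestamp
                   src_ip=kv.get("src"), dst_ip=kv.get("dst"))
    else:                                        # syslog with key=value pairs
        m = SYSLOG_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised event format: {raw[:40]!r}")
        kv = dict(KV_RE.findall(m["msg"]))
        rec.update(ts=_iso_utc(m["ts"]), device=m["host"],
                   event=re.split(r"\s+\w+=", m["msg"], maxsplit=1)[0],
                   src_ip=kv.get("src"), dst_ip=kv.get("dst"))
    return rec


def preprocess(lines):
    return [extract_metadata(line) for line in lines]


def search(records, **criteria):
    """Exact-match search over metadata fields, e.g. search(recs, src_ip=...)."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def sizes(lines, records):
    """(raw bytes, metadata bytes): what the lake would hold either way."""
    return (sum(len(l.encode()) for l in lines),
            len(json.dumps(records).encode()))


if __name__ == "__main__":
    recs = preprocess(RAW_EVENTS)
    for r in search(recs, src_ip="10.0.4.23"):
        print(r["device"], r["event"], r["dst_ip"])
    print("raw vs metadata bytes:", sizes(RAW_EVENTS, recs))
```

The point of the fixed schema is the last two functions: one search by source IP now spans the camera and the gateway even though their raw formats share nothing, and the metadata is a fraction of the raw volume. Note that the CEF sample carries no timestamp, so that record's `ts` is `None` rather than silently stamped with ingest time; a real pipeline should make that gap visible rather than paper over it.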

Group alerts around attack campaigns

Group alerts around attack campaigns to eliminate duplicated effort. Applied correctly, unsupervised machine learning techniques such as clustering help ensure that alerts that belong together are analyzed together.
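One way to do this, as an added example written for this page rather than a vendor's implementation: treat alerts as nodes, link any two that share an indicator, and take the connected components as candidate campaigns. The example also shows the "applied correctly" part: an indicator that almost every alert carries (here, a shared DNS resolver) would glue unrelated alerts into one cluster unless it is filtered out. The alerts, indicator values and the sharing threshold are constructed assumptions.

```python
"""Added example: group alerts into candidate campaigns by the indicators
they share. Illustration code written for this page, not a vendor feature;
it uses one simple unsupervised technique, connected components over a
graph of shared indicators, and the alerts are constructed sample data."""
from collections import Counter, defaultdict

# Constructed alerts. Each carries the indicators its detection extracted;
# None means that indicator type was not produced. Every alert also records
# the DNS resolver the device used, a deliberately common "hub" value that
# shows how one shared indicator can glue unrelated alerts together.
ALERTS = [
    {"id": "A1", "src_ip": "10.0.4.23", "sha256": None,     "domain": "update.example.net", "resolver": "10.0.0.53"},
    {"id": "A2", "src_ip": "10.0.4.23", "sha256": "3f1c9a", "domain": None,                 "resolver": "10.0.0.53"},
    {"id": "A3", "src_ip": "10.0.7.8",  "sha256": "3f1c9a", "domain": None,                 "resolver": "10.0.0.53"},
    {"id": "A4", "src_ip": "10.0.9.15", "sha256": None,     "domain": "cdn.example.org",    "resolver": "10.0.0.53"},
    {"id": "A5", "src_ip": "10.0.9.16", "sha256": None,     "domain": "cdn.example.org",    "resolver": "10.0.0.53"},
    {"id": "A6", "src_ip": "10.0.2.2",  "sha256": "aa55ee", "domain": None,                 "resolver": "10.0.0.53"},
]


def indicators(alert):
    """(type, value) pairs, skipping the alert id and absent indicators."""
    return {(k, v) for k, v in alert.items() if k != "id" and v is not None}


class DisjointSet:
    """Union-find over alert indexes; components become the clusters."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]   # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_alerts(alerts, max_share=3):
    """Return clusters of alert ids, largest first. Alerts are linked when
    they share an indicator; an indicator present in more than `max_share`
    alerts is treated as infrastructure noise and ignored (None disables
    the filter so the hub effect can be seen)."""
    freq = Counter(ind for a in alerts for ind in indicators(a))
    holders = defaultdict(list)                  # indicator -> alert indexes
    for i, a in enumerate(alerts):
        for ind in indicators(a):
            if max_share is None or freq[ind] <= max_share:
                holders[ind].append(i)
    ds = DisjointSet(len(alerts))
    for members in holders.values():
        for j in members[1:]:
            ds.union(members[0], j)
    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[ds.find(i)].append(a["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def linking_indicators(alerts, cluster_ids, max_share=3):
    """Why these alerts were grouped: indicators shared by two or more
    members, after the same noise filter cluster_alerts applies."""
    freq_all = Counter(ind for a in alerts for ind in indicators(a))
    members = [a for a in alerts if a["id"] in cluster_ids]
    freq = Counter(ind for a in members for ind in indicators(a))
    return sorted(ind for ind, n in freq.items()
                  if n >= 2 and (max_share is None or freq_all[ind] <= max_share))


if __name__ == "__main__":
    for group in cluster_alerts(ALERTS):
        print(group, linking_indicators(ALERTS, set(group)))
    print("without the noise filter:", cluster_alerts(ALERTS, max_share=None))
```

With the filter, the six alerts fall into a three-alert campaign (tied together by a source IP and a file hash), a two-alert campaign (a shared domain) and a singleton. With the filter disabled, the resolver address links everything into one useless cluster, which is the failure mode to watch for whenever a clustering feature is dominated by shared infrastructure.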

Pivot among different visibility points

Pivot among different visibility points from the network core, to the edge, to the cloud and beyond. The two most important goals of security teams are to fully scope incidents and identify root causes. Both goals require pivoting among your resources with analytical capabilities that navigate data from multiple sources. Not being able to pivot during an investigation is like trying to compete in Formula 1 with a car that lacks a steering wheel.
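The pivoting described above, as an added example written for this page (not a product feature): starting from one source IP, the investigation follows each newly discovered identifier (an internal IP, then a username) across network, endpoint and cloud telemetry, bounded by a time window and a hop limit. The three sources, their field names and the events are constructed assumptions; the mapping table exists because each visibility point names the same identifier differently.

```python
"""Added example: pivot on one identifier across network, endpoint and cloud
telemetry to scope an incident. Illustration code written for this page, not
a product feature; the three sources, their field names and the events are
constructed assumptions."""
from datetime import datetime, timedelta, timezone


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed telemetry. Each visibility point names the same real-world
# identifiers differently, which is the normal situation in a SOC.
NETWORK = [   # core/edge flow sensors
    {"ts": ts("2024-03-01T08:15:02"), "src_ip": "10.0.4.23", "dst_ip": "203.0.113.9", "dport": 8443},
    {"ts": ts("2024-03-01T08:16:40"), "src_ip": "10.0.4.23", "dst_ip": "10.0.7.8", "dport": 445},
]
ENDPOINT = [  # EDR agents
    {"ts": ts("2024-03-01T08:16:45"), "host": "fs-01", "ip": "10.0.7.8", "user": "j.doe", "proc": "rundll32.exe"},
    {"ts": ts("2024-03-01T10:02:00"), "host": "ws-44", "ip": "10.0.5.5", "user": "m.roe", "proc": "outlook.exe"},
]
CLOUD = [     # cloud audit trail
    {"ts": ts("2024-03-01T08:20:11"), "principal": "j.doe", "source_ip": "198.51.100.7", "action": "ListBuckets"},
    {"ts": ts("2024-03-01T09:55:00"), "principal": "m.roe", "source_ip": "198.51.100.8", "action": "ConsoleLogin"},
]

# Which fields in each source carry which identifier type.
SOURCES = {
    "network":  (NETWORK,  {"ip": ("src_ip", "dst_ip")}),
    "endpoint": (ENDPOINT, {"ip": ("ip",), "user": ("user",), "host": ("host",)}),
    "cloud":    (CLOUD,    {"ip": ("source_ip",), "user": ("principal",)}),
}


def pivot(kind, value, start, end):
    """Events from every source where an identifier of type `kind` equals
    `value` within [start, end]. Returns (source, index, event) triples."""
    hits = []
    for name, (events, fmap) in SOURCES.items():
        for i, ev in enumerate(events):
            if start <= ev["ts"] <= end and any(ev.get(f) == value for f in fmap.get(kind, ())):
                hits.append((name, i, ev))
    return hits


def scope_incident(seed_kind, seed_value, start, window=timedelta(hours=1), max_hops=3):
    """Breadth-first pivoting: each hit contributes its other identifiers as
    the next pivots. The window and hop limit keep one over-shared identifier
    (a proxy IP, a service account) from pulling in the whole estate."""
    end = start + window
    seen = {(seed_kind, seed_value)}
    frontier = [(seed_kind, seed_value)]
    touched, touched_keys = [], set()
    for _ in range(max_hops):
        nxt = []
        for kind, value in frontier:
            for name, i, ev in pivot(kind, value, start, end):
                if (name, i) in touched_keys:
                    continue
                touched_keys.add((name, i))
                touched.append((name, ev))
                for k, fields in SOURCES[name][1].items():
                    for f in fields:
                        v = ev.get(f)
                        if v is not None and (k, v) not in seen:
                            seen.add((k, v))
                            nxt.append((k, v))
        if not nxt:
            break
        frontier = nxt
    return touched, seen


if __name__ == "__main__":
    events, ids = scope_incident("ip", "10.0.4.23", ts("2024-03-01T08:15:00"))
    for name, ev in events:
        print(name, ev)
    print("identifiers in scope:", sorted(ids))
```

Run from the camera's address, the first hop finds two flows, the second follows the SMB destination onto the file server's EDR record and picks up the username, and the third follows that username into the cloud audit trail, where a `ListBuckets` call from an external address appears. The unrelated `m.roe` activity later that morning never enters scope: it shares no identifier with the chain and falls outside the window. That window is a genuine trade-off; widen it and a long-dwelling intrusion becomes visible, but so does every benign reuse of a shared identifier.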

Prioritize incidents using a risk orientation

Prioritize incidents using a risk orientation. The term risk is often misused; here it means the likelihood that the incident is a real issue (rather than a false alarm) combined with its probable impact (e.g., loss to the organization). Artificial intelligence techniques can estimate the likelihood that a given incident represents malice. For example, user and entity behavioral analytics (UEBA) typically assigns a score to an incident through a combination of supervised and unsupervised machine learning techniques. Still, likelihood is only one component of risk; impact must be determined as well. An attack on a production server or a system holding sensitive data has far greater potential impact than one on a system whose only content is a PDF of the cafeteria lunch menu. Operational downtime or fines for violating a compliance regime have entirely different implications than whether pasta is served tomorrow. Integrated Risk Management systems, which have evolved from traditional Governance, Risk, and Compliance (GRC) systems, often already hold the business context needed to understand impact; bringing that data into the SOC leads to effective, business-driven security incident management.

Leverage SOAR technologies

Leverage security orchestration, automation, and response (SOAR) technologies. Security teams should be engaged in meaningful tasks rather than buried in busywork that can easily be automated; your top analysts shouldn’t be cutting and pasting URLs. SOAR technologies apply AI techniques to engage with analysts, for example through chatbots based on natural language processing, and can also use AI to help generate and execute response playbooks.
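The last two points together, as an added example written for this page (not RSA's products): risk is computed as likelihood times impact, where likelihood is a UEBA-style score and impact comes from an asset inventory of the kind a GRC or Integrated Risk Management system holds; a playbook then does the cut-and-paste work (extracting, defanging and checking URLs) and routes each incident by its risk tier. The asset inventory, weights, likelihood scores, local threat list and routing thresholds are constructed assumptions.

```python
"""Added example: rank incidents by risk = likelihood x impact, with impact
taken from business context of the kind a GRC/IRM system holds, then let a
playbook automate the routine handling. Illustration code written for this
page, not RSA's products; the asset inventory, weights, likelihood scores
and the local threat list are constructed assumptions."""
import re
from urllib.parse import urlparse

# Business context (constructed): what the system is for, what it holds, and
# which compliance regimes would fine the organisation if it were breached.
ASSETS = {
    "db-cust-01": {"role": "production",  "data": "PII",      "compliance": ["GDPR"]},
    "fs-01":      {"role": "production",  "data": "internal", "compliance": []},
    "kiosk-cafe": {"role": "convenience", "data": "public",   "compliance": []},
}
ROLE_WEIGHT = {"production": 1.0, "test": 0.4, "convenience": 0.1}
DATA_WEIGHT = {"PII": 1.0, "internal": 0.5, "public": 0.1}

# Constructed incidents. `likelihood` is the kind of 0..1 score a UEBA engine
# assigns; `text` is the free-form detail an analyst would otherwise read.
INCIDENTS = [
    {"id": "I1", "asset": "kiosk-cafe", "likelihood": 0.95,
     "text": "new unsigned binary lunch_menu.pdf.exe executed"},
    {"id": "I2", "asset": "db-cust-01", "likelihood": 0.40,
     "text": "outbound beacon to http://update.example.net/x every 60s"},
    {"id": "I3", "asset": "fs-01", "likelihood": 0.50,
     "text": "rundll32 spawned from an SMB session"},
]

KNOWN_BAD_DOMAINS = {"update.example.net"}   # constructed local threat list
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def impact(asset_id):
    """0..1 impact proxy: system criticality, data sensitivity, and a bump for
    each compliance regime in scope. Unknown assets get a middling default."""
    a = ASSETS.get(asset_id, {"role": "test", "data": "internal", "compliance": []})
    base = 0.5 * ROLE_WEIGHT[a["role"]] + 0.5 * DATA_WEIGHT[a["data"]]
    return min(1.0, base + 0.1 * len(a["compliance"]))


def defang(url):
    return url.replace("http", "hxxp").replace(".", "[.]")


def enrich_urls(text):
    """The cut-and-paste work: pull URLs out, defang them, check the list."""
    out = []
    for u in URL_RE.findall(text):
        host = urlparse(u).hostname or ""
        out.append({"url": defang(u), "domain": host, "known_bad": host in KNOWN_BAD_DOMAINS})
    return out


def playbook(incident):
    """Enrich, score, and route. Every branch records its rationale so an
    automated decision, especially an auto-close, can be audited later."""
    iocs = enrich_urls(incident["text"])
    likelihood = incident["likelihood"]
    rationale = [f"ueba likelihood {likelihood}"]
    if any(i["known_bad"] for i in iocs):
        likelihood = min(1.0, likelihood + 0.3)   # evidence of malice raises likelihood, not impact
        rationale.append("url on local threat list")
    imp = impact(incident["asset"])
    score = round(likelihood * imp, 3)
    rationale.append(f"impact {imp} for {incident['asset']}")
    if score >= 0.5:
        action = "page_oncall"
    elif score >= 0.2:
        action = "open_ticket"
    else:
        action = "auto_close"
    return {"id": incident["id"], "risk": score, "action": action,
            "iocs": iocs, "rationale": rationale}


def triage(incidents):
    """Run the playbook on every incident and return them highest risk first."""
    return sorted((playbook(i) for i in incidents), key=lambda r: -r["risk"])


if __name__ == "__main__":
    for r in triage(INCIDENTS):
        print(r["id"], r["risk"], r["action"], [i["url"] for i in r["iocs"]], r["rationale"])
```

The ordering is the point: the kiosk incident has the highest likelihood of being real and still lands last, because nothing of consequence sits behind it, while the customer database beacon starts with a modest UEBA score and rises to the top once its URL matches the threat list and the asset's PII and GDPR exposure are factored in. Two design choices worth keeping in a real playbook: threat-list hits adjust likelihood rather than impact (they are evidence about the event, not about the asset), and every decision carries its rationale, since an automated `auto_close` without an audit trail is how real incidents get buried.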

Ultimately, the ubiquity of IoT devices can create a coruscating display of “blinking and beeping and flashing” lights. Don’t be blinded into pulling the plug in exasperation. Use analytics to recognize that these lights form meaningful patterns that, when followed, let you mine for truth and protect your organization on its quest toward a brighter digital future.

One Comment

  1. An excellent piece by Zulfi. An even more formidable challenge when it comes to industrial control systems for critical infrastructure, something we address at