September 27, 2022

Shankar Chandrasekhar is the CTO of Azure Palo Alto Networks.

Imagine you own a casino. Safety is obviously a primary concern, and there are many areas to cover. Physical access control is paramount: you would probably place guards or bouncers at every door to make sure no dangerous or disruptive people enter the premises and to quickly remove unruly visitors. There are also threats to digital security, particularly financial ones: since large amounts of currency move between bank accounts and credit cards to and from the casino every day (fun fact: casinos are considered legal financial institutions), the digital systems that control these processes must be well reinforced and carefully monitored. And then there are casino-specific security issues: the gaming floor can be vulnerable to people trying to cheat, count cards, run Ocean's Eleven-style schemes, or otherwise disrupt the lawful flow of the game. With hundreds or even thousands of different games and bets going on at the same time, especially on weekend nights or nights when there's a big prize fight, it takes a lot of eyes to watch the game floor to make sure everything stays on the up-and-up.

These distinct areas of security vulnerability all need consistent attention and robust data collection that captures the behaviors, digital and in-person, of all casino visitors, in order to detect and mitigate threats before they materialize into dangerous or costly security breaches. But hiring separate security experts (for gaming, financial transactions and access control) can mean that many people will literally and figuratively step on each other's toes. So you might prefer to consolidate all these security areas under one umbrella, but how can you do that with sufficient precision and control?

The Specialization vs. Integration Dilemma

The question facing this hypothetical casino owner, whether it's better to have specialists or to consolidate operations under one umbrella, is particularly relevant to the state of enterprise security operations center (SOC) services today. Gone are the days when a SOC administrator would bring in multiple security products and integrate them into their own system, under the assumption that no one could know a particular product's telemetry better than that product's vendor. In today's enterprise security landscape, it's considered very "old school" to cobble together a system from a number of different products and then use your SOC as a service desk with a few security analysts who write reports and initiate escalation when needed.

The importance of an intelligent data foundation

In the face of today's sophisticated cyber security threats, it is critical that companies not only have the ability to gather extensive telemetry, but also consolidate it and use this data foundation to power advanced analytics that produce actionable security outcomes.

The data foundation for this platform should draw on infrastructure telemetry, threat intelligence and attack surface analysis. Where the data foundation is intelligent and carries the right indicators, it becomes much easier to speed up response and overcome most threats, because of the diverse, operational intelligence it yields. It is important that we collect, enrich and stitch together all telemetry from all tools and map it to the MITRE ATT&CK framework. Once mapped, the next generation of AI/machine learning tools (now generally managed as a single service) can discover the range of attackers probing and breaking into your organization.

The New Wave of SOC Solutions

There are many advantages to AI/ML-powered SOCs over legacy solutions, including the ability to detect and neutralize an almost unlimited range of threats (malware, phishing, password attacks, SQL injection, insider threats, etc.) almost instantaneously, based on the ability to learn and recognize typical behaviors within the system and detect any unusual variations. For example, if an authenticated and accredited user logs into the system a hundred times in one morning, legacy systems may not flag anything; after all, this is an authorized user. However, a system built to recognize patterns of behavior and zero in on variations can quickly investigate the incident and, when necessary, expedite a response.
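To make the two preceding ideas concrete (stitching telemetry from several tools into one schema tagged with MITRE ATT&CK technique IDs, and flagging a user whose successful logins far exceed their own baseline), here is an added Python example. It is not code from the article or from Palo Alto Networks. The log formats, host names, user names, IP addresses and baseline counts are all constructed; the mapping of successful logins to T1078 (Valid Accounts) and failures to T1110 (Brute Force) is a deliberate simplification that only marks candidate techniques for an analyst to review.

```python
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry in two hypothetical tool formats (not real product formats).
VPN_LOG = """\
2022-09-27T08:01:12Z vpn-gw01 LOGIN user=alice src=203.0.113.5 result=success
2022-09-27T08:02:40Z vpn-gw01 LOGIN user=bob src=198.51.100.7 result=success
2022-09-27T08:03:05Z vpn-gw01 LOGIN user=carol src=192.0.2.9 result=failure
2022-09-27T08:03:20Z vpn-gw01 LOGIN user=carol src=192.0.2.9 result=failure
"""

def build_idp_records():
    """Constructed identity-provider events as JSON lines: alice starts 100 sessions
    in one morning (every two minutes from 08:00), bob starts one."""
    start = datetime(2022, 9, 27, 8, 0, tzinfo=timezone.utc)
    recs = []
    for i in range(100):
        ts = (start + timedelta(minutes=2 * i)).isoformat().replace("+00:00", "Z")
        recs.append({"ts": ts, "event": "user.session.start", "actor": "alice",
                     "ip": "203.0.113.5", "outcome": "SUCCESS"})
    recs.append({"ts": "2022-09-27T09:15:00Z", "event": "user.session.start",
                 "actor": "bob", "ip": "198.51.100.7", "outcome": "SUCCESS"})
    return "\n".join(json.dumps(r) for r in recs)

# Constructed per-user history: successful logins seen in each of the last five morning windows.
BASELINES = {"alice": [2, 3, 2, 4, 3], "bob": [1, 2, 1, 2, 1], "carol": [1, 1, 2, 1, 1]}

VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) LOGIN user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_vpn(text):
    """Normalize the key=value VPN format into the common event schema."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "user": m["user"], "src": m["src"],
                           "success": m["result"] == "success", "source": "vpn"})
    return events

def parse_idp(text):
    """Normalize the JSON-lines IdP format into the same common event schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        if r.get("event") == "user.session.start":
            events.append({"ts": parse_ts(r["ts"]), "user": r["actor"], "src": r["ip"],
                           "success": r["outcome"] == "SUCCESS", "source": "idp"})
    return events

def tag_attack(event):
    """Enrich an event with a candidate ATT&CK technique ID. This is a simplification:
    a success is a possible use of a valid account (T1078), a failure a possible
    brute-force attempt (T1110); the tag guides triage, it is not a verdict."""
    event = dict(event)
    event["technique"] = "T1078" if event["success"] else "T1110"
    return event

def stitch(*event_lists):
    """Merge normalized events from every tool into one time-ordered, tagged stream."""
    return sorted((tag_attack(e) for lst in event_lists for e in lst), key=lambda e: e["ts"])

def detect_login_bursts(events, baselines, window_start, window_hours=4,
                        min_count=10, z_threshold=3.0):
    """Flag users whose successful logins in the window sit far above their own history.
    The z-score is against the user's baseline, so an account that normally logs in
    twice a morning is judged differently from a service account that logs in fifty times."""
    end = window_start + timedelta(hours=window_hours)
    counts = defaultdict(int)
    for e in events:
        if e["success"] and window_start <= e["ts"] < end:
            counts[e["user"]] += 1
    findings = {}
    for user, count in counts.items():
        history = baselines.get(user, [])
        if count < min_count or len(history) < 2:
            continue  # too little activity, or no baseline to compare against
        mean = statistics.mean(history)
        spread = max(statistics.stdev(history), 1.0)  # floor avoids a zero divisor for flat history
        z = (count - mean) / spread
        if z >= z_threshold:
            findings[user] = {"count": count, "baseline_mean": mean, "z": round(z, 1),
                              "techniques": sorted({e["technique"] for e in events if e["user"] == user})}
    return findings

def run_demo():
    events = stitch(parse_vpn(VPN_LOG), parse_idp(build_idp_records()))
    window = datetime(2022, 9, 27, 8, 0, tzinfo=timezone.utc)
    return events, detect_login_bursts(events, BASELINES, window)

if __name__ == "__main__":
    events, findings = run_demo()
    print(f"{len(events)} normalized events")
    for user, f in findings.items():
        print(f"ALERT user={user} logins={f['count']} baseline={f['baseline_mean']:.1f} z={f['z']}")
```

On this constructed data, alice (101 successful logins against a baseline of about three) is flagged, while bob's two logins and carol's failed attempts are not; the per-user baseline is what lets the detector treat "authorized but unusual" as worth a look without alerting on every busy account.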

In addition, these new SOCs are "smart" enough to outsmart threats: they gather intelligence about attacks and vulnerabilities affecting systems worldwide and apply that knowledge to their own systems. For example, if a particular virus emerges in European markets at the start of the business day, by the time Americans log on, the threat will already have been identified and incident response and proactive security will be in place.

AI/ML-powered systems are also cost-effective: instead of relying on multiple disparate systems such as logging infrastructure, multiple SOCs and multiple threat intelligence subscriptions (each with its own overhead), customers can have these services consolidated as a package deal.

Protection against more sophisticated enemies

Today, our adversaries are much more sophisticated. If your SOC automation product lacks full visibility and your security telemetry isn't centralized in one place, you're stuck discovering only script-kiddie attacks, not those of your worst enemy.

The optimal data analysis system will help you not only identify the "right" dots in your data set, but also connect them together for a powerful response. Instead of a human glancing at thousands of indicators and responding (which reduces the effectiveness of mitigation efforts and worsens the organization's security posture), the end result should be an automated SOC capable of discovering and remediating vulnerabilities quickly and efficiently and of overcoming future threats. With a SOC based on ML and AI, built on a powerful and diverse data foundation, in casino parlance, the house always wins.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
