Cyber Defense eMagazine November 2019
Cyber Defense eMagazine November Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group
insights from the same reports include the fact that 90 ZB of data will be created on Internet of Things (IoT) devices, nearly 30% of all data will be consumed in real time, and almost half (49%) of data will be stored in public clouds, all by 2025. Furthermore, the increase in data, especially real-time data, correlates with the number of devices connected to private and public networks, which shows no sign of slowing down anytime soon. Next-generation cyber warriors will be dealing with volumes of real-time data never seen before, making it difficult to spot, assess, and act on future attackers. Attackers will likely attempt to disguise themselves and blend into the noise using AI and ML techniques to mask their malicious intent. The challenge for cybersecurity professionals and organizations is how to harness automation and build next-generation SOCs using AI and ML, which will be crucial for keeping up with the volume and velocity of cyber-related data created by more users and more machines.
The Alerting Nightmare Many SOCs Face
Millions of daily alerts: this is a normal day for a SOC manager, and it raises several challenges:
• Eliminating false positives in order to focus effort on prioritizing "real" alerts by severity and probability.
• Reviewing all alerts may be impossible.
• Many SOCs will ignore some alerts because they are considered low-level or have fired off too many false positives. Remember, however, that 10-15 low-level alerts, when combined and considered in light of their sequence or nature, could equal a high-severity alert that translates into a full compromise.
• It is common for SOCs to fall into the alert fatigue trap and not consider how adversaries operate. Like military operatives, they always attempt to fly below the radar, so they focus on exploiting the weaknesses they feel SOCs are least likely to be watching carefully.
What are some of the solutions to these challenges? Writing correlation and behavioral rules can help, but this has its own limitations: such rules are easy to evade if not written correctly, and writing them is complex and requires specialized skills that are in short supply within the cyber community right now. A better approach is to store profiles for users, workstations, servers, networking devices, etc., and use ML to generate anomalies against those profiles and to determine behavioral patterns in the form of classifications. This approach scales more easily and can address two major problems: the cybersecurity talent shortage and attacks that attempt to evade detection systems by hiding in the noise, as explained above.
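As an added illustration (not code from the article or from any product it describes), the following Python sketch builds per-user baseline profiles from constructed login events, scores new events for drift, applies the "has this happened before, and how often" check and the user-confirmation step that the next paragraph walks through, and escalates clusters of low-level alerts into one high-severity finding. The z-score threshold, the rule that each earlier occurrence halves the suspicion, and the `user_confirms` callback standing in for the AI bot are assumptions of this example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline of normal days for one user: (user, login_hour, megabytes_uploaded).
HISTORY = [("alice", 9, 12), ("alice", 10, 15), ("alice", 9, 11), ("alice", 11, 14),
           ("alice", 10, 13), ("alice", 9, 12), ("alice", 10, 16), ("alice", 11, 13)]

def build_profiles(events):
    """Per-entity baseline profile: (mean, population std-dev) of each feature."""
    per_user = defaultdict(lambda: defaultdict(list))
    for user, hour, mb in events:
        per_user[user]["hour"].append(hour)
        per_user[user]["mb"].append(mb)
    return {u: {f: (mean(v), pstdev(v)) for f, v in feats.items()}
            for u, feats in per_user.items()}

def anomaly_scores(profile, event):
    """z-score of each feature against the profile; a large value means behavioral drift."""
    return {f: abs(event[f] - mu) / max(sigma, 1e-6) for f, (mu, sigma) in profile.items()}

def abnormal_probability(scores, prior, threshold=3.0):
    """Crude estimate that the drift is genuinely abnormal: below the z-score threshold it is
    noise; above it, each earlier occurrence of the same anomaly type (assumed to be a new
    habit rather than an attack) halves the suspicion."""
    feature = max(scores, key=scores.get)
    if scores[feature] < threshold:
        return feature, 0.0
    return feature, 1.0 / (1 + prior[feature])

def new_prior():
    """Memory for the frequency check: user -> anomaly type -> times seen before."""
    return defaultdict(Counter)

def triage(user, event, profiles, prior, user_confirms):
    """Score -> recurrence check -> AI bot asks the user -> alarm if they deny the action."""
    feature, p = abnormal_probability(anomaly_scores(profiles[user], event), prior[user])
    if p < 0.5:
        return "noise"
    prior[user][feature] += 1  # remembered so the next occurrence is scored as recurring
    return "confirmed_by_user" if user_confirms(user, feature) else "alarm"

def combine_low_level(alerts, minimum=10):
    """Escalate users whose low-level alerts, taken together, point to compromise."""
    counts = Counter(user for user, severity in alerts if severity == "low")
    return {user for user, n in counts.items() if n >= minimum}

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    prior = new_prior()
    # A 03:00 login with normal upload volume, never seen before and denied by the user.
    print(triage("alice", {"hour": 3, "mb": 14}, profiles, prior, lambda u, f: False))
```

Run the same off-hours event repeatedly and the verdict moves from "alarm" to "noise" as the recurrence count grows, which is exactly the trade-off a real deployment has to tune.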
Using AI and ML together, anomalies can be generated and then passed through a series of AI models to determine their probability and severity, and to decide whether any specific anomaly crosses a threshold that should trigger an event or alarm. For example, an anomaly is raised when a user's behavioral pattern has drifted from its normal operation. It is then analyzed by machines to determine whether that anomaly has occurred before, at what frequency, and whether it can be predicted with a reasonable level of probability that the event is actually abnormal. If so, it may be passed to an AI bot that sends an alert to the user by text message or to an alternative email address, asking whether the action was prompted by them. If not, an alarm is triggered by the AI intrusion system and the incident response process begins. This is