Machine learning, a subset of artificial intelligence, is the practice of using algorithms and large data sets or Big Data to develop insights ranging from which movie a Netflix user may want to watch next to recommendations about cybersecurity incident handling.
According to consulting firm McKinsey, “the unmanageable volume and complexity of the big data that the world is now swimming in have increased the potential of machine learning—and the need for it.”
For security professionals, machine learning capabilities can increase responder productivity and enable leaner, more efficient security operations. Humans however, not machines, must direct and guide machine learning algorithms to achieve the business goals and objectives that the computers are given.
Machine Learning, Big Data, and Security
The best way to understand how machine learning can be beneficial for security analysts is to perhaps look at another field with similar operational efficiency goals that is currently taking advantage of Big Data, and prospering - Marketing.
Marketers are using machine learning for marketing automation to increase profits and operational efficiency, while reducing costs by leveraging new and existing data sets available to their businesses and mining them for insights. Capgemini Consulting found that “58 percent of enterprises are tackling the most challenging marketing problems with AI and machine learning first, prioritizing personalized customer care and new product development.” With machine learning tools and platforms, marketers, armed with Big Data are now adding more value to an organization than ever before.
Like marketing automation, the use of machine learning for security is a fast-growing trend due to the large amount of data generated by security incidents and threats. By leveraging machine learning algorithms, security staff can more easily manage their operational environment and focus on higher level strategic tasks that add value to the organization instead of more menial tasks.
Machine Learning Use-Cases for Security Analysts
One security machine learning use case is security expert suggestions. End-to-end handling of incident response is rarely an isolated process yet analysts often operate in silos while performing investigations, unaware of their colleagues’ specific skill-sets for handling complex incidents. Additionally, junior analysts may operate in the dark while handling incidents that senior analysts could easily solve if they weren’t occupied with day-to-day operations.
A machine learning enabled collaborative space can provide a needed platform where analysts can invite their teammates to conduct joint investigations. Machine learning can enable the mining of historical references of all closed incidents, specifically looking at manual actions performed by analysts in the past. After parsing through the data, automated suggestions by the top analysts can provide relevant assistance for an incident.
Such a collaborative space will provide a consistent decrease in resolution times and increase in resolution quality. It will also act as a guide for junior analysts by highlighting which experts can help them through specific incidents, thus reducing error rate and analyst anxiety.
Another machine learning use case is playbook task creation. After playbooks make the initial journey from paper onto a Security Orchestration, Automation & Response (SOAR) platform, they facilitate automated response but may not undergo any further measurement and review. Unless analysts capture better knowledge from elsewhere and feed it into the platform, the benefits of these playbooks plateau after a period of time.
A Security Orchestration, Automation & Response (SOAR) platform with machine learning enables security staff to better harmonize actions across products, manage incidents within a platform, collaborate in real-time, and learn from the latest data.
By facilitating the creation of custom playbook tasks using machine learning to accelerate only the most relevant tasks, analysts can be presented with suggestions for arguments and parameters that fit best with the most relevant inputs and commonly used arguments. This not only reduces alert fatigue and lead to quicker incident triage, but the playbooks that use machine learning also help alleviate the eventual stagnation in efficacy of static playbooks.
The Future of Machine Learning for Security Operations
Machine learning enabled security operations are an emerging trend that will only accelerate as threats and data volumes increase, coupled with the need for knowledge management and expert advice. By leveraging machine learning algorithms, tools and platforms, security staff will more easily be able to manage their operational environment and focus on higher level strategic tasks that add value to their organization. Like the marketers armed with Big Data and machine learning tools and platforms who are increasing profits and operational efficiency while reducing costs, security operations can also now add more value to an organization than ever before.
To learn more about specific machine learning applications in security operations, you can download our whitepaper that highlights how Cortex XSOAR uses machine learning to enhance incident response efficiency.