The application of artificial intelligence (AI) techniques to analysing masses of security data may have become commonplace, but security incident-management specialist Demisto reports “great traction” amongst customers for an alternative platform that uses AI to learn from – and duplicate the actions of – human security specialists.
The company’s DBot technology is based around a highly developed scripting service, designed for use within security operations centre (SOC) environments, that integrates with nearly 110 security tools and supports almost 800 individual actions across those software applications.
Support tasks – for example, the method for helping employees deal with recent outbreaks of malware like WannaCry and PetrWrap – can be broken down into a series of decision steps that guide security staff through the process of resolution.
These steps can be wrapped into ‘playbooks’ that staff can access for dealing with common support issues, but the platform also generates new playbooks by watching security experts as they manually work through customer problems. Processes with successful resolutions are broken down, recorded, and made available as recommendations the next time a similar problem occurs.
By learning from the actions of skilled humans, the platform can help companies overcome the limitations imposed by the chronic shortage of skilled security staff. And that, head of marketing Rishi Bhargava told CSO Australia, is where AI technology will truly come into its own within security environments.
“Most machine learning in security has involved learning from data collected over time,” he explained. “But what we have not done in the security industry is to learn from the experts. Not only are they doing the mundane stuff over and over again, but they are not able to learn from each other, and not able to grow their skills. And when that analyst leaves, all the knowledge he has gained walks out the door with him.”
By learning the individual strengths of each security analyst, the platform also learns to triage new support tasks to the people best equipped to handle them – helping streamline the efficiency of the SOC and ensuring that junior staff aren’t thrown in over their heads too early.
“In this climate of skillset shortages, people have recognised the value of automation,” Bhargava said. “But automation only does one part of that, by taking away the mundane work. We’ve been looking at how you escalate the knowledge and skill set of the security analyst; nobody has the time to sit in long training classes, but in this way they can be part of a live incident and learn as it’s going on.”
The approach has proven popular with early customers such as security firm Cylance, mapping software vendor ESRI and managed service provider Wipro, whose Australian presence had helped bring the DBot technology to local shores. Future advancements will follow “a very strong learning roadmap” that expands the AI’s reach, looking for correlation between indicators from recorded incidents to further increase the relevance of its recommendations.
Demisto’s AI-based security analyst is an early entrant in a growing trend that analysts believe will surge in coming years: by 2020, Gartner has projected, investment in AI-based “IT resilience orchestration automation” tools will more than triple. Within the same timeframe, Gartner has predicted, 10 percent of penetration tests will be conducted by machine-learning-based smart machines.
“Automation is tailor-made for identifying where the failures might be, where they might be felt, and to build strategies for recovery,” the analyst firm suggested, noting that security practitioners should link security failures to business impact in order to get business buy-in for the trend.
“Machine learning has evolved to real-life applications. This means penetration tests can be done at the speed of a machine instead of being restricted to the rate of thinking a human offers.”
Cisco Systems is among the firms also looking to apply AI techniques to security remediation, with its newly-announced ‘intent-based networking’ architecture building on the software-defined networking (SDN) strategies that are bringing the industry’s network and security strategies together.
Early tests of Cisco’s Software-Defined Access (SD-Access) technology have helped automate day-to-day administration tasks – including machine learning-based analysis of metadata traffic patterns to identify threats in encrypted network traffic. Overall, the company claims its new approach can improve issue resolution by 80 percent and reduce the impact of security breaches by 48 percent.