Using Machine Learning to enhance threat detection
Thursday 28th January 2021 | 2-3 minute read
Like every division of your business, the security team is drowning in the flood of incoming information. For them, every IT asset – hardware, software or OS – generates thousands of events every day.
In order to maintain effective security defences, threat detection is crucial. These event logs need to be collated, analysed and actioned when anomalous behaviour is detected. But even with signature-based rules, there are still too many to be processed. Unsurprisingly, a huge number of alerts and events are never investigated because there are simply not enough resources available to deal with them all, 44% according to Microsoft.
Applying machine learning to security information and event management (SIEM)
Machine learning (ML) is specifically designed to ingest, process and action vast datasets. This makes it an ideal addition to a SIEM platform, as it’s able to analyse events and potential threats faster and more efficiently than your engineers.
Better yet, an ML-enabled SIEM platform cuts through the white noise so that the security team can focus on the tasks that really matter.
Knowing the unknown
ML is a constantly evolving technology, the full applications of which have yet to be discovered. But it has proven exceptional for establishing a baseline of ‘normal’ operations when used for log management and analysis.
Once ML-powered SIEMs understand what your IT estate should look like, they can begin identifying anomalies. Unusual behaviour is a clear indicator that something is amiss, from system misconfigurations to active hacking attempts by malicious actors.
Identifying anomalies in this way allows you to detect and mitigate issues more quickly – even when they do not conform to known activities. With no need to wait for a template or signature to be published by the vendor or security provider, the security team can take action as soon as the ML engine raises an issue.
Driving down mean time to detection (MTTD)
One of the most concerning aspects of cybersecurity is the amount of time between the initial breach and the incursion being detected. According to research by Ponemon, the average breach lifecycle is now 279 days – or 314 days when part of a malicious attack.
The same report found that the MTTD of a breach was 206 days. By reducing the lifecycle to under 200 days, the cost of a breach fell by 37%, offering a clear incentive for detecting breaches earlier.
The baselining activities described previously are a key tool in efforts to reduce MTTD, as is the ML engine that powers it.
Introducing User and Entity Behaviour Analytics (UEBA)
ML-powered SIEM extends beyond monitoring of event logs generated by your infrastructure. UEBA uses ML to deliver similar outputs, establishing a baseline of normal user and host activity. The SIEM system can then quickly identify anomalous activities that may indicate a compromised account or rogue user.
ML is also the foundation for advanced security management and automation and orchestration using artificial intelligence.
The faster security issues are detected, the faster they can be rectified. ML takes a lot of the ‘leg work’ out of event log analysis, processing vast amounts of information quickly and efficiently.
As mentioned previously, reducing the length of a breach lifecycle dramatically lowers the overall costs. Plus, by freeing your security team of the responsibility of manually processing and sorting logs, SIEM ML also releases them to focus on real security tasks – or to undertake proactive detection and remediation work.
By empowering them to do more, you will see a greater return on investment that results in lowered costs.
To learn more about ML, SIEM and how Maple can help your business establish a valuable and effective Security Operations Centre, please get in touch.
To learn more about how to maximise AI and ML capabilities within your organisation, please get in touch.