The ever-evolving landscape of cybersecurity demands both greater vigilance and greater efficiency. That is where artificial intelligence (AI)-powered security automation is becoming crucial, offering a potent blend of human expertise and machine intelligence. This article discusses how AI plays a key role in security automation, specifically in security orchestration, automation, and response (SOAR) solutions, to strengthen cyber defense capabilities.
The Need for SOAR
Modern cyber defense capabilities in many organizations consist of a diverse set of solutions, products, and tools. Managing these capabilities in a dynamic and advanced threat environment is therefore a very challenging task for security operations center (SOC) teams.
Specifically, SOC analysts struggle to manage and monitor the current volume, variety, and velocity of data produced by security information and event management (SIEM) systems, intrusion detection systems (IDS), and firewalls.
A SIEM system collects, correlates, and stores security events and generates security alerts for SOC operations. The functionality of SIEM systems has evolved since their inception to include different levels of threat intelligence (TI), which allows basic enrichment of previously generated alerts and the generation of security alerts with higher accuracy.
However, threat detection technologies like SIEMs, next-gen firewalls, and IDSs lack awareness of an organization's overall IT ecosystem. Additionally, organizations that have no single security tool covering all of their security operations requirements often install several tools and products from different vendors, which leads to complex security stacks and increases the time and cost of running a SOC.
Thus, automating and orchestrating security processes by connecting the different tools through their vendor-specific application programming interfaces (APIs) is necessary to empower analysts to investigate incidents and make decisions that improve the effectiveness of the incident response process.
The Importance of AI in SOAR
SOAR systems have been designed to extend incident response beyond SIEM limitations by providing an orchestrated and automated response throughout the identification, containment, eradication, and recovery phases. SOAR is a critical component for cybersecurity threat mitigation as these solutions integrate and automate disparate security tasks, applications, and processes while responding to security incidents to empower SOC teams.
Leveraging AI and machine learning (ML) in SOAR solutions can significantly improve cyber threat detection, prevention, and mitigation efforts, further empowering SOC analysts. AI/ML-based cyber defense systems are essential to effectively deal with the rising complexity and number of threats and to ensure substantially automated and rapid responses to threats.
AI/ML helps prevent large-scale cybersecurity attacks, suits anti-virus defense and malware detection, and does not depend on the static signatures used by conventional anti-virus systems. In SOAR system development, cybersecurity analytics and machine intelligence play a critical role in automating threat prevention and detection. Thus, ML/AI techniques can be leveraged to develop intelligent security automation strategies. Intelligent security automation is defined as a security orchestration platform that combines existing automation tools with AI/ML capabilities to orchestrate and automate the incident response processes.
SOAR Solutions Leveraging AI/ML
AI/ML has been leveraged in different ways in several SOAR platforms. For instance, FireEye has implemented an ML-based PowerShell detection engine that detects PowerShell attacks, including commodity malware such as Kovter and red team penetration testing activity. A production end-to-end ML pipeline has also been developed that constantly evolves with adversaries through re-training and re-labeling. Similarly, FireEye's MalwareGuard uses an ML model to detect and prevent malware.
The SOAR platform of Siemplify leverages ML to investigate and prioritize alerts more effectively and to assign the best SOC analyst to a case. The ML continuously analyzes and prioritizes an analyst's case queue so that critical cases are addressed first. It assigns a higher priority to cases resembling those previously deemed malicious and a lower priority to cases resembling those previously labeled as false positives.
The ML algorithms use past analyst performance to make case assignment recommendations instantly, assigning the analyst best suited to a case in order to maximize effectiveness and productivity. Siemplify's SOAR platform also provides analysts with a list of similar historical cases, which they can use as context in the current investigation to inform the response actions they take.
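The prioritization and similar-case lookup described above can be illustrated with a similarity-weighted nearest-neighbour vote over closed cases. The following is an added example, not Siemplify's code: a new case is compared with labelled historical cases by the overlap of their tags (alert names, techniques, asset groups), the closest matches form the "similar cases" list, and their verdicts are weighted by similarity into a priority score. The case tags, labels and bucket thresholds are assumptions constructed for the example.

```python
"""Similarity-based case prioritisation and similar-case lookup.

Added example, not Siemplify's code: it illustrates the idea described above with a
k-nearest-neighbour vote over hand-constructed historical cases. Case tags, labels and
the priority thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Case:
    case_id: str
    tags: frozenset        # alert names, techniques, asset groups attached to the case
    label: str = ""        # "malicious", "false_positive", or "" for an unlabelled new case


# Constructed history of closed cases with the analyst's final verdict.
HISTORY: List[Case] = [
    Case("C1", frozenset({"powershell_encoded", "lsass_access", "workstation"}), "malicious"),
    Case("C2", frozenset({"powershell_encoded", "admin_share", "server"}), "malicious"),
    Case("C3", frozenset({"failed_login_burst", "vpn", "workstation"}), "false_positive"),
    Case("C4", frozenset({"failed_login_burst", "service_account", "server"}), "false_positive"),
    Case("C5", frozenset({"dns_tunnel", "workstation"}), "malicious"),
]


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity in [0, 1]; 1.0 when the tag sets are identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similar_cases(new: Case, history: List[Case], k: int = 3) -> List[Tuple[Case, float]]:
    """The k closed cases most similar to `new`, best match first (the 'similar cases' list)."""
    scored = [(h, jaccard(new.tags, h.tags)) for h in history if h.label]
    scored.sort(key=lambda pair: pair[1], reverse=True)   # stable sort: ties keep history order
    return scored[:k]


def priority_score(new: Case, history: List[Case], k: int = 3) -> float:
    """Similarity-weighted vote: 1.0 = resembles past malicious cases, 0.0 = past false positives."""
    neighbours = similar_cases(new, history, k)
    total = sum(score for _, score in neighbours)
    if total == 0:
        # Nothing comparable in history: do not bury the case, leave it at neutral priority
        # so a human looks at it rather than trusting a vote with no evidence behind it.
        return 0.5
    malicious = sum(score for case, score in neighbours if case.label == "malicious")
    return malicious / total


def priority_bucket(score: float) -> str:
    """Map the score onto the queue ordering an analyst sees (thresholds are assumptions)."""
    if score >= 0.7:
        return "high"
    if score <= 0.3:
        return "low"
    return "medium"


if __name__ == "__main__":
    new = Case("N1", frozenset({"powershell_encoded", "lsass_access", "server"}))
    for case, score in similar_cases(new, HISTORY):
        print(f"{case.case_id} ({case.label}) similarity={score:.2f}")
    s = priority_score(new, HISTORY)
    print(f"priority score={s:.2f} -> {priority_bucket(s)}")
```

The neutral score for a case with no comparable history is the important design choice: a ranker that has never seen a pattern should not be allowed to push it to the bottom of the queue, since novel activity is exactly what the false-positive history cannot vouch for.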
Splunk has implemented an ML toolkit (MLTK) that uses the Python scikit-learn package in the backend. This MLTK is suitable for security problems like forecasting and prediction, event classification and clustering, user behavior analytics, and anomaly detection.
DFLabs IncMan employs ML algorithms in the form of automated responder knowledge (ARK) and supervised active intelligence (SAI) to support SOC analysts' dynamic interaction across all phases of the incident response workflow, so that emerging and existing threats are dealt with quickly.
The ML models maximize the efficiency and effectiveness of security operations teams, augment human analysts, and decrease the time from breach detection to resolution, which increases the return on investment (ROI) of existing security technologies.
IBM Resilient is utilized for analyst assignment and for incident categorization and prioritization. Its ML model, trained on historical data, forecasts the severity of new incidents, identifies similar previously closed incidents, and estimates the time to resolve them. It speeds up incident response by classifying incident attributes dynamically while attacks unfold.
Demisto has implemented an AI-based cybersecurity strategy to deliver automated threat response and prevention for security teams. This solution uses AI algorithms to support intelligent functions like incident triage and offers SOC analysts suggestions for the next steps. Additionally, it helps analysts collaborate on automated incident response investigations, with actions documented automatically for post-incident reporting.
ThreatConnect leverages ML/AI through integration with Exabeam's Security Intelligence Platform, which utilizes ML and behavioral modeling for automated incident response and advanced analytics. The solution supports intelligence-led patch management, infected host containment, phishing email triage, detection and alert enrichment in the SIEM, and intelligence report sharing and creation.
The ServiceNow platform ingests metrics, logs, and events to deliver a holistic solution with AI/ML-based correlation, predictive intelligence, and anomaly detection. This SOAR platform applies advanced analytics and ML to correlate events, automatically adapting to rapidly evolving cloud and virtualized environments.
It employs ML/AI to model normal behavior for performance metrics automatically and to identify anomalies when new metric values fall outside the predicted thresholds, leading to quick and accurate detection, diagnosis, and mitigation of anomalous events and a significant reduction in mean time to detect (MTTD) and mean time to respond (MTTR).
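The baseline-and-threshold idea in the paragraph above, as an added example that is not ServiceNow's code: "normal" for each metric is the mean and standard deviation of a trailing window of earlier values, and a new value is anomalous when it lies outside mean ± sigma·std. The metric names, the sample series, the window length, the sigma multiplier and the minimum-history rule are all assumptions constructed for the example; the edge cases it handles are a metric too new to have a baseline and a perfectly flat metric whose band would otherwise have zero width.

```python
"""Baseline-and-threshold anomaly detection over per-host metrics.

Added example, not ServiceNow's code: it models 'normal' for each metric as the mean and
standard deviation of a trailing window and flags values outside mean +/- sigma*std. The
metric names, the sample series and the window/sigma choices are assumptions.
"""
import statistics
from typing import Dict, List, Optional

MIN_HISTORY = 8   # fewer points than this and the baseline is not trusted (assumption)


def baseline(history: List[float]) -> Optional[Dict[str, float]]:
    """Learn 'normal' from past values; None when there is not enough history yet."""
    if len(history) < MIN_HISTORY:
        return None
    return {"mean": statistics.fmean(history), "std": statistics.pstdev(history)}


def is_anomalous(value: float, history: List[float], sigma: float = 3.0) -> Optional[bool]:
    """True/False for a verdict, None when the metric is too new to have a baseline."""
    b = baseline(history)
    if b is None:
        return None
    # Floor the band width at 5% of the mean: a metric that was perfectly flat would
    # otherwise have a zero-width band and alert on any jitter at all.
    width = sigma * max(b["std"], 0.05 * abs(b["mean"]), 1e-9)
    return abs(value - b["mean"]) > width


def scan(series: Dict[str, List[float]], window: int = 24, sigma: float = 3.0) -> List[dict]:
    """Walk each metric in time order, judging every point against the points before it."""
    findings = []
    for name, values in series.items():
        for i, value in enumerate(values):
            history = values[max(0, i - window):i]
            if is_anomalous(value, history, sigma):
                findings.append({"metric": name, "index": i, "value": value,
                                 "baseline_mean": baseline(history)["mean"]})
    return findings


# Constructed hourly samples: steady egress volume, then one hour of 900 MB; steady CPU.
SAMPLE_SERIES: Dict[str, List[float]] = {
    "host42.egress_mb": [48, 52, 50, 49, 51, 50, 47, 53, 50, 49, 51, 50,
                         48, 52, 50, 49, 51, 50, 47, 53, 50, 49, 51, 50, 900],
    "host42.cpu_pct": [30, 32, 31, 33, 30, 31, 32, 30, 33, 31, 30, 32],
}


def demo_findings() -> List[dict]:
    """Run the scan over the constructed series; only the 900 MB hour should be flagged."""
    return scan(SAMPLE_SERIES)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['metric']}[{f['index']}] = {f['value']} vs baseline {f['baseline_mean']:.1f}")
```

A trailing window rather than a fixed baseline is what lets the detector "adapt" as the text describes: a host whose egress legitimately grows over weeks drags its own threshold up with it, while a single-hour spike against the last day of samples is still caught.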
Using ML, the Interset platform identifies unusual behaviors that indicate an attempted data exfiltration and informs the ATAR platform, which then connects to the suspicious endpoints to collect evidence, automatically isolates them from the network, and locks the associated user accounts. D3 Security's SOAR platform has been designed to respond to adversarial intent with MITRE ATT&CK framework-based automated kill chain playbooks that also cover other tactics, techniques, and procedures (TTPs).
This solution integrates with the other tools a SOAR platform depends on to ensure repeatable and efficient workflows, centralize security operations, and leverage the power of orchestration and automation in a SOC environment. The SOC team sends security alerts through D3's MITRE ATT&CK correlations, which detect related events in order to predict the adversary's next steps.
Despite the extensive application of AI/ML in SOAR solutions, several challenges, like false positives and negatives, integration complexity, and lack of skilled personnel, exist in this field, which must be addressed to exploit AI capabilities fully.
A study published in the 2021 6th International Conference for Convergence in Technology (I2CT) proposed an AI-based SOAR system in which data from different sources, like IDS and firewalls, is collected and profiled event by event using a deep learning (DL) detection method.
First, the data collected from the various sources is converted into a standardized format so that it can be categorized. From that standardized data, the proposed system identifies the true positive alerts for which action must be taken, such as generating indicator-of-compromise reports and collecting additional evidence from the SIEM system. Security teams are then notified of these alerts together with their threat level.
Overall, AI-powered SOAR platforms effectively automate security processes and leverage ML for improved threat detection and mitigation. With the constant escalation of cyber threats, AI-driven SOAR platforms will become increasingly relevant to stay ahead of adversaries.
References and Further Reading
Vast, R., Sawant, S., Thorbole, A., Badgujar, V. (2021). Artificial intelligence based security orchestration, automation and response system. 2021 6th International Conference for Convergence in Technology (I2CT), 1-5. https://doi.org/10.1109/I2CT51068.2021.9418109
Kinyua, J., Awuah, L. (2021). AI/ML in Security Orchestration, Automation and Response: Future Research Directions. Intelligent Automation & Soft Computing, 28(2). https://doi.org/10.32604/iasc.2021.016240
Islam, C., Babar, M. A., Nepal, S. (2019). A multi-vocal review of security orchestration. ACM Computing Surveys (CSUR), 52(2), 1-45. https://doi.org/10.1145/3305268