Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are great when adversaries are on the outside looking in. For enemies already inside the walls, however, it’s time to arm your team with the superpowers they need to find and eliminate those threats. Don’t get me wrong, the security solutions deployed at the edge of the security stack are a necessity and will likely evolve with threats as they get more and more complex. As we learned with the SolarWinds breach and the more recent Exchange Server exploit, the enemy is already living and expanding inside the infrastructure. What solutions and capabilities do we need to arm our analysts with to discover, understand, and eliminate these threat actors that are so deeply entrenched?
In short, the analysts combatting threats like SolarWinds must be empowered… no, superpowered, to meet and find the complex infections that plague us. While we don’t have an iron suit or magic space stones, we do have a variety of AI solutions that can help us. Coupling that AI with the ability to correlate data from a myriad of sources integrates and augments the capabilities of the existing security stack. Creating a level of normalization across the vendors enables an automated, orchestrated response regardless of platform. This allows rapid, if not automated, correlation that when presented to the Security Operations Center (SOC) analysts, empowers them to make decisions at machine speed. Super-powered speed even.
Why is AI so important to this concept? The threats facing the analyst are moving far beyond simple signature-based detection. Basic indicators of compromise (IOCs) no longer consist of one or two behaviors that show an intrusion, but instead are comprised of multiple clues that are not easily shown to be related without a true AI there to sift through the noise. Both unsupervised machine learning and supervised AI design must be leveraged to find the anomaly hiding in plain sight. This empowered X-ray vision must be coupled with the ability to take immediate action, while at the same time providing our augmented analysts with the power to make far-reaching decisions at near-machine speeds.
Lastly, this detection engine needs to be deep in the core of the infrastructure, not just at the edge, because if the threat is already inside the environment, you only see the threat when your data waves goodbye on its exfiltration journey. Instead, why not look for that pattern of life deep inside your network? Let the AI map the relationships and behaviors of your users, devices, and applications in their daily lives before enacting its swift enrichment and response.
Only with AI can we readily identify that a trusted system has been compromised, allowing the analyst to be empowered to act. AI isn’t there only to see the threat but to confirm the threat and drive large-scale remediation, while the analyst must be able to gather the data to justify their response. This is where security orchestration, automation, and response (SOAR) in particular shines, as these repeatable actions must be automated to cut down the response time and get ahead of the intrusions.
It’s all well and good to be concerned about content, but it’s really the behavior that tells the story. In the case of SolarWinds, the enemy hid in the white noise that makes up the background of every network. AI, however, could (and did) recognize those abnormalities, alert the SOAR platform, and drive the correlation that finds and fights enemies already inside the walls.