Human and machine intelligence: Artificial intelligence in security operations

Most commercial AI success is related to supervised machine learning ML. Examples include smart home assistants’ understanding of spoken language and self-driving cars’ object recognition, all leveraging the vast amounts of labeled data and computation required to train complex deep learning models. However, in the field of network security, although AI can be used to improve the efficiency and scale of security operations teams, it requires a high degree of human participation, otherwise it cannot solve most network security problems, at least for now.

#In addition, the digital noise generated by human behavior in the enterprise environment makes anomalies in the system common, making it impossible to determine whether they represent attacks. . Therefore, the effect of abnormal behavior detection based on artificial intelligence is not ideal. For example, a large enterprise that produces 1 billion remote sensing data per day uses machine learning to detect threats. Even if its accuracy is 99.9%, it means finding the real attack event among 1 million false positives. Overcoming this imbalance in detection data requires a lot of professional knowledge and a multi-pronged approach. detection strategy.

But obviously without AI, things can only get worse. There are still ways to harness the power of machine learning to improve operational efficiency. Here are three principles that security operations teams are advised to consider:

1. Human and machine intelligence

Artificial intelligence is a supplement to human intelligence, not a replacement. In the environment of complex systems, especially when confronting rapidly adapting and intelligent opponents, automation technology with active learning as its core will bring extremely high value. The main job of humans is to regularly check the machine learning system, add new examples, and continuously adjust and iterate.

2. Choose the right tools

#You don’t need to be an AI expert to make good decisions, but the premise is to make sure you choose the right tools The right tools.

• First, it’s important to understand the difference between anomalous behavior and malicious behavior, as they are often two different things and rely on very different detection techniques. The former is easily discovered through unsupervised anomaly detection and does not require labeled training data. But the latter requires supervised learning, often requiring many historical examples.
• Secondly, alerts with a high signal-to-noise ratio are critical for security operations teams to fully understand the possible impact of detection results, as these systems will not be 100% accurate.
• Finally, although almost all kinds of machine learning techniques are already used in the field of network security, it is still very important to accumulate a large number of threat intelligence signatures, because once running into these signatures, the attack is almost certain, saving a lot of correlation analysis work. At all times, signatures are a critical baseline for detecting known threats.

3. Security operations require automation

It’s ironic that many cybersecurity professionals who trust AI to drive their cars, Skeptical about the role of artificial intelligence in cybersecurity countermeasures. However, today, when massive amounts of data and alarms need to be processed, automated operations are one of the most effective ways to improve the efficiency of the security operations team, and it is basically the only solution in the future.

Automation frees creative minds from time-consuming operational tasks, especially useful when detecting advanced threats, correlating analysis, prioritizing, and automating low-risk control measures (such as quarantining suspicious files or requiring users to re-verify), these can significantly improve security operation efficiency and reduce network risks.

To sum up, artificial intelligence or machine learning cannot become the only cybersecurity strategy, at least in the foreseeable future. When looking for clues in the vast sea of ​​data, combining machine intelligence with the human intelligence of security experts is the most practical and effective technical means.

The above is the detailed content of Human and machine intelligence: Artificial intelligence in security operations. For more information, please follow other related articles on the PHP Chinese website!