Security Data Strategies in the Age of AI-Driven SecOps


Today’s SOC is inundated with data from numerous sources, and the sheer volume of daily alerts generated from that data overwhelms analysts. Making sense of this data, let alone identifying threat actors within it, has surpassed human capability. To keep up with the pace and complexity of modern threats, SOCs require AI augmentation to effectively detect, investigate, and respond to security incidents. The efficacy of an AI-driven SOC depends not only on the breadth and quality of the data ingested but also on how that data is interpreted to generate meaningful insights.

Organizations should approach data in five steps to achieve AI’s full potential for supporting security operations (SecOps): ingestion, interpretation, correlation, comprehension, and discernment. Improving each step and infusing AI into these various steps will enable more accurate threat detection, accelerate incident response, and strengthen overall security posture.

Data Ingestion: Breadth and Depth

Traditional approaches to data ingestion are often constrained by cost and storage limitations. Limiting the initial data inputs for AI models in SecOps leaves crucial context behind. A more expansive, scalable approach to data ingestion will help AI models see the bigger picture of an organization’s security posture, empowering them to identify and respond to threats more effectively. This approach requires data from more sources than traditional security tools. Cloud services, endpoints, and business applications contain data that can be the missing puzzle pieces to an attack story. While the immediate value of some data might not be apparent, a more diverse and comprehensive dataset enables AI models to learn, adapt, and make more accurate predictions.

Data ingestion speed also plays a role in equipping AI models to deal with rapidly evolving threats. Real-time or near real-time data ingestion allows AI models to react swiftly to suspicious activities, potentially stopping attacks before significant damage occurs. For many organizations, embracing real-time ingestion requires an investment in scalable infrastructure and a shift to the mindset that more data, delivered quickly, is a strategic asset to SecOps.

Data Interpretation: Context and Flexibility

Ingesting vast amounts of raw security data is only the first step. For that data to be useful to AI models, it must be interpreted: turned from a jumble of logs and events into meaningful, contextualized information. The interpretation process involves normalizing and standardizing the data so that it is consistent across different sources and formats: for example, unifying timestamps, reconciling user identities, and categorizing event types. Interpretation creates a common language that the AI models can understand, allowing them to analyze the data more accurately.

Interpretation goes beyond standardizing formats. AI models need to understand the context of the data. For example, SecOps AI models should recognize that a failed login attempt at 3 AM by a user who typically works 9 to 5 is more suspicious than the same event happening during regular business hours. Interpretation requires models to dynamically map and re-map data schemas as new threats emerge and our understanding of existing threats evolves. This flexibility is crucial for AI models to adapt and accurately identify threats. Rigid systems that lack this adaptability will struggle to be effective in an increasingly dynamic threat landscape.

Data Correlation: Connecting the Dots

Data interpretation lays the foundation for the crucial next step: correlation. This step is where seemingly isolated security events are woven together to form connected information. A single failed login attempt might not be a cause for alarm, but when it correlates with suspicious emails, unusual file access patterns, and geographical anomalies, it could point to a targeted attack.

Data correlation isn’t just about connecting the dots; it’s about understanding the context of those connections. AI models need to consider factors like user roles, the sensitivity of accessed data, and relevant threat intelligence. Was the failed login attempt made by a low-level employee or a system administrator? Was the accessed file a confidential document or a publicly available resource? Was it accessed from the user’s usual working location? By incorporating the context pulled in from the broader datasets during ingestion, AI can distinguish between harmless abnormalities and genuine threats.
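As an added illustration of the interpretation and correlation steps above (example code, not part of the original post or any vendor product): two constructed events from different sources, a Windows logon failure and a syslog file read, are normalized into one schema with unified UTC timestamps and reconciled user identities, weighted with context (working hours, role, geography, data sensitivity), and then chained per user within a time window. The directory, GeoIP table, and weights are hypothetical placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample input (not real logs): a Windows logon failure and a syslog file read by the same user.
WIN_EVENT = {"TimeCreated": "2024-03-02T03:04:11Z", "EventID": 4625,
             "TargetUserName": "JSMITH", "IpAddress": "203.0.113.10"}
SYSLOG_LINE = ("Mar  2 03:06:40 fileserver smbd: user jsmith@corp.example "
               "read /finance/q1-forecast.xlsx from 203.0.113.10")
# Constructed context: hypothetical directory and GeoIP lookups (203.0.113.0/24 is documentation space).
USER_DIRECTORY = {"jsmith": {"role": "admin", "hours": (9, 17), "home_country": "US"}}
GEOIP = {"203.0.113.10": "RO"}
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd: user (\S+)@\S+ "
                       r"(read|write) (\S+) from (\S+)$")

def normalize_windows(ev):
    """Map a Windows security event into the common schema: UTC time, lower-case user, event kind."""
    ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    kind = {4625: "auth_failure", 4624: "auth_success"}.get(ev["EventID"], "other")
    return {"ts": ts, "user": ev["TargetUserName"].lower(), "kind": kind,
            "src_ip": ev["IpAddress"], "resource": None}

def normalize_syslog(line, year=2024):
    """Map a syslog file-access line into the same schema; syslog omits the year, so it is supplied."""
    m = SYSLOG_RE.match(line)
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(2).lower(), "kind": "file_" + m.group(3),
            "src_ip": m.group(5), "resource": m.group(4)}

def score_event(ev):
    """Interpretation: weight one event by working hours, role, geography and data sensitivity."""
    p = USER_DIRECTORY.get(ev["user"], {"role": "user", "hours": (9, 17), "home_country": None})
    country = GEOIP.get(ev["src_ip"])
    checks = [  # (weight, reason, condition); working hours are assumed to be expressed in UTC
        (1, "off-hours", not (p["hours"][0] <= ev["ts"].hour < p["hours"][1])),
        (1, "privileged account", p["role"] == "admin"),
        (2, f"source country {country}", bool(p["home_country"] and country and country != p["home_country"])),
        (1, "authentication failure", ev["kind"] == "auth_failure"),
        (2, "sensitive resource", bool(ev["resource"] and ev["resource"].startswith(("/finance/", "/hr/")))),
    ]
    return sum(w for w, _, hit in checks if hit), [r for _, r, hit in checks if hit]

def correlate(events, window_minutes=10):
    """Correlation: chain each user's events that fall within one window and sum their scores."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        f = findings.setdefault(ev["user"], {"score": 0, "chain": [], "first": ev["ts"]})
        if (ev["ts"] - f["first"]).total_seconds() <= window_minutes * 60:
            f["score"] += score_event(ev)[0]
            f["chain"].append(ev["kind"])
    return findings
```

Either event alone scores modestly; correlated, the off-hours failed login by an administrator from an unusual country followed minutes later by a read of a finance file produces a single high-scoring chain with the reasons available for an analyst-facing summary.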

Data Comprehension: Behavioral Context

Data comprehension is the next step in this process: AI models come to understand what is happening by combing through massive volumes of correlated events. From there, the models can build maps of all the activities happening within the environment, both standard and abnormal, to generate behavioral context. For example, AI models can understand when a user logs on to a machine, what processes were executed on the user’s behalf, which network connections were made, and whether those connections pointed to file movement or remote execution. This comprehension allows AI models to contextualize various behaviors and question the risk associated with each sequence of observed behavior.

Data Discernment: AI-driven Security Insights

Data discernment allows the AI models to look at sequences of behaviors and discriminate between normal and suspicious behavioral sequences. This is when insights about adversary activity start to surface. The AI model can summarize these suspicious behavioral sequences for the analyst to provide context and quickly bring them up to speed. Large language models can be used effectively for this summarization and can provide easily readable summaries of attacks.

Rethinking Data Strategies for a Smarter SOC

These five steps allow organizations to convert raw data into security insights, enabling security analysts and incident responders to work through security threats effectively and quickly. However, AI-driven SecOps isn’t about replacing human expertise. It’s about fostering a collaborative relationship between humans and machines. Analysts play a crucial role in validating AI’s findings, applying their experience and intuition to assess the severity of a threat and determine the best course of action. This partnership ensures that AI’s analytical power is complemented by human judgment, leading to more informed and effective security decisions.
