Cyber threats are evolving at an unprecedented rate, as COVID continues to open doors for a more organized cohort of bad actors. For George Nastasi, Associate Partner, Threat Management, Cloud & Cognitive Software, with IBM Canada, AI-fuelled systems are the best line of defence.
A subject matter expert with extensive experience in security operations, Nastasi outlined the challenges of modern threat management during his keynote address at Security & AI, one of the three sessions in ITWC’s MapleSec Satellite series. “We don’t typically do a very good job or consistent job in incorporating past knowledge, primarily what we’ve done before, how we did it, and how we can use that knowledge moving forward,” he said.
Streamlining Threat Management
Citing an example aligned to his area of expertise in cybersecurity operations, Nastasi looked at the three phases of a threat management lifecycle, from insights and discovery through to restoration of systems. “If you really think about it, a lot of the work in these three stages can be augmented with AI and machine learning to improve our work,” he said. “There’s a good portion of effort done and resources spent that can be better delivered that way.”
Deriving Significant Insights and Saving Analyst Time
According to Nastasi, some tools have matured significantly over the years, and user and entity behaviour analytics (UEBA) backed by machine learning now yields significant insight. By continuously monitoring activity and building a baseline of normal behaviour for each user and entity, the models flag deviations from that baseline as candidate malicious activity, generate a risk score per user and entity, and automatically connect related findings so that escalation decisions are more decisive. The practical caveat is that a baseline is only as trustworthy as the period it was learned from: if an attacker was already active when the profile was built, that activity becomes "normal," and the scoring thresholds still need tuning against an organization's real alert volume.
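To make the baseline-then-deviation idea concrete, here is a small added example (written for this article, not IBM's or any vendor's product logic). It learns a per-user profile from constructed historical events, scores new events on three deviations the paragraph alludes to (volume, new destination, unusual hour), and escalates anything above a threshold. The user names, hosts, byte counts and the scoring weights are all assumptions chosen for illustration.

```python
"""Toy UEBA: learn a per-user baseline from history, score new events, escalate.
Constructed illustration for this article; weights and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    hour: int        # 0-23, local hour the action happened
    host: str        # destination host the user touched
    bytes_out: int   # bytes transferred out of the host


# Constructed history: 'alice' works 09-16 on two hosts with ~1 KB transfers.
BASELINE_EVENTS = [
    Event("alice", h, host, b)
    for h, host, b in [(9, "fileshare", 1200), (10, "fileshare", 900), (11, "crm", 1500),
                       (13, "crm", 1100), (14, "fileshare", 1300), (16, "crm", 1000),
                       (9, "fileshare", 1250), (15, "crm", 950)]
]


def build_baseline(events):
    """Per-user profile: hours seen, hosts seen, mean and stdev of bytes_out.
    Caveat: anything malicious in 'events' is baked into the profile as normal."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    baseline = {}
    for user, evs in by_user.items():
        sizes = [e.bytes_out for e in evs]
        baseline[user] = {
            "hours": {e.hour for e in evs},
            "hosts": {e.host for e in evs},
            "mean": mean(sizes),
            "stdev": pstdev(sizes) or 1.0,  # constant history -> avoid divide by zero
        }
    return baseline


def score_event(baseline, e):
    """Return (risk_score 0-100, reasons). Each deviation adds to the score."""
    profile = baseline.get(e.user)
    if profile is None:
        # Never-seen principal: cannot say it is normal, so escalate for a look.
        return 50, ["no baseline for user"]
    score, reasons = 0, []
    z = (e.bytes_out - profile["mean"]) / profile["stdev"]
    if z > 3:  # more than three standard deviations above the user's usual volume
        score += min(40, int(10 * z))
        reasons.append(f"bytes_out z-score {z:.1f}")
    if e.host not in profile["hosts"]:
        score += 25
        reasons.append(f"never-seen host {e.host}")
    if e.hour not in profile["hours"]:
        score += 20
        reasons.append(f"unusual hour {e.hour:02d}:00")
    return min(100, score), reasons


def triage(baseline, events, threshold=50):
    """Events scoring at or above threshold are escalated; the rest are auto-closed."""
    escalated = []
    for e in events:
        score, reasons = score_event(baseline, e)
        if score >= threshold:
            escalated.append((e, score, reasons))
    return escalated


# Constructed "new" events: one routine, one exfiltration-shaped, one unknown user.
NEW_EVENTS = [
    Event("alice", 10, "fileshare", 1300),
    Event("alice", 3, "backup-srv", 250_000),
    Event("bob", 12, "crm", 1000),
]

if __name__ == "__main__":
    profile = build_baseline(BASELINE_EVENTS)
    for e, score, reasons in triage(profile, NEW_EVENTS):
        print(f"ESCALATE {e.user}@{e.hour:02d}:00 -> {e.host} score={score} {reasons}")
```

The routine 10:00 file-share access scores zero and would be closed without an analyst touching it; the 03:00 250 KB transfer to a host alice has never used trips all three checks and is escalated with the reasons attached, which is the "connect the dots" part of the paragraph. In a real deployment the profile would be recomputed on a rolling window and the weights learned rather than hand-set.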
In another example of integrating AI and machine learning into threat investigation, Nastasi said IBM typically invests a great deal of time analyzing security events, many of which turn out to be false positives or benign. "This happens all the time, so why not run the security events through machine learning models and get a disposition or verdict in seconds instead of hours?" he asked. "If we can get machine learning to do that for us, then we save our analysts valuable time that they can then use in more high value work, such as investigation or follow-up."
Driving a Faster Response Time
Nastasi is also an advocate for using AI and machine learning to augment response capabilities. “We spend hours researching indicators of compromise,” he explained. “AI can gather that information in seconds or minutes and correlate the information for easy incorporation into analysis. The time saved makes a big difference in how fast we respond to legitimate threats and the faster we can get to respond, the lower the impact of that cybersecurity incident is going to be.”
As remote work continues to erode the network perimeter, the risks are coming fast and furious. Detecting threats is an important first step, but the differentiator, in Nastasi's estimation, is using AI and machine learning to spot behavioural abnormalities, reduce response time, and thwart serious attacks.