What is most known about security analytics and SIEM, as components of the enterprise cybersecurity suite, is not that they collect, aggregate, and analyze security data from throughout enterprise networks via detection algorithms. That is certainly true, but the most well-known aspect about them is that they are some of the most challenging solutions to deploy and manage properly. Both security analytics and SIEM require a good deal of human resources and time to monitor the plethora of security event data generated by even a modest enterprise.
Therefore, more and more enterprises are expressing interest in AI and machine learning as features in their security analytics or SIEM solutions. The prospect of automating the difficult processes involved is unsurprisingly appealing.
But AI and machine learning are still relatively new technologies in cybersecurity. They are still in the experimental phase, in other words. What do they mean for SIEM and security analytics?
Machine Learning, AI, UEBA: Branches of the Same Tree
Machine learning and UEBA are actually two different forms of artificial intelligence (AI) in cybersecurity. For security analytics purposes, AI scans the IT environment, finds patterns, and identifies anomalies. Machine learning more specifically receives human inputs for its scans and learns from the results it receives. User and entity behavior analytics (UEBA) monitors user behaviors, seeks out anomalies in those behaviors, and investigates security incidents that may be at the root of those abnormalities.
For machine learning, it is important to remember that it comes in two distinct flavors: supervised and unsupervised. Supervised applications of machine learning can sort through clean, structured data that allows for clear rules and algorithms. Unsupervised applications can examine unstructured data from multiple sources, as is commonly generated in SIEM and security analytics scans. Unsupervised models can be taught using neural networks and deep learning to detect previously unknown enterprise network threats.
Robots and SIEM: The Benefits
The most praised benefit of AI and machine learning is the relief it can offer your enterprise’s IT security team. The features can compliment your SIEM and security analytics scans, sorting through the gigabytes of security data that even a small enterprise can generate each day.
Under normal circumstances, IT security teams have to drop the security logs into a central database and then mine the data for security events—eating up time and energy. Machine learning does that work in real time, allowing human professionals to spend time focusing on more valuable tasks such as investigating the legitimate security events. In a time when cybersecurity talent is stretched thin, this can be a welcome boon to enterprises of any size.
Furthermore, machine learning can scan your enterprise’s network far faster than any human could, allowing your SIEM or security analytics solution to catch threats and data breaches faster. This is crucial—as too many businesses have learned, breaches can be quiet and avoid detection until it is far too late.
As stated above, AI in SIEM is still very much in its infancy and therefore can suffer from the issues that plague any new technology. Much like SIEM and security analytics overall, machine learning does require time and attention to make sure it is functioning properly and optimally. Furthermore, it is dependent on investigation triggers and understanding behavioral patterns—therefore its algorithms’ effectiveness can be hobbled by poor inputs.
Additionally, machine learning and AI in SIEM and security analytics were inspired in part by malicious AI programs created to make hackers’ nefarious tasks easier—it allows for larger and more sophisticated attacks. Whether security AI can stand up to its hacking doppelganger has yet to be seen.
Machine learning may not be a cure-all, but it is certainly a powerful feature to consider in your enterprise’s SIEM or security analytics solution.
Latest posts by Ben Canner (see all)
- What Do SIEM Components Actually Do For Enterprises? - October 10, 2019
- The 11 Top Enterprise Threat Intelligence Platforms of 2019 - October 9, 2019
- LogRhythm Releases True Unlimited Data Plan for SIEM - October 4, 2019