The cybersecurity market is loaded with ambiguous buzzwords and competing acronyms that make it very difficult to clearly distinguish one infosecurity capability from another.
If your efforts to understand what cybersecurity components you need to focus on have left you frustrated, you’re not alone.
Let’s cut to the chase and separate fact from fiction regarding cybersecurity’s biggest buzzwords.
Artificial Intelligence, Machine learning, and User and Entity Behavior Analytics
That’s right. These big three really all belong in one group.
Artificial intelligence (AI) and machine learning (ML) are two very significant concepts right now, and often seem to be used interchangeably. However, while related, they are not quite the same thing.
Artificial intelligence is the wider concept of machines being able to carry out tasks in a way that we would consider “smart” while ML is the application of AI based on the idea that machines should be able to learn on their own from the data provided to them.
An actionable security intelligence platform uses machine learning to understand and predict normal system activities and event occurrences within an enterprise. In the context of cybersecurity, machine learning is leveraged for User and Entity Behavior Analytics (UEBA).
UEBA capabilities use machine learning to gain an understanding of how users (humans) and entities (machines) typically behave within an environment. It looks for risky, anomalous activity that deviates from normal user behavior, and alerts accordingly based on what may indicate a threat.
Common examples include a user accessing a system at an unusual time or location, or simply accessing a system not in their routine. In terms of entity behavior, an example would be a compromised computer being used as an entry point to attempt to log into various other servers and assets.
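A minimal illustration of the UEBA logic just described, written for this page as an added example (not EventTracker's or Netsurion's code): it learns per-user baselines from constructed sample login events, then flags a user logging in at an odd hour from an unfamiliar workstation, and a workstation reaching out to several servers regardless of which account it used. The event fields, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample authentication events (not real logs): (timestamp, user, source host, target system)
BASELINE = [  # learning window: what "normal" looked like
    ("2024-03-04T09:12:00", "alice", "wks-01", "file-srv"),
    ("2024-03-04T10:40:00", "alice", "wks-01", "mail-srv"),
    ("2024-03-05T08:55:00", "alice", "wks-01", "file-srv"),
    ("2024-03-04T14:05:00", "bob", "wks-02", "db-srv"),
    ("2024-03-05T15:30:00", "bob", "wks-02", "db-srv"),
]
OBSERVED = [  # detection window: an off-hours login and a host fanning out to several servers
    ("2024-03-06T09:30:00", "alice", "wks-01", "file-srv"),
    ("2024-03-06T03:15:00", "alice", "wks-09", "file-srv"),
    ("2024-03-06T14:10:00", "bob", "wks-02", "db-srv"),
    ("2024-03-06T14:11:00", "bob", "wks-02", "hr-srv"),
    ("2024-03-06T14:13:00", "bob", "wks-02", "dc-01"),
]

def hour_of(ts):
    return datetime.fromisoformat(ts).hour

def build_user_baseline(events):
    """Per user: the login hours, source hosts and target systems seen during the learning window."""
    base = defaultdict(lambda: {"hours": set(), "srcs": set(), "dsts": set()})
    for ts, user, src, dst in events:
        for key, val in (("hours", hour_of(ts)), ("srcs", src), ("dsts", dst)):
            base[user][key].add(val)
    return dict(base)

def flag_user_anomalies(base, events, tolerance=1):
    """Alert when a login deviates from that user's own baseline (odd hour, new source host or new target)."""
    alerts = []
    for ts, user, src, dst in events:
        p = base.get(user)
        if p is None:
            reasons = ["no baseline for user"]  # never-seen account: cannot judge, surface it for review
        else:
            reasons = [msg for hit, msg in (
                (min(abs(hour_of(ts) - h) for h in p["hours"]) > tolerance, "unusual hour"),
                (src not in p["srcs"], "unseen source host"),
                (dst not in p["dsts"], "unseen target system")) if hit]
        if reasons:
            alerts.append((user, ts, reasons))
    return alerts

def flag_entity_fanout(events, max_targets=2):
    """Entity view: alert when one source host reaches more than max_targets distinct systems in the
    observed window, whichever accounts it used (the compromised-host pattern described above)."""
    targets = defaultdict(set)
    for _ts, _user, src, dst in events:
        targets[src].add(dst)
    return [(src, sorted(t)) for src, t in targets.items() if len(t) > max_targets]
```

A real platform would learn the baseline continuously and weight deviations by risk rather than using fixed sets, but the two views (per user, per entity) are the ones the text describes.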
All of this analysis, correlation, and reporting is done by first collecting and storing event and log data within the SIEM (Security Information and Event Management) technology – bottom-line, an actionable security intelligence platform.
Security Information and Event Management (SIEM)
But wait, you may be asking yourself, “Didn’t some vendor tell me ‘SIEM is dead’?” Nothing could be further from the truth. What’s really being said is that the first-generation SIEM platform is dead: the one that was nearly impossible to deploy, collected massive amounts of logs, and spit out an unmanageable pile of false positive alerts for an analyst to ignore. Of course, that SIEM is, and should be, dead.
What’s misleading in that statement is that today’s understanding and expectations of a SIEM are much different. Any SIEM solution worth its salt is going to incorporate functionality originally delivered by point solutions such as endpoint threat detection and response (EDR), intrusion detection system (IDS), user and entity behavior analytics (UEBA), threat intelligence feeds, and more.
Furthermore, today’s most effective SIEM solutions should offer practical pricing models, deployment options, and managed services.
Security Orchestration and Automated Response (SOAR)
Machine learning capabilities allow a platform to more effectively find the proverbial “needle in a haystack” by detecting and alerting to real threats and minimizing false positives.
But security analysts still need to respond to such incidents.
EventTracker incorporates SOAR functionality to reduce response times, improve remediation consistency, and increase SOC productivity. For instance, unknown processes can be immediately terminated, monitored for propagation of suspected malware, and placed in an incident report in an enterprise’s IT management platform (Security Orchestration).
In such a case, when EventTracker detects a threat, it does not just “say something”, it “does something” (Automated Response).
Intelligence-Driven Security Operations Center (iSOC)
Technology is only part of the equation. Many organizations lack the staff and resources to realize the full potential of their investment in threat lifecycle management.
A comprehensive managed solution includes a team of security analysts armed with global and local threat intelligence, which is layered on top of a SIEM platform to perform 24/7 monitoring, analysis, and incident response.
This is basically SOC-as-a-Service. The “i” in iSOC means that this group includes a threat research lab, which in some cases is an entity in and of itself.
An iSOC typically consists of:
- SOC Analysts: Tier 1 and 2 security analysts monitoring events, delivering critical observations reports (COR), and responding to early warning health alarms
- CSIRT: Tier 3 incident response analysts reviewing the COR and managing priority 1 incidents
- Threat Research Lab: Analysts focused on collating indicators of compromise (IOC) from multiple sources
- Platform Specialists: SIEM administrators who collaborate with engineering on product enhancements and fixes as well as perform routine tuning to optimize the installation
With Netsurion’s Managed Threat Protection solution, the iSOC understands the unique needs of an organization and manages systems administration and tuning, builds out response playbooks, and conducts regular executive summaries using critical observation reports (CORs).
This co-managed SIEM solution is, for many organizations, a much more cost-effective method to achieve security and compliance results.
So, there you have it. Artificial intelligence (AI), machine learning (ML), User and Entity Behavior Analytics (UEBA), Security Orchestration and Automated Response (SOAR), and Intelligence-Driven Security Operations Center (iSOC) are concepts that are often misconstrued or misused, but when properly understood, they really do convey beneficial cybersecurity concepts and capabilities.
The best way to apply these concepts to your organization depends on your unique situation. Talk to a Netsurion expert to find out what cybersecurity solution is right for you.