I have written a lot about Generative AI in the past: in books, at my full-time job, in my freelancing work, and on this blog.
As mentioned, it brings both good and bad sides with it. But to stay positive today (despite what else is going on in the news), one great advantage of Generative AI is its ability to sift through enormous amounts of data and return a relevant response to a query. In this regard, it can be a great boon for Cybersecurity as well.
One instance of this is filtering out the noise in the log files produced by the network security devices you may have deployed, such as firewalls, network intrusion detection devices, routers, switches and the like.
They all present information that is very useful to an IT Security team. The problem is that there is a huge volume of it to comb through; it can take an IT Security team days or even months to go through all of it.
But by applying Generative AI that has been properly trained on this kind of data, the model can sift through all of it very quickly, in a matter of minutes, and then present only the information that is relevant to the IT Security team.
One notable example of this is the filtering of what are known as "False Positives". These are alerts and warnings that turn out to have been triggered by legitimate activity, or that represent a negligible risk.
A good model can detect these and either discard them or archive them for later study. Only the real alerts and warnings are then presented to the IT Security team, which can triage and respond to them appropriately.
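To make the false-positive filtering and deduplication step concrete, here is an added example (not code from the original post, and not a Generative AI model) of the deterministic pre-filter a SOC would typically run in front of its analysts: parse alert lines, park the ones matching a confirmed-benign list instead of deleting them, collapse repeats of the same signature/source/destination into one entry with a count, and present what remains in severity order. The alert lines, the key=value format, the device names and the suppression list (10.0.9.2 standing in for an internal vulnerability scanner) are all constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample alerts (not real device output) in a simple
# key=value line format; field names are assumptions for this example.
SAMPLE_ALERTS = """\
2024-05-01T09:00:01Z dev=fw01 sev=low sig=ICMP_ECHO src=10.0.5.7 dst=10.0.1.10
2024-05-01T09:00:02Z dev=fw01 sev=low sig=ICMP_ECHO src=10.0.5.7 dst=10.0.1.11
2024-05-01T09:00:03Z dev=fw01 sev=low sig=ICMP_ECHO src=10.0.5.7 dst=10.0.1.12
2024-05-01T09:01:10Z dev=ids01 sev=high sig=SQLI_ATTEMPT src=203.0.113.9 dst=10.0.1.20
2024-05-01T09:01:11Z dev=ids01 sev=high sig=SQLI_ATTEMPT src=203.0.113.9 dst=10.0.1.20
2024-05-01T09:01:12Z dev=ids01 sev=high sig=SQLI_ATTEMPT src=203.0.113.9 dst=10.0.1.20
2024-05-01T09:02:00Z dev=ids01 sev=medium sig=PORT_SCAN src=10.0.9.2 dst=10.0.1.0/24
2024-05-01T09:03:00Z dev=fw01 sev=medium sig=OUTBOUND_SMB src=10.0.1.55 dst=198.51.100.4
"""

# Suppression rules: (signature, source) pairs the team has confirmed benign.
# 10.0.9.2 is assumed to be the internal vulnerability scanner; "*" matches any
# source. Both entries are assumptions made for this example.
KNOWN_BENIGN = {
    ("PORT_SCAN", "10.0.9.2"),
    ("ICMP_ECHO", "*"),
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")


def parse_alert(line):
    """Turn one key=value alert line into a dict; return None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_known_benign(alert):
    """True if the alert matches an exact or wildcard-source suppression rule."""
    sig, src = alert["sig"], alert["src"]
    return (sig, src) in KNOWN_BENIGN or (sig, "*") in KNOWN_BENIGN


def triage(raw_text):
    """Split raw alerts into (presented, archived).

    presented: deduplicated alerts for the analysts, highest severity first,
               each carrying a 'count' of how many raw lines it collapsed.
    archived:  suppressed false positives and malformed lines, kept (not
               deleted) so they can be reviewed later.
    """
    archived = []
    groups = {}
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            archived.append({"raw": line, "reason": "malformed"})
            continue
        if is_known_benign(alert):
            alert["reason"] = "known_benign"
            archived.append(alert)
            continue
        key = (alert["sig"], alert["src"], alert["dst"])
        if key in groups:
            groups[key]["count"] += 1
            groups[key]["last_seen"] = alert["ts"]
        else:
            alert["count"] = 1
            alert["last_seen"] = alert["ts"]
            groups[key] = alert
    presented = sorted(
        groups.values(),
        key=lambda a: (-SEVERITY_RANK.get(a["sev"], -1), a["ts"]),
    )
    return presented, archived


if __name__ == "__main__":
    shown, parked = triage(SAMPLE_ALERTS)
    for a in shown:
        print(f"{a['sev']:6} {a['sig']:14} {a['src']} -> {a['dst']} x{a['count']}")
    print(f"{len(parked)} alert(s) archived as known false positives")
```

On the constructed input, eight raw lines collapse to two items for the analyst (the repeated SQL injection attempts as one high-severity entry with a count of three, plus the outbound SMB connection), while the four scanner and ping alerts are archived rather than lost. The suppression list is the part that needs governance: every entry should be a documented decision with an owner, because a wildcard like the ICMP one above will also hide a reconnaissance sweep if nobody revisits it.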
This greatly reduces the problem known as "Alert Fatigue": when there are so many alerts to go through that analysts burn out. The repercussions can be severe, because a burned-out employee may give up entirely and stop responding to anything at all.
Another key area where Generative AI can be used quite well is in a field called "User and Entity Behavior Analytics", also known as "UEBA" for short. It can be technically defined as follows:
"User and entity behavior analytics (UEBA) is a cybersecurity solution that uses algorithms and machine learning to detect anomalies in the behavior of not only the users in a corporate network but also the routers, servers, and endpoints in that network."
(SOURCE: What is User Entity and Behavior Analytics (UEBA)? | Fortinet)
Deploying and using this kind of solution can be quite complex, depending on how large your IT and Network Infrastructure is and how many employees you have. Simply put, though, UEBA is the practice of tracking down abnormal or unusual patterns in how users and devices normally behave on the network.
The scenario where it is used most is in detecting anomalies that fall outside of the baseline profile you have established. A good example is when you have set a lockout policy that disables an account after three failed login attempts.
An outlier here is somebody who keeps trying repeatedly to log in. Usually, this is a warning sign that a Cyberattacker is on the prowl, for example by launching a Dictionary Attack, but it can also be a frustrated employee who is legitimately trying to log in to their device. Whatever the situation might be, it must be investigated.
But once again, having to go through all of the data can be a nightmare. By incorporating Generative AI into your solution, any suspicious behavior that merits further attention from the IT Security team is surfaced very quickly by the model.
In fact, many Cybersecurity vendors are already baking this into their solutions, so little extra integration work is required on your end. You still need to feed the model the data it learns from so that it can create a baseline profile, and once it has done this, set up the criteria for what is deemed to be abnormal behavior.
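The two steps just described, learning a baseline from historical data and then applying criteria for abnormal behavior, can be shown in miniature. The following is an added example written for this post (not code from the original, and not a vendor's UEBA engine or a Generative AI model): it builds a per-user profile of login hours and source addresses from a history of authentication events, then flags the repeated-failure scenario from the text (three failures inside a five-minute window, mirroring the three-attempt lockout policy) along with logins from never-before-seen sources or at unusual hours. The log lines, the key=value format, the usernames and addresses, the five-minute window and the hour-of-day criterion are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real logs). The line format and
# field names are assumptions for this example.
HISTORY = """\
2024-04-01T08:55:00Z user=alice result=success src=10.0.2.15
2024-04-02T09:02:00Z user=alice result=success src=10.0.2.15
2024-04-03T08:48:00Z user=alice result=failure src=10.0.2.15
2024-04-03T08:49:00Z user=alice result=success src=10.0.2.15
2024-04-04T09:10:00Z user=alice result=success src=10.0.2.15
2024-04-01T13:00:00Z user=bob result=success src=10.0.3.40
2024-04-02T14:30:00Z user=bob result=success src=10.0.3.41
2024-04-03T13:15:00Z user=bob result=success src=10.0.3.40
"""

TODAY = """\
2024-04-05T09:00:00Z user=alice result=success src=10.0.2.15
2024-04-05T02:14:00Z user=bob result=failure src=198.51.100.7
2024-04-05T02:14:05Z user=bob result=failure src=198.51.100.7
2024-04-05T02:14:09Z user=bob result=failure src=198.51.100.7
2024-04-05T02:14:12Z user=bob result=failure src=198.51.100.7
2024-04-05T02:15:00Z user=bob result=success src=198.51.100.7
"""

FAILURE_THRESHOLD = 3                 # mirrors the three-attempt lockout policy
FAILURE_WINDOW = timedelta(minutes=5)  # assumed window for counting failures


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    event = dict(token.split("=", 1) for token in kv)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def build_baseline(history_text):
    """Per-user profile: hours of day and source IPs seen in successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for line in history_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["result"] == "success":
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
            baseline[ev["user"]]["srcs"].add(ev["src"])
    return baseline


def detect_anomalies(baseline, events_text):
    """Return (user, finding) tuples for events that fall outside the baseline."""
    findings = []
    recent_failures = defaultdict(list)  # user -> failure timestamps in window
    events = sorted(
        (parse_event(l) for l in events_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "failure":
            # Keep only failures still inside the window, then add this one.
            kept = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
            recent_failures[user] = kept + [ts]
            # Fire once, at the moment the threshold is reached.
            if len(recent_failures[user]) == FAILURE_THRESHOLD:
                findings.append((user, f"{FAILURE_THRESHOLD} failed logins within "
                                       f"{FAILURE_WINDOW} from {ev['src']}"))
            continue
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, "first login ever seen for this account"))
            continue
        if ev["src"] not in profile["srcs"]:
            findings.append((user, f"login from never-before-seen source {ev['src']}"))
        if ts.hour not in profile["hours"]:
            findings.append((user, f"login at unusual hour {ts.hour:02d}:00"))
    return findings


if __name__ == "__main__":
    profiles = build_baseline(HISTORY)
    for user, finding in detect_anomalies(profiles, TODAY):
        print(f"[{user}] {finding}")
```

Alice's login on the new day matches her learned hours and source and produces nothing, while Bob's burst of failures followed by a success from an outside address at 02:15 yields three findings for an analyst to investigate. Two caveats carry over directly from the text: the baseline here is built from only a few days of history, and a real deployment needs weeks of data plus some tolerance (for example treating an hour adjacent to a seen one as normal) before "unusual hour" is trustworthy; and the thresholds are criteria a human chose, so they need to be revisited as the environment changes.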
UEBA solutions are used quite heavily in Security Operations Centers (also known as "SOCs"), because of all the monitoring that must happen 24x7x365. But some of the areas where they have hardly ever been deployed are the following:
*The Healthcare Industry
*Government Agencies
*The Educational Sector
The first and last of these are hit the hardest by Cyberattackers, because legacy systems are still in use and funding is lacking, especially in the schools. The good news is that most UEBA solutions are now offered as SaaS products, which makes them affordable for just about any kind of entity.
It is highly likely that UEBA will keep developing over time, especially as Generative AI advances further. Thus, if you decide to deploy it, you will have to make sure that you apply all of the software patches and upgrades to it.
My Thoughts on This:
Making use of a UEBA solution is of course a no-brainer. It is one of the best ways to defend your business from an Insider Threat. It also comes in very handy when trying to secure the login credentials that are deemed "super user" accounts (this falls under the realm of Privileged Access Management). Consider these stats:
*In 2024, the average cost of a data breach rose from about $4.4 million to well over $4.8 million, a roughly 10% increase.
*Over 70% of SOCs worry that they will miss a real threat amid all the False Positives they are constantly bombarded with.
(SOURCE: Behavioral Analytics in Cybersecurity: Who Benefits Most?)
But there are also two key things to keep in mind:
*The baseline profile you get is only going to be as accurate as the data you feed into the model for it to learn from.
*While an automated tool driven by Generative AI is advantageous, do not become overly dependent on it. Remember, great Cybersecurity takes an equal combination of technology and the human element.
But best of all, a good UEBA solution will reduce "Alert Fatigue" and help ensure a sense of proactiveness among your IT Security team.