When it comes to Big Data, some see it as the beginning of a new world. But others are frightened of what it represents; namely, a gigantic volume of data. If one thing is sure, it’s that Big Data is at the heart of some of our biggest concerns today. Our ecosystem, brimming with personal information systems (smartphones, tablets, etc.) and connected objects, is sending the volume of available data into exponential growth, to the point where human intelligence alone simply isn’t enough to process it anymore.
With regard to cybersecurity and SOCs, the following question should be asked: how can we expect this nexus of information to monitor, in real time, the high level of incoming data, particularly when we know that an attack is generally fragmented and dispersed across several sources? Couldn’t we, then, consider Artificial Intelligence (now able to examine and process massive quantities of data) as a solution for identifying the set of weak signals related to a threat?
If Big Data is the disease…
The wide availability of Big Data and the growing interconnection between information systems are leading to information overload and going beyond individual capacities for analysis. All of these mini computers are still interconnected information systems, capable of producing data. We’ve reached the point where the volume is so great that it’s no longer addressable by a human system. Just imagine, sitting in front of 100 monitors all at once (all connected to different programmes, each one in a different language), and trying to conclude a global, coherent vision. It’s clearly impossible, and yet it’s exactly what we’re trying to do in cybersecurity by monitoring activity in real time using SOCs. These incoming clusters of information require a certain technological vigilance, and all with the help of Artificial Intelligence.
…Then Artificial Intelligence is the cure
On the contrary, Big Data has led to improved veracity for Artificial Intelligence systems in laboratories. In an Image Analysis exercise, while we were learning to recognise one chair out of a set of around 10 images maximum (from a Louis XV to a child’s car seat), Big Data provided billions of photos of chairs, all of which were annotated by their owners on Facebook or the internet. The photos were then passed over for research.
With the arrival of sufficiently powerful and cheap GPUs, labs have been able to test and validate the power of their algorithms by exploiting this wealth of data. In 2012, Geoffrey Hinton and Alex Krizhevsky found fame at the ImageNet competition by laying down the foundations for what would go on to become Deep Learning. This was the dawn of a new era for Artificial Intelligence, and along with it came a solution to the inherent intelligibility of Big Data.
Today, AI offers the technological means to examine a massive quantity of data and to filter out noise to extract weak signals. It can bring these together to create new meanings and information that is concise and easier to understand by humans. All in all, it’s offered up as the cure for this level of data saturation that’s so typical of the era of information.
Deep Learning and AI are spreading out everywhere and outperforming humans in Image Analysis exercises for example. They’re also opening up the possibility for automating information processing in record times thanks to powerful hardware. The question regarding their application to cybersecurity, particularly within SOCs, has never been more relevant.
Watson, or rather, how we can improve work for analysts now
IBM was the first to contribute to cybersecurity with Watson. As the first reputable cognitive system in the world, Watson is a language analysing supercomputer. In 2011, it hit the headlines after its triumphant win over the two biggest former champions in the history of the US show Jeopardy!, and resultantly winning $1million. Watson, able to read sentences (words and letters), analysed the questions in terms of their syntax, grammar, and then semantics. It hit the buzzer in under 3 seconds, offering the most viable answers. Before the show, Watson had wolfed down 200 million pages of natural language from Wikipedia amongst other sources, to be able to find the right answers during the game.
Quiz shows aside, today Watson is promising great things in the healthcare arena. It has recently been able to diagnose, in less than 10 minutes, a rare form of leukemia by cross-referencing data from a female patient in Japan (symptoms, family history, etc.) with 20 million publications on cancer.
Thanks to over 20 years of cybersecurity research under its belt and the ability to take in the latest on cyberattacks, Watson is going introduce this firepower into future SOCs.
Watson will sharpen up the vision that SOC analysts have of incidents through:
- Better decision making
- Considerable reduction in incident reaction times
- Improved rates of attack detection
The real challenge is that this will only be achievable if Watson understands and can be understood by the humans manipulating it.
SOCs of tomorrow
In the short-term, thanks to Artificial Intelligence, SOCs should be able to make sense of Big Data. On a long-term basis, AI could be the cause of a transformation in SOCs; transforming from an organ of detection and reaction to a true IT brain. SOCs would then not only be capable of deploying equipment but predicting attacks and adapting the network’s security level in real time.
We should therefore move towards a single human/machine ecosystem. We can imagine more intelligent predictive systems based on cognitive intelligence, where technologies such as Watson will be able to understand their environments and adapt to attacks in real time. Interconnected SOCs will be equipped to identify an attack and trigger signals to other SOCs so they can predict and prevent the attack. AI will allow the “detect and respond” paradigm to move towards one of “predict and adapt”.
If we’re sure of anything, it’s that AI is making machines a little more intelligent than they were. Now they’re intelligent enough to – at least partly – provide a solution for the level of data saturation that we’re subject to today. AI should allow us to better understand our current digital environment to be better armed to act. The SOCs of the future will create a single ecosystem, perhaps a platform or even a place to test the relationship between humans and the machines of tomorrow.
Derniers articles parRudy Guyonneau (voir tous)
- Why we need governance to support the development of AI in cybersecurity - 11 October 2017
- Artificial Intelligence will boost the SOCs of tomorrow - 24 January 2017