We spoke with Tejpal Chadha, Global Head, Digitate SaaS Cloud and Cyber Security to discuss how AI neutralizes false positives and boosts cybersecurity.
When it comes to cybersecurity, organizations tend to believe that it’s better to be safe than sorry. However, conventional approaches to security yield a glut of false positives and unnecessary alerts. Enterprises get so bogged down sifting through this noise, they eventually end up missing legitimate security events, leading to potentially catastrophic breaches and attacks. Businesses must be able to filter out this noise so they can address real threats. AI is key to bridging this gap.
What does security monitoring look like for most organizations?
When it comes to cybersecurity, conventional wisdom dictates that it’s better to be safe than sorry. It’s no surprise then, that traditional security monitoring solutions tend to deliver a glut of notifications - including false positives and low priority alerts. To make matters worse, SecOps teams on average rely on 10 different security tools (firewalls, email security, endpoint security, etc.) to protect their company’s data and infrastructure. Sifting through this noise (up to thousands of alerts daily) across several different platforms is incredibly difficult. As a result, enterprises end up missing legitimate security events, leading to potentially catastrophic breaches and attacks.
What causes all these alerts?
It varies completely. Some notifications are purely informational (for example, telling you that an employee logged in from a new device) while others are level three security alerts (such as a ransomware attack). This is a major part of the issue. Most organizations have no method for differentiating the low-level alerts from the serious ones. That leaves them with two options: Either check out every notification or start ignoring many of them.
And even when SecOps attempts to review all of these notifications, it’s likely that they’ll eventually suffer from alert fatigue and take their eye off the ball. Just compare it to your corporate email. Imagine if you received thousands of messages in your inbox every day – 70% are spam emails that aren’t being filtered to your junk folder, 25% are legitimate messages but not urgent, and 5% are serious and demand immediate action. You’d inevitably miss some of the important emails, and that would have a serious business impact.
What are some of the approaches that enterprises are taking to address false positives?
There are a few monitoring tools that offer extra functionality to minimize false positives and excess alerts for an additional cost. But most solutions don’t support these capabilities, so IT still has to deal with the noise from the many other tools they use. Even if all these products were able to suppress low priority alerts and prioritize the critical ones, you’d still have to switch between 10 different tools to manage your security end-to-end.
Some organizations try to solve the problem by outsourcing monitoring to lower cost analysts overseas. But this approach relies strictly on humans, who are fallible and unable to detect increasingly sophisticated cyberattacks. Of course, humans should play a role in security, but automation and machine learning are needed to supplement their efforts.
So what’s the answer for this problem?
The struggle to effectively manage high volume security alerts and the complexities associated with traditional Security Information and Event Management (SIEM) solutions is driving the demand for a whole new approach to the issue. Manual, piecemeal approaches won’t work. AIOps provides the foundation for a new approach. AIOps-enabled SIEMs allow enterprises to effectively addresses challenges in the Security Operations Center (SOC) using automation and intelligence, enabling them to analyze, diagnose and mitigate security alerts in real-time.
How does AIOps help?
At a high level, AIOps enables IT to minimize false positives and redundant alerts via AI-based reasoning techniques. This eliminates the vast majority of the time that SecOps has to spend manually monitoring security. By relying on automation and machine learning, security dramatically improves.
AIOps further allows IT to:
Create a unified view of complex enterprise IT deployments
Autonomously determine the probable cause of a security incident, then recommend a fix and heal them quickly
Automate the management of all aspects of the alert lifecycle, from detection to remediation
Drastically improve incident response time, minimizing or eliminating business impacts
Automatically remediate potentially malicious actors and blacklist their IP address permanently
Predict and prevent repetitive issues, risks, and anomalies by leveraging learned contextual knowledge of enterprise systems and applications
Gain an extra layer of security to bolster defenses against cyberattacks when pairing with other cybersecurity tools