Despite being a relatively new concept, Machine Learning (ML) has an almost infinite range of applications. The ability to ingest vast datasets and analyse them automatically for trends, patterns and anomalies is a feature that can be applied to almost any data-driven activity – including IT security.
The concept of security information and event management (SIEM) is relatively mature, but the technology is not without its problems. By collecting event logs and alerts from across the entire IT estate, your security team is drowning in data. With tens of thousands of new events being logged every day, it is little surprise that nearly half of alerts go completely ignored.
SIEM relies on experience and time
Although it is possible to configure basic filters to try to limit the “white noise” generated by logging systems, the process is still labour-intensive and prone to errors. Your security team needs enough time to examine all the logs for issues. You are then reliant on the skills and experience of your engineers to spot the anomalies that indicate a security incident.
No matter how skilled your team, in most cases they are trying to identify issues based on what is known. Their experience tells them what they should be looking for – but this approach leaves you at a disadvantage.
Introducing ML into the mix
ML is typically used to solve complex problems, such as identifying cancerous cells in medical images or analysing the sentiment expressed on social media. ML remains something of a new addition to SIEM and incident response, so the true value of the technology is yet to be realised.
ML technology does have a natural place in event log monitoring and analysis, though. Algorithms can comb through log archives to build a picture of day-to-day operations and establish a baseline of ‘normal operations’. Every new incoming log is then processed and compared against that baseline, and the outcome feeds back to refine the ML model and its understanding of your operations.
This baselining process is extremely important because it prepares your SIEM platform to deal with known and unknown issues. Incoming events and alerts are individually compared to the established baseline to confirm they are within the established parameters of normality.
When an anomaly is detected, an ML-enabled SIEM like Microsoft Sentinel will raise an issue with the security team automatically. Because it uses a baseline built from your own system activity, Microsoft Sentinel does not rely on known patterns or signatures to detect threats. This is how the platform can detect unknown threats and help your security team to shorten the mean time to detection (MTTD).
Using ML to detect – and block – anomalous activities is becoming increasingly important when faced with the sophistication of modern cyberattacks. By monitoring activity on an event-by-event level (including user behaviour analysis), ML can help to spot the tell-tale signs of a rogue user on the network – or even a zero-day exploit.
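The baseline-and-compare loop described above is easier to reason about with a concrete, if deliberately small, instance. The following is an added example and not Microsoft Sentinel's implementation: it learns a per-user baseline of hourly login volume and source networks from historical log lines, scores each incoming batch against that baseline, and folds the events of users who behaved normally back into the baseline so it keeps refining. The log format, user names, timestamps and IP ranges are all constructed for the example.

```python
"""Baseline-and-compare anomaly detection over authentication log lines.

Added example (not Microsoft Sentinel's code). Every log line, user name and
IP range below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def parse_line(line):
    """Parse a constructed line: '<ISO timestamp> user=<name> action=<verb> src=<ipv4>'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def prefix24(ip):
    """Collapse an IPv4 address to its /24 so ordinary DHCP churn is not an anomaly."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def hourly_counts(events):
    """Return {user: {hour_bucket: number of logins}} for the login events in a batch."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.get("action") != "login":
            continue
        bucket = e["ts"].replace(minute=0, second=0, microsecond=0)
        counts[e["user"]][bucket] += 1
    return counts


class Baseline:
    """Per-user picture of 'normal': hourly login volume and the networks logins come from."""

    def __init__(self, k=3.0, min_sigma=0.5):
        self.k = k                        # standard deviations above the mean that count as anomalous
        self.min_sigma = min_sigma        # floor so a perfectly flat history still tolerates some noise
        self.hourly = defaultdict(list)   # user -> per-hour login counts observed so far
        self.networks = defaultdict(set)  # user -> /24 prefixes observed so far

    def learn(self, events):
        """Fold a batch of events into the baseline."""
        for user, buckets in hourly_counts(events).items():
            self.hourly[user].extend(buckets.values())
        for e in events:
            self.networks[e["user"]].add(prefix24(e["src"]))

    def score(self, events):
        """Compare a batch against the baseline; an empty list means everything looked normal."""
        findings = []
        for user, buckets in hourly_counts(events).items():
            history = self.hourly.get(user)
            if not history:
                findings.append({"user": user, "kind": "unknown_user", "detail": "no baseline yet"})
                continue
            threshold = mean(history) + self.k * max(pstdev(history), self.min_sigma)
            for bucket, n in sorted(buckets.items()):
                if n > threshold:
                    findings.append({"user": user, "kind": "volume",
                                     "detail": f"{n} logins in hour starting {bucket.isoformat()} "
                                               f"(threshold {threshold:.1f})"})
        seen = set()
        for e in events:
            user, net = e["user"], prefix24(e["src"])
            if net not in self.networks.get(user, set()) and (user, net) not in seen:
                seen.add((user, net))
                findings.append({"user": user, "kind": "new_network", "detail": net})
        return findings


def process_batch(baseline, lines):
    """Score one incoming batch, then refine the baseline with the events of users who were not flagged."""
    events = [parse_line(line) for line in lines]
    findings = baseline.score(events)
    flagged = {f["user"] for f in findings}
    baseline.learn([e for e in events if e["user"] not in flagged])
    return findings


def constructed_history():
    """Five working days of constructed logins: alice 2-4 per hour from 10.0.1.0/24, bob 1 per hour from 10.0.2.0/24."""
    lines = []
    for day in range(1, 6):
        for hour in range(9, 17):
            for i in range(2 + hour % 3):
                lines.append(f"2024-03-{day:02d}T{hour:02d}:{i * 10:02d}:00 user=alice action=login src=10.0.1.{10 + i}")
            lines.append(f"2024-03-{day:02d}T{hour:02d}:30:00 user=bob action=login src=10.0.2.20")
    return lines


# Constructed incoming batch: bob behaves as usual; alice produces 40 logins in one
# early-morning hour from a network she has never used before.
INCOMING = ["2024-03-08T10:30:00 user=bob action=login src=10.0.2.20"] + [
    f"2024-03-08T03:{i:02d}:00 user=alice action=login src=198.51.100.7" for i in range(40)
]


if __name__ == "__main__":
    baseline = Baseline()
    baseline.learn([parse_line(line) for line in constructed_history()])
    for finding in process_batch(baseline, INCOMING):
        print(f"{finding['user']}: {finding['kind']} - {finding['detail']}")
```

Two design points carry over to a real deployment. First, the baseline is built only from your own history, so nothing here depends on a signature of a known attack; the 40-login hour and the unfamiliar network are anomalous purely because they differ from what alice normally does. Second, flagged users' events are deliberately kept out of the refinement step, otherwise a sustained anomaly would quietly become the new normal.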
Faster and smarter security
Detecting unknown threats is absolutely crucial to strengthening your security posture. By reducing the MTTD, you can limit the potential damage caused by security breaches, saving time and money. And because ML does the majority of the heavy lifting, your security team can be more responsive – and proactive – using threat intelligence to address risks before they can be exploited.