451 Research, a leading information technology research and advisory company focused on technology innovation and market disruption within S&P Global Market Intelligence, recently published a free report titled, “Self-Learning Technology to Address Cybersecurity Blind Spots and Reduce Analyst Burnout.” In the report, 451 Research explains why security analytics needs to include advanced Third-Wave AI, which autonomously learns normal behavior and adapts to constantly changing network environments, to address the next generation of cyberthreats and increase SOC productivity.
The 451 Take
Many legacy security information and event management (SIEM) platforms rely on rules, searches and signature matching to detect threats. While these approaches were state of the art 20 years ago, SIEM platforms built on them can have blind spots that bad actors increasingly exploit. Unlike known threats, which have published signatures, tactics and techniques, unknown “novel” threats, including zero-day attacks, advanced/blended attacks and signatureless malware, are difficult or impossible to detect using traditional techniques. Malware authors increasingly employ stealthy tactics such as self-modification, compression and obfuscation to bypass detection. Another key threat is malicious user behavior, which is notoriously difficult to model and detect using traditional approaches.
Adding to the problem, security teams are chronically understaffed and overwhelmed by the many false-positive alerts that lead to “alert fatigue.” Inadequate tooling requires repetitive manual analysis, typically across multiple tools, further exacerbating the problem. This can lead to staff burnout and turnover. Today’s threat environment requires an approach to detection analytics that is well adapted to these nuances.
The graphic below, from a survey of 524 qualified cybersecurity professionals, illustrates this need. Nearly all respondents indicated that integration of advanced analysis methods, including machine learning and/or behavioral analytics, is very important (51%) or somewhat important (41%), showing that most (92%) security practitioners believe this is a key need — a need that current SIEM platforms may not deliver.
Importance of Integration of Advanced Analysis Methods When Selecting a SIEM/Security Analytics Vendor