Given the continuous buzz dinning around data science, it’s easy to imagine it as the panacea to cure almost everything ailing the enterprise. In cybersecurity, specifically, the application of data science can combat alert fatigue, better detect abnormal behavior, and improve security operations efficiency.
But, as game-changing as marrying data science and cybersecurity is, it might not be the silver bullet you’re expecting, at least not if you try to build it yourself. My colleagues and I have written before about why you cannot “bolt” data science onto your existing security operation and tools. Data science and cybersecurity are different disciplines, and their professionals naturally approach the problems of security and mitigating risk differently.
In this blog, I’d like to further explore data science by looking at some of the biggest challenges CIOs and CISOs face, and why you can’t simply flick a switch to use data to magically solve these problems.
The Case for Data Science and Its Challenges for Mid-Sized Enterprises
The need to apply data science principles to cybersecurity looms large for IT and security executives. As such, my peers sponsored a recent report, Evolving Cybersecurity Essentials: A CIO Guide to Protecting the Enterprise, which takes an in-depth look at the market shifts introducing complexity and vulnerabilities to cybersecurity, and importantly the successful approaches IT executives are taking to mitigate them - including applications of Data Science principles.
Let’s look at a few of the outcomes that a clear data science strategy can achieve, and why IT leaders, and even some security companies, struggle to implement them.
1. Operate at scale and at machine speeds
Outcome: With an ever-growing attack surface and high volumes of complex data, response at machine speeds is a must-have capability, and one that obviously can’t be achieved by humans alone. The logical answer is adopting AI-based automation fueled by good data science.
Why it is difficult to implement: Here’s the rub: a single company just doesn’t have enough data around actual attacks to effectively train an AI without irreparably biasing the results. Even some of the largest enterprises, when armed only with information on attacks made on them, won’t have the volume and diversity of data to effectively achieve this outcome.
Think about it: how can even the most powerful AI think outside the box if all it has to work from are the experiences and events occurring inside your own box? So, instead of achieving the scale and speed you need, you are biasing the system based on the company’s limited data set — potentially forever.
2. Embrace data-science principles to increase maturity and improve operations efficiency by reducing false positive alerts
Outcome: Data science and machine learning can be used to improve detections to reduce false positives without missing attacks. Achieving security operations efficiency is no easy task today, as security teams face high volumes and a wide variety of data and must contend with an untenable number of false positives, making it hard to pinpoint actual threats.
Why it is difficult to implement: Organizations struggle to embrace data science for several reasons. The first is that they have not built the capability from the ground up. Again, data science capabilities aren’t something you can just bolt onto your existing operations; they must be developed, and that takes years of time and investment.
Equally challenging is a lack of unified and centralized security solutions. Organizations today are burdened with countless legacy security tools — the majority of which are fragmented and unable to act together — and they often lack a centralized data repository from which to analyze events. This is crucial since, typically, an actual attack will be hidden amidst several days or weeks of disjointed weak signals and can be missed without a big picture view.
A third challenge to embracing data-science principles is that many organizations, especially midsize enterprises, still manage their tools manually, which makes them unable to achieve scale. For data science to bring efficiency to the SOC, investment must be made in AI-based automation and human intelligence to make the most of it.
3. Deploy AI-enabled detection and response capabilities to mitigate a shortage of security workers
Outcome: Machine learning and AI-driven detections and response can mitigate the need for more security experts. Fewer, better alerts mean fewer security personnel are required in your organization. Recognizing that a security breach is an inevitability, this is the brass ring that most organizations today aspire to achieve. AI and machine learning overcome the natural limits of manual efforts and even help alleviate the shortage of human talent.
Why it is difficult to implement: Equipped with data drawn from attacks against only your company, AI-based detection and response can’t be effectively implemented. At best, you’ll guard against attacks that have hit you in the past and recognize anomalies you’ve already seen, but you’ll never catch what is hitting your competitors and the industry at large. At worst, you add to the false positives and noise that distracts the security team from real threats.
In addition, as we saw in the past with SIEM, without the right level of confidence in your AI solution, you can’t trust it to identify which data is innocuous versus suspicious, and you become once again burdened with false positives. Attaining such confidence requires significant investment in data science, a strong signal-to-noise ratio to cut the din of false alarms, and, importantly, a high volume and variety of data that most organizations simply don’t have.
Nevertheless, data science and AI-based automation are vital to overcoming many of the challenges organizations face today around cybersecurity — to break through the noise and recognize real threats. And while it’s not impossible for organizations to build data science into their own SOCs, it’s a bit late to jump on that bandwagon. It’s expensive, time consuming, and — for a non-security company — takes investment away from the core business and other valuable digital transformation efforts.
Need Help? We’ve Already Done the Work
ActZero recognized years ago that achieving the security operations efficiency our clients needed required rethinking our own SOC to leverage data from across clients and across the globe. We rebuilt our SOC from the ground up to leverage AI and data science to enhance the ability of our human threat hunters, and we took advantage of machine learning to cut through the noise generated by false positives so they can vet low-level signals. We did the work so our clients wouldn’t have to, knowing that many couldn’t.
Today we looked at only three of the outcomes of adopting a data science-centric approach that benefit CIOs and CISOs in combatting the increasingly sophisticated, high-volume attacks they are facing, and how building your own data science capabilities to aid in the fight is likely an unattainable dream.
To learn more steps IT leaders are taking to protect their organizations, check out the entire report: Evolving Cybersecurity Essentials: A CIO Guide to Protecting the Enterprise.