The average SOC analyst typically has the capacity for a thorough review of 10-15 alerts per day—what if they were only required to connect the dots without having to tag each warning manually?
Shelby Skrhak speaks with Adam Mansour about:
- The challenge of preventing malicious attacks
- How AI supports the prevention of ransomware
- Three critical metrics for measuring software success
The challenge of preventing malicious attacks
Ransomware payments exceed $20 to $40 billion a year, while cybersecurity spending reaches $200 billion annually with less-than-ideal results.
“When people think of ransomware, they think of encrypting files. But they have to understand it is a larger pass at extortion,” Adam explains. “This is all part of a design to ensure compensation for their activity.”
Attackers will aim for any area they believe will give them the most leverage, from supplier applications to workstation encryption. The surfaces vulnerable to attack keep growing, creating a constant cat-and-mouse game between attackers and cybersecurity measures.
How AI supports the prevention of ransomware
AI brings a level of speed and automation to monitoring alerts and potential threats that humans seldom reach. Though imperfect, AI software decreases the chance of a threat slipping through the cracks.
“Most people think you have to cover every surface, that you have to find the attacker at every opportunity that they could use to close the loop on them, and get them out of the environment,” Adam says. “However, you only have to be right once. You have to disrupt the attacker, find, and get rid of them.”
The job of AI is to work through sizable amounts of data and act on it, replacing the manual review of all of those data points and removing the pressure of having to be fast enough to block a threat buried in a mountain of data.
Three critical metrics for measuring software success
Adam cites three key metrics to ensure a piece of cybersecurity software is operating efficiently and driving the needed results:
- Block rate—how many steps in the attack process can it block without direct human involvement?
- Dwell time—how long can an attacker persist in the environment running their methods before escalation and removal?
- Signal-to-noise ratio—what will the software explain about the situation when it's happening?
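The three metrics above are easier to reason about once they are computed from a concrete incident timeline. The following is an added example, not code from the podcast or from any product Adam describes; the exact formulas (block rate as the share of attack steps stopped without a human, dwell time as hours from the first observed attacker step to containment, and signal-to-noise as actionable alerts divided by non-actionable ones) are assumptions chosen for illustration, and the intrusion timeline and alert list are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class AttackStep:
    """One observed step of an intrusion and who (if anyone) stopped it."""
    name: str
    seen_at: datetime
    blocked_by: str  # "auto" (no human involved), "analyst", or "none"


@dataclass
class Alert:
    """One alert the tooling raised, with the analyst's verdict on it."""
    step: str
    actionable: bool  # True if it described something worth acting on


# Constructed sample: a simulated ransomware intrusion over three days.
STEPS = [
    AttackStep("phishing-attachment", datetime(2023, 5, 1, 9, 0), "auto"),
    AttackStep("macro-execution", datetime(2023, 5, 1, 9, 5), "none"),
    AttackStep("credential-dump", datetime(2023, 5, 1, 11, 30), "auto"),
    AttackStep("lateral-movement", datetime(2023, 5, 2, 8, 0), "none"),
    AttackStep("backup-deletion", datetime(2023, 5, 3, 2, 0), "auto"),
    AttackStep("file-encryption", datetime(2023, 5, 3, 2, 30), "analyst"),
]
CONTAINED_AT = datetime(2023, 5, 3, 4, 0)  # attacker removed from the environment

# Constructed sample: ten alerts, four of which an analyst judged actionable.
ALERTS = [
    Alert("phishing-attachment", True),
    Alert("credential-dump", True),
    Alert("backup-deletion", True),
    Alert("file-encryption", True),
    Alert("scheduled-task", False),
    Alert("software-update", False),
    Alert("admin-login", False),
    Alert("dns-lookup", False),
    Alert("usb-insert", False),
    Alert("print-spooler", False),
]


def block_rate(steps):
    """Share of attack steps blocked with no human in the loop (assumed definition)."""
    if not steps:
        raise ValueError("no attack steps recorded")
    return sum(s.blocked_by == "auto" for s in steps) / len(steps)


def dwell_time_hours(steps, contained_at):
    """Hours from the first observed attacker step to containment (assumed definition)."""
    first_seen = min(s.seen_at for s in steps)
    if contained_at < first_seen:
        raise ValueError("containment cannot precede the first observed step")
    return (contained_at - first_seen).total_seconds() / 3600


def signal_to_noise(alerts):
    """Actionable alerts per non-actionable alert (assumed definition).

    Returns float('inf') when every alert was actionable.
    """
    actionable = sum(a.actionable for a in alerts)
    noise = len(alerts) - actionable
    return actionable / noise if noise else float("inf")


def scorecard(steps, contained_at, alerts):
    """Bundle the three metrics for a single incident."""
    return {
        "block_rate": block_rate(steps),
        "dwell_time_hours": dwell_time_hours(steps, contained_at),
        "signal_to_noise": signal_to_noise(alerts),
    }


if __name__ == "__main__":
    for metric, value in scorecard(STEPS, CONTAINED_AT, ALERTS).items():
        print(f"{metric}: {value:.2f}")
```

Run against the constructed data, the block rate is 0.5 (three of six steps stopped automatically), dwell time is 43 hours (09:00 on day one to 04:00 on day three), and signal-to-noise is 0.67 (four actionable alerts against six that were not). Tracking these per incident over time shows whether the tooling is removing work from analysts or merely adding alerts for them to connect.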
“What the AI is doing is tagging things so it can say, ‘I predict this as a virus because it's deleting your backups.’ It can label alerts to be for one workstation or another, but it's still the job of the person to connect the dots,” Adam explains.
With those three metrics and the collaboration between AI and analysts, the chance of catching ransomware attacks increases.