teissTalk: Where AI-driven threat detection can streamline your SOC

On 28 March, teissTalk host Tom Langford was joined by Mike Johnson, Global Cyber Threat & Incident Response Manager, Verifone; Matt Hardy, Head of Security, Liberis; Kiarash Kia, Founder, Stealth Startup; and Dan Crossley, Director, Security Engineering, Vectra.ai.

Views on news


Wuhan XRZ, a tech firm suspected of being linked to the Chinese state-sponsored threat group APT31, and seven individuals have been sanctioned and indicted by the U.S. for their involvement in a widespread operation targeting U.S. officials and U.S.-based dissidents. Similar action has been taken by UK officials against APT31 following the group’s attack on anti-China members of the British Parliament. Although there is nothing new about state-backed attacks coming from China, North Korea or Russia, attribution is difficult. Naturally, little information is released about how the victims of these cyber crimes found out which countries were behind the criminal gangs. One of the purposes of publishing articles about these attacks is to bring the issue to the forefront. When an MP’s account falls victim to phishing, it is not specified whether it was a government, corporate or private account, and no details of the attack are revealed. The press and the public also tend to cry wolf and suspect a cyber-attack even when the cause is a simple IT problem.


Is AI the cure or the problem for SOCs?


AI is very useful for SOCs, where quick and accurate responses are needed. It is most useful for narrowing the flood of automated alerts down to those that require immediate human attention. What could really be a breakthrough is AI detecting zero-day threats and attacks on the fly, but that is not happening yet. At this stage of technological development it is sometimes easier to turn off alert systems, for example the ones supplied by cloud service providers, because of the high number of false positives. Another good use case for AI is asset tagging for visibility, which can also improve the effectiveness of a SOC team. The number of false positives will, however, decrease as ML models continue to be trained after deployment. You always need to strike a fine balance between adequate detection coverage and the clarity of the signals, so that alerts do not become normalised and ignored.


But SOC teams must make sure that they use GenAI without putting data security at risk, as happens when developers paste confidential source code into ChatGPT to get it debugged. From a data privacy regulation perspective, it is likely that training data sets will need to be made available in the long run. There is also the threat of bad actors using new AI technology to attack systems more efficiently and at speed.


There is now such a thing as generative adversarial networks in this space: an AI-based detector looks for, for example, data exfiltration, having been trained on how much data typically leaves a host. An adversarial AI, however, can learn what the defending model knows and send the maximum amount of data possible without triggering an alert.


The panel’s advice

  • To detect AI underestimating cyber risk, run some kind of control testing to find cases where alerts are not generated when they should be. Red teams can also be handy, but they come at a cost.
  • Loud noises (e.g., DDoS attacks) are easy to detect; the question is whether incremental, stealthy attacks can be identified.
  • AI might be the security investment of 2024, but the advice to do the basics first will continue to hold true.
  • Use AI at first to pick the low-hanging fruit, and use the time thus gained to ramp up your security efforts elsewhere.
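The egress-baseline detector the panel described, together with the control test it recommends, as an added example that is not the panel's or Vectra's code: a per-host baseline of hourly outbound bytes, an hourly threshold, a daily-total check, and a control test that injects two constructed exfiltration patterns (a loud burst and a low-and-slow drip held just under the hourly threshold) to report which detector combination stays silent. All byte counts, thresholds and function names are constructed assumptions.

```python
"""Per-host egress-volume baseline detector plus the control test the panel
recommends: inject synthetic exfiltration and check whether an alert fires.
Added example, not from the teissTalk panel; all byte counts are constructed."""
from statistics import mean, pstdev

# Constructed baseline: 24 hourly outbound byte counts for one host on a normal day.
TRAINING = [50_000, 80_000, 110_000, 140_000, 170_000] * 4 + [50_000, 80_000, 110_000, 140_000]
MU, SIGMA = mean(TRAINING), pstdev(TRAINING)  # "how much data typically leaves the host"

def hourly_alerts(samples, k=3.0):
    """Indices of hours whose egress exceeds the baseline mean by k standard deviations."""
    return [i for i, b in enumerate(samples) if b > MU + k * SIGMA]

def daily_alert(samples, factor=1.5):
    """True when the whole day's egress exceeds factor x the expected daily total;
    this catches low-and-slow transfers that never breach the hourly threshold."""
    return sum(samples) > factor * MU * len(samples)

def burst_pattern():
    """Constructed control-test input: one loud hour, five extra megabytes in hour 3."""
    day = list(TRAINING)
    day[3] += 5_000_000
    return day

def drip_pattern():
    """Constructed control-test input: every hour held just under the hourly
    threshold, the evasion the panel described, so hourly checks alone stay silent."""
    return [int(MU + 2.5 * SIGMA)] * len(TRAINING)

def control_test(detectors):
    """Run each synthetic pattern through the given detector functions and return
    the names of the patterns that produced no alert at all (missed detections)."""
    patterns = {"burst": burst_pattern(), "drip": drip_pattern()}
    return [name for name, day in patterns.items() if not any(d(day) for d in detectors)]

if __name__ == "__main__":
    print("hourly only misses:", control_test([hourly_alerts]))               # ['drip']
    print("hourly + daily miss:", control_test([hourly_alerts, daily_alert]))  # []
```

Running the control test with only the hourly detector shows the gap the panel warned about; adding the daily-total check closes it for this pattern, which is exactly the kind of missing-alert case the test is meant to surface.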

To check out the Vectra threat detection platform, click here.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543