SOT

SOT

SOAR
Security Orchestration, Automation and Response

Automation of response to information security incidents using dynamic playbooks and information security tools, building an attack chain and with an object-oriented approach

NG SOAR
Next Generation SOAR

Automation of response to information security incidents with built-in basic correlation (SIEM), vulnerability Scanner (VS), collection of raw events directly from information security tools, dynamic playbooks, building an attack chain and an object-oriented approach. AM and VM are included

AM
Asset Management

Description of the IT landscape, detection of new objects on the network, categorization of assets, inventory, life cycle management of equipment and software on automated workstations and servers of organizations

VS
Vulnerability Scanner

Scanning information assets with enrichment from any external services (additional scanners, The Data Security Threats Database and other analytical databases) to analyze the security of the infrastructure.

VM
Vulnerability Management

Building a process for detecting and eliminating technical vulnerabilities, collecting information from existing security scanners, update management platforms, expert external services and other solutions

FinCERT
Financial Computer Emergency Response Team

Bilateral interaction with the Central Bank, namely the transfer of information about incidents and receipt of prompt notifications/bulletins from the regulator

GovCERT
Government Computer Emergency Response Team

Bilateral interaction with the state coordination center for computer incidents, namely the transfer of information about incidents and receipt of prompt notifications/bulletins from the regulator

Mail us to sales@securityvision.ru or get demo presentation

SDA

SDA

TIP
Threat Intelligence Platform

Cybersecurity threat data collection, analysis, enrichment, infrastructure detection, investigation and response.

UEBA
User and Entity Behavior Analytics

Building behavior models and detecting deviations from them using several dozen built-in static analysis rules.

AD + ML
User and Entity Behavior Analysis

Dynamic behavioral analysis to search for anomalies using machine learning and to search for possible incidents.

Mail us to sales@securityvision.ru or get demo presentation

GRC

GRC

RM
Risk Management

Formation of a register of risks, threats, protection measures and other control parameters, assessment using the chosen methodology, formation of a list of additional measures to change the level of risk, control of execution, periodic reassessment.

ORM
Operational Risk Management

Accounting and recording of operational risk events, monitoring of key risk indicators and self-assessment/control

CM
Compliance Management

Audit of compliance with various methodologies and standards

BCM
Business Continuity Management

Automation of ensuring continuity and restoration of activities after emergencies.

OTS
Operational Technology Security

Operational Technology Security

Mail us to sales@securityvision.ru or get demo presentation

DEMO
presentation

SOT

Technology
SOAR

Security Orchestration, Automation and Response
NG SOAR

Next Generation SOAR
AM

Asset Management
VS

Vulnerability Scanner
VM

Vulnerability Management
FinCERT

Financial Computer Emergency Response Team
GovCERT

Government Computer Emergency Response Team

GRC

Processes
RM

Risk Management
ORM

Operational Risk Management
CM

Compliance Management
BCM

Business Continuity Management
OTS

Operational Technology Security

SDA

Analytics
TIP

Threat Intelligence Platform
UEBA

User and Entity Behavior Analytics
AD + ML

User and Entity Behavior Analysis

All products

SOT

Technology

SOAR

Security Orchestration, Automation and Response

NG SOAR

Next Generation SOAR

AM

Asset Management

VS

Vulnerability Scanner

VM

Vulnerability Management

FinCERT

Financial Computer Emergency Response Team

GovCERT

Government Computer Emergency Response Team

GRC

Processes

RM

Risk Management

ORM

Operational Risk Management

CM

Compliance Management

BCM

Business Continuity Management

OTS

Operational Technology Security

SDA

Analytics

TIP

Threat Intelligence Platform

UEBA

User and Entity Behavior Analytics

AD + ML

User and Entity Behavior Analysis
All products
Clients FAQ

Artificial intelligence in information security

Artificial intelligence in information security
23.08.2021

|  Listen on Google Podcasts  |   Listen on Mave  |   Listen on Yandex Music  |     



Ruslan Rakhmetov, Security Vision


The speed of development and changes in cyberspace in the last 3-5 years amazes not only inexperienced users, but also venerable IT and IS specialists. It is not even the volume of data processed, the number of devices or applications/services connected to the Internet, but the concepts and technologies themselves that are evolving exponentially, while comprehensive digitalisation and the shift of most businesses online due to the pandemic have only accelerated this trend.


This speed is due, among other things, to the development of tools for creating new technologies and new and better tools, which entails further acceleration of the creation of already new technologies and tools. The widespread use of high-level and ultra-high-level programming languages, powerful frameworks and development environments, the development of cloud infrastructures and virtualisation and containerisation technologies make it possible to ‘build’ a new application in an unprecedentedly short time. Cyber threats are multiplying at the same rate, as attackers use the same high-performance development tools, but for their own purposes. This brings the level of cyber countermeasures to a new level: whereas previously the confrontation with attackers could be described as a battle of wits and customised information security tools, now it can be called a full-fledged ‘war of the machines’ fought by artificial cyberintelligence.


Talks about the practical application of artificial intelligence, including in information security, have been going on for a long time, but these tools entered the market when the maturity of such products allowed them to be used in corporate environments, the accuracy of their work began to justify their cost, and the capabilities of attackers became so broad that it became possible to effectively and promptly counter them only with the use of this technology.


If we turn to history, the prerequisites for the creation of the concept of artificial intelligence were scientific research in the field of building a mathematical model of an artificial neuron and neural network based on observations of living organisms and natural neurons. In 1943, American neurophysiologists Warren McCulloch and Walter Pitts in their scientific article ‘Logical calculus of ideas relating to nervous activity’ suggested that a network consisting of artificial neurons similar to natural neurons could perform logical and mathematical operations. The outstanding British scientist Alan Turing in 1948 published the article ‘Intelligent Machinery’ (English ‘Intelligent Machinery’), and in 1950 - the work ‘Computing Machinery and Intelligence’ (English ‘Computing Machinery and Intelligence’), which describe the concepts of machine learning and artificial intelligence. The term ‘Artificial Intelligence’ itself was introduced by American computer scientist John McCarthy in 1956. It was one of the first attempts to ‘digitise’ a living organism and present a living being as a set of algorithms that can be analysed and reproduced.


Since then, science has made significant advances in the creation of artificial intelligence: landmark events include the chess victory of IBM's Deep Blue supercomputer over grandmaster Garry Kasparov in 1997 and the victory of Google's DeepMind program AlphaGo over professional player Lee Sedol in 2016. In this case, the first victory was achieved in a well-algorithmised chess game, where it is enough to know all possible combinations and moves to win, and the second - due to machine learning, which was used by AlphaGo for self-training in the game of go.


So, let's give modern definitions to a few terms related to Artificial Intelligence (AI):

- Artificial intelligence (AI) involves information systems performing decision-making and learning tasks, similar to the intelligence of living beings

- Neural network is an interconnected set of artificial neurons performing simple logical operations, which has the ability of machine learning.

- Machine learning (ML) is a technique of training an information system on the basis of provided datasets without using predefined rules, it is a special case of artificial intelligence. The general task of machine learning is to build an algorithm (programme) based on the provided input data and given correct/expected results - thus, the process of ML-system operation is divided into the initial training on the provided datasets and the subsequent decision making by the already trained system.


There are several ways of machine learning, for example:

- Supervised learning (Supervised learning) - is a method of machine learning, in which marked-up datasets (proclassified objects with selected characteristic features) are used, for which a certain ‘teacher’ (a human or a training sample) indicates correct question-answer pairs, on the basis of which it is required to build an algorithm for providing answers to further similar questions

- Unsupervised learning is a method of machine learning in which no labeled data sets are used, no correct question-answer pairs are specified, and the information system is required to find various relationships between objects based on their known properties.

- Semi-supervised learning is a method of machine learning that combines a small number of labelled datasets and a large number of unlabelled datasets. This approach is justified by the fact that obtaining high-quality marked-up datasets is a resource-intensive and time-consuming process

- Reinforcement learning is a special case of learning with a teacher, in which the ‘teacher’ is the operating environment that gives feedback to the information system depending on its decisions.


Machine learning can also use other algorithms, such as Bayesian networks, Markov chains, gradient bousting.

- Deep learning is a special case of machine learning that uses a complex multilayer artificial neural network to emulate the human brain and process speech (natural language processing), sound (speech recognition) and visual images (computer vision). Computer vision is now widely used in security systems, transport and passenger control. Natural language processing and speech recognition systems help Siri or Alice to answer users' questions.

- Big Data is a large amount of structured and unstructured data in digital form, characterised by volume, velocity and variety. Specialised software tools such as Apache Hadoop / Storm / Spark, Kaggle, NoSQL class DBMS can be used to process Big Data. It is believed that to increase business-value when using Big Data it is necessary to move from heterogeneous data to structured information and then to knowledge (information). A processed, structured and labelled dataset derived from a relevant Big Data set is a necessary (and one of the most valuable) component for machine learning in modern systems.

- Data mining - structuring and extraction of useful information from heterogeneous and unstructured data, including Big Data.

- Fuzzy logic - application of non-strict rules and fuzzy answers to solve problems in artificial intelligence systems and neural networks. It can be used to model human behaviour, for example, to narrow or limit the conditions of searching for an answer to a question depending on the context.


Having considered the basic definitions and principles, let us move on to the issue of practical application of AI systems in cybersecurity. The use of AI in cyber security is justified primarily by two factors: the need for rapid response in the event of a cyber incident and the shortage of qualified cyber defence specialists. Indeed, in today's reality, it is quite difficult to fill staffing levels with qualified IS specialists with the necessary experience, and large-scale IS incidents can develop rapidly: the count is often in minutes. If a company does not have a 24/7 shift of IS analysts on duty, it will be difficult to provide quality protection after hours without a system for rapid autonomous response to cyber incidents. In addition, attackers may perform a distraction before their attack, such as launching a DDoS attack or active network scanning, distracting cyber specialists. In such situations, an artificial intelligence-based cyber incident response system that can simultaneously process a large number of IS events, automate routine actions of IS analysts and provide rapid response to incidents without human intervention can help. For example, our IRP/SOAR Security Vision solution makes extensive use of artificial intelligence and machine learning mechanisms: the platform, trained on previously resolved incidents, will suggest to the analyst the appropriate response action depending on the type of cyber incident and its properties, will assign the optimal response team from colleagues with the most relevant knowledge, and if atypical suspicious events are detected, the system itself will create the corresponding incident and notify the IS department staff about it. IRP/SOAR Security Vision uses algorithms for predictive response to cyber incidents: the trained system can predict the attack vector and its subsequent development in the infrastructure, show trends, and then automatically stop malicious actions and advise SOC-centre analysts.


Artificial intelligence-based protection systems will be indispensable for detecting anomalies in a large number of information security events, for example, by analysing security logs, data from SIEM systems or SOAR solutions. This information, together with data from already worked and closed IS incidents, will constitute a high-quality marked-up dataset on which the system can be easily trained.


As a rule, classical systems of deviation analysis are based on some rules predetermined by operators: for example, exceeding the volume of specific traffic, a certain number of unsuccessful authentication attempts, a certain number of consecutive triggers of protection systems. Systems based on artificial intelligence will be able to make decisions independently, ‘without looking’ at the rules previously created by IS employees, which may have lost their relevance and do not take into account the changed IT infrastructure.


Anomaly detection can help to protect user data - for example, an online banking service can collect and analyse data on customer patterns to quickly identify compromised accounts. For example, if a user has been connecting to the service from a Russian IP address on weekdays during business hours and using Internet Explorer browser for the last year, then if the user is connecting from China using Mozilla Firefox browser at night, the user's account may need to be temporarily blocked and an alert sent to the user. Financial institutions can also use machine learning and artificial intelligence systems for borrower scoring, financial risk analysis, and anti-fraud systems.


Another model of using artificial intelligence systems in cybersecurity is working with internal intruders: knowing the typical behaviour of a user, the system can send a warning to IS analysts in case of a significant change in the employee's work pattern (visiting suspicious sites, prolonged absence from the work PC, changing the circle of communication in the corporate messenger, etc.). Protection systems equipped with computer vision and speech processing will be able to promptly notify security about attempts to pass through the gatehouse by outsiders or employees using other people's passes, analyse the work activity of employees using web cameras, assess the correctness of communication between managers and clients by phone.


At the same time, we should not forget that cybercriminals also use artificial intelligence-based systems: there are known fraudulent methods of using Deep fake (creating a realistic virtual image of a person) to deceive anti-fraud systems, fake voices for fraudulent calls to relatives of the attacked persons asking them to transfer money, use of telephone IVR-technologies for phishing and stealing money. The malware also uses artificial intelligence elements that allow attackers to escalate their privileges much faster, navigate the corporate network, and then find and steal data of interest. In summary, the technologies that are available to the public are being used for both good and bad, which means that the most sophisticated defences can and should be used to combat these trained cybercriminals.


Recommended

Cyberattacks. Part 1: Technical Tools and Implementation Techniques
Cyberattacks. Part 1: Technical Tools and Implementation Techniques
information security SOAR

18.12.2023

A summary of NIST's special publications on information security. Part 1
A summary of NIST's special publications on information security. Part 1
information security

20.12.2021

Enterprise information security policy - example and tips for development
Enterprise information security policy - example and tips for development
information security

19.08.2024

The ethical hacker and his role in security
The ethical hacker and his role in security
information security

13.11.2023

Open software supply chain attack reference (OSC&R)
Open software supply chain attack reference (OSC&R)
information security MITRE

02.05.2024

Why and how to display information: object constructor
Why and how to display information: object constructor
information security

19.12.2022

Role-based security model and its differences from the attribute-based access control model
Role-based security model and its differences from the attribute-based access control model
information security

26.08.2024

Review of NIST SP 800-150 "Guide to Cyber Threat Information Sharing"
Review of NIST SP 800-150 "Guide to Cyber Threat Information Sharing"
information security

05.07.2022

Development without code
Development without code
information security SOAR

24.06.2024

Situational awareness in cyber security
Situational awareness in cyber security
information security

13.09.2021

Measuring the effectiveness of cybersecurity processes. IS metrics. Part 3
Measuring the effectiveness of cybersecurity processes. IS metrics. Part 3
information security

26.07.2021

Business Continuity Product (Security Vision BCP) as a link between IT and IS processes
Business Continuity Product (Security Vision BCP) as a link between IT and IS processes
information security

02.11.2023

Recommended

Cyberattacks. Part 1: Technical Tools and Implementation Techniques
information security SOAR

18.12.2023

Cyberattacks. Part 1: Technical Tools and Implementation Techniques
A summary of NIST's special publications on information security. Part 1
information security

20.12.2021

A summary of NIST's special publications on information security. Part 1
Enterprise information security policy - example and tips for development
information security

19.08.2024

Enterprise information security policy - example and tips for development
The ethical hacker and his role in security
information security

13.11.2023

The ethical hacker and his role in security
Open software supply chain attack reference (OSC&R)
information security MITRE

02.05.2024

Open software supply chain attack reference (OSC&R)
Why and how to display information: object constructor
information security

19.12.2022

Why and how to display information: object constructor
Role-based security model and its differences from the attribute-based access control model
information security

26.08.2024

Role-based security model and its differences from the attribute-based access control model
Review of NIST SP 800-150 "Guide to Cyber Threat Information Sharing"
information security

05.07.2022

Review of NIST SP 800-150 "Guide to Cyber Threat Information Sharing"
Development without code
information security SOAR

24.06.2024

Development without code
Situational awareness in cyber security
information security

13.09.2021

Situational awareness in cyber security
Measuring the effectiveness of cybersecurity processes. IS metrics. Part 3
information security

26.07.2021

Measuring the effectiveness of cybersecurity processes. IS metrics. Part 3
Business Continuity Product (Security Vision BCP) as a link between IT and IS processes
information security

02.11.2023

Business Continuity Product (Security Vision BCP) as a link between IT and IS processes

Other articles

Cyberattacks. Part 1: Technical Tools and Implementation Techniques
Cyberattacks. Part 1: Technical Tools and Implementation Techniques
information security SOAR

18.12.2023

Security Vision's ‘Chips’: building an ecosystem
Security Vision's ‘Chips’: building an ecosystem
information security

13.03.2023

How the technical side of data leakage protection is organised
How the technical side of data leakage protection is organised
information security

22.08.2022

IDE for development of no-code security features
IDE for development of no-code security features
information security SOAR SIEM

06.06.2024

How malware works. Part 1
How malware works. Part 1
information security

19.11.2024

Directory of Information Security Legislation of the Russian Federation
Directory of Information Security Legislation of the Russian Federation
information security

15.01.2024

Review of the publication NIST SP 800-61 "Computer Security Incident Handling Guide". Part 1.
Review of the publication NIST SP 800-61 "Computer Security Incident Handling Guide". Part 1.
information security

21.11.2022

The role of the cyber polygon in IS assurance
The role of the cyber polygon in IS assurance
information security

19.04.2022

SCA in the language of the safety officer
SCA in the language of the safety officer
information security

05.09.2024

Other articles

Cyberattacks. Part 1: Technical Tools and Implementation Techniques
information security SOAR

18.12.2023

Cyberattacks. Part 1: Technical Tools and Implementation Techniques
Security Vision's ‘Chips’: building an ecosystem
information security

13.03.2023

Security Vision's ‘Chips’: building an ecosystem
How the technical side of data leakage protection is organised
information security

22.08.2022

How the technical side of data leakage protection is organised
IDE for development of no-code security features
information security SOAR SIEM

06.06.2024

IDE for development of no-code security features
How malware works. Part 1
information security

19.11.2024

How malware works. Part 1
Directory of Information Security Legislation of the Russian Federation
information security

15.01.2024

Directory of Information Security Legislation of the Russian Federation
Review of the publication NIST SP 800-61 "Computer Security Incident Handling Guide". Part 1.
information security

21.11.2022

Review of the publication NIST SP 800-61 "Computer Security Incident Handling Guide". Part 1.
The role of the cyber polygon in IS assurance
information security

19.04.2022

The role of the cyber polygon in IS assurance
SCA in the language of the safety officer
information security

05.09.2024

SCA in the language of the safety officer

This website uses cookies to ensure you get the best experience.