Shankar Chandrasekhar is Azure CTO at Palo Alto Networks.
Imagine you run a casino. Security is obviously a major concern, and it spans multiple domains. Physical access control is paramount; you may have guards or bodyguards at every doorway to ensure that indecent or disruptive people don’t enter the premises, and to quickly remove unruly guests. There are also digital security threats, especially financial ones: given the large amount of money flowing in and out of casinos between bank accounts and credit cards every day (fun fact: casinos are legally considered financial institutions), the digital systems that control these processes must be well hardened and vigilantly monitored.

Then there are security issues specific to casinos: casinos can be vulnerable to people trying to cheat, count cards, run Ocean’s Eleven-style schemes, or otherwise disrupt legitimate game flow. With hundreds or even thousands of different games and bets going on at the same time, especially on weekend nights or nights when big games are on, it takes a lot of eyes to monitor the floor and make sure everything is above board.
These discrete areas of security all require consistent attention and robust data collection to account for the digital and in-person behavior of every casino guest, in order to identify and mitigate threats before they become dangerous or costly security breaches. But hiring dedicated security experts for each area (gaming, financial transactions, access control) can mean a lot of people stepping on each other’s toes, literally and figuratively. So you might prefer to consolidate all these security areas under one umbrella – but how can you do that with enough precision and control?
The Dilemma of Expertise and Integration
The question facing this hypothetical casino owner—whether it is better to have separate experts or to consolidate operations under one umbrella—is particularly relevant to the state of enterprise-level security operations center (SOC) services today. Gone are the days when SOC administrators would introduce multiple security products and integrate them with their own systems, on the assumption that no one knows a specific telemetry source better than the product’s owner. In today’s enterprise security environment, cobbling together systems from a range of different products and then using your own system as a service desk, with a few security analysts writing reports and initiating upgrades if needed, is considered very “old school.”
The importance of an intelligent data foundation
In the face of today’s sophisticated cybersecurity threats, it is important that companies not only have the ability to collect extensive telemetry data, but also integrate it and use this data foundation to support advanced analytics, resulting in actionable security solutions.
The platform’s data foundation should come from infrastructure telemetry, threat intelligence, and attack surface analysis. With an intelligent data foundation and the right metrics, accelerating response and staying ahead of most changes in the threat landscape becomes easier, thanks to the influx of diverse, actionable intelligence. It is important to collect, enrich, and stitch together the telemetry data from all tools and map it to the MITRE ATT&CK framework. Once mapped, the next generation of AI/ML-based tools (now often managed as a service) can spot a range of attackers who are probing and injecting themselves into your organization.
New wave of SOC solutions
AI/ML-based SOCs have many advantages over traditional solutions, not the least of which is the ability to identify and neutralize an unlimited number of threats (malware, phishing, password attacks, SQL injection, insider threats, etc.) instantly, based on the ability to learn what standard behavior within a system looks like and to detect any abnormal change. For example, if an authenticated and authorized user logs into the system a hundred times in one morning, a legacy system may not find anything suspicious; after all, this is an authorized user. However, a system built to learn patterns of behavior and spot deviations from them can quickly investigate such incidents and, if necessary, respond faster.
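The two ideas above, stitching raw telemetry into per-user baselines and judging each user against their own history rather than a global rule, can be shown in a small script. This is an added illustration, not code from the author or from any Palo Alto Networks product; the log format, the user names, and the choice of ATT&CK technique T1078 (Valid Accounts) as the tag for an abused-credential finding are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample telemetry (not real logs): one line per successful login.
# 2024-05-01..05 form the learning window; 2024-05-06 is the morning under review.
def _lines(day, user, n):
    return [f"{day}T08:{s // 60:02d}:{s % 60:02d}Z auth user={user} result=success" for s in range(n)]

SAMPLE_LOG = "\n".join(
    sum([_lines(f"2024-05-0{d}", "alice", 4) for d in range(1, 6)], [])
    + sum([_lines(f"2024-05-0{d}", "bob", 40) for d in range(1, 6)], [])  # chatty service account
    + _lines("2024-05-06", "alice", 100)  # the "hundred logins in a morning" case from the text
    + _lines("2024-05-06", "bob", 42)
    + _lines("2024-05-06", "carol", 100)  # account never seen in the learning window
)

LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth user=(?P<user>\S+) result=success$")
ATTACK_TAG = "T1078"  # MITRE ATT&CK "Valid Accounts"; assumed tag for this class of finding

def count_logins(log_text):
    """Stitch raw lines into per-day, per-user successful-login counts."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m["day"]][m["user"]] += 1
    return counts

def assess(user, today, history, z_threshold=3.0):
    """Judge today's count against this user's own baseline, not a global threshold."""
    if not any(history):
        return "new-entity"  # nothing to compare against: route to an analyst
    mean, stdev = statistics.mean(history), statistics.pstdev(history)
    z = (today - mean) / max(stdev, 1.0)  # floor the spread so a flat baseline cannot divide by zero
    return "anomalous" if z > z_threshold else "normal"

def triage(log_text, review_day):
    """Return {user: (logins_today, verdict, tag)} for every user active on review_day."""
    counts = count_logins(log_text)
    learning_days = sorted(d for d in counts if d < review_day)
    findings = {}
    for user, today in counts[review_day].items():
        history = [counts[d].get(user, 0) for d in learning_days]
        verdict = assess(user, today, history)
        findings[user] = (today, verdict, ATTACK_TAG if verdict == "anomalous" else None)
    return findings
```

Calling `triage(SAMPLE_LOG, "2024-05-06")` flags alice (100 logins against a baseline of 4) while leaving bob alone at 42, because bob's own baseline is 40; the same raw count is suspicious for one identity and routine for another, which is exactly what a fixed rule misses.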
In addition, these new SOCs are very “smart” at anticipating threats: gathering intelligence on attacks and vulnerabilities affecting systems around the world, and applying this knowledge to their own systems. For example, if a virus is deployed in European markets at the start of the workday, by the time Americans log in the threat has already been identified, and incident response and proactive security measures are in place.
AI/ML-driven systems are also cost-effective: instead of relying on multiple disparate systems such as logging infrastructure, multiple SOCs, and then multiple threat intelligence subscriptions (each with its own overhead) transactions.
Defend against more sophisticated enemies
Today, our adversaries are far more sophisticated. If your SOC automation products don’t get full visibility, and your security telemetry isn’t centralized in one place, you’ll only find script-kiddie attacks – not the attacks of your more serious adversaries.
The best data analysis systems not only help you identify the “right” data points in your dataset, but also connect them together for a robust response. The end result should be an automated SOC capable of finding and remediating vulnerabilities quickly and efficiently, and staying ahead of future threats. With ML- and AI-based SOCs built on a strong and diverse foundation of data, in casino parlance, the house always wins.