Automation for Cyber Security and Artificial Intelligence:
An Overview

INTRODUCTION

Automation is an important component of any cyber security strategy and plays an important role in artificial intelligence (AI). While many organizations rely on applications and policies to safeguard against attack vectors, and on action plans for when attacks occur, automation can play a critical role before, during, and after a system compromise. Well-planned automation reduces overall risk by allowing immediate, real-time actions that protect the integrity and availability of systems and data across the enterprise.

Automation

Employing automation is a common practice among systems administrators and cyber security practitioners. As systems and networks grow in complexity, administrators increasingly rely on automating many of the repetitive tasks required to configure and maintain those ecosystems. Many systems have interfaces for monitoring status, and logs can be analyzed for certain conditions. Additionally, customized tools may be developed to monitor for conditions within a system that are not already reported. As this information is collected, administrators, cyber security specialists, and even general users can automate reporting and responses in line with the system's concept of operations, security plans, and other desired activities.

An enterprise automation strategy takes that concept further: it applies customized monitoring and intervention utilities to each component of the network and ties them into the greater enterprise cyber security strategy, which may include AI support. The logging, auditing, and monitoring interfaces of the various components of the enterprise network should be used to help identify threat vectors and actionable events. This includes the collection, storage, aggregation, normalization, and analysis of that data as it is produced. Once the data is collected and prepared, actionable correlations are made and appropriate actions are taken without the need for human intervention. When applied properly, automation can be a very effective tool for taking rapid action, reducing risk, protecting proprietary information, and minimizing corporate liability.

Data Collection and Aggregation

A common method for optimizing the effectiveness of automation is the collection of event data and logs onto separate systems for analysis and for the activation of automated responses and protocols. This involves immediately routing copies of the output from monitoring tools and logs to a separate system or storage device. This output may be sent directly to a database management system, such as PostgreSQL, which supports multi-level security protocols, or stored as raw data in files to be transformed into structured data or normalized during post-processing steps. Database management systems are especially useful because they often provide services for automating queries, which can increase the efficiency of the automation strategy and reduce some of the burden incurred during data normalization.

By routing copies of the data onto a separate system, the majority of detection and response algorithms can run without increasing the load on the production systems. When the automation system detects an actionable event, it can be configured to send the corresponding actions to the proper servers, workstations, and other devices, while alerting relevant staff members. Remote aggregation also helps retain information and supports forensic analysis in the event a production system becomes compromised. Analysis tools for automation, cyber security, and AI may use this repository for a variety of tasks, including:
  • identifying current conditions requiring a response,
  • identifying trends indicating potential improvements and upgrades,
  • conducting incident and forensics investigations,
  • research for improving automation efforts.

Correlation

The heart of any automation effort is the correlation of activities with actions relative to the local ecosystem. Solutions that work well in one system or datacenter may not be sufficient in another, and may be too restrictive in others. Automation rarely comes as a one-size-fits-all solution. It is vital that practitioners identify what they are trying to achieve and what information is needed. For cyber security, this involves identifying threat vectors, distinguishing normal activities from hazardous anomalies, and maximizing the immediate reporting of all relevant resources. From an AI perspective, this involves developing models, training algorithms, and maximizing the data reported from the devices and components that are relevant to the problem being solved. For AI, this can require a lot of processing to prepare data, especially during the learning process, which is not a luxury that many cyber security efforts can afford. However, once AI algorithms are trained to identify and react to specific cyber threats, they can be very rapid and powerful tools for closing the gap between event and response. Some machine learning algorithms are especially capable of discovering new anomalies and categories of previously undefined actionable data.

Heterogeneity

Processing and storage networks often have a mix of operating systems (OS). For example, the enterprise storage system might be running Berkeley Software Distribution (BSD) OS under the hood, ecosystem servers and user workstations may be running Windows, mobile users might be connecting with Android and iOS, the Internet of Things (IoT) devices may be running Raspbian Linux, and the compute cluster might be based on Red Hat Linux. These are just examples of the visible systems that are often thought of when discussing processing and storage.

Deployment

Once the data for collection has been identified and tested, the detection algorithms are trained, and the responses are prepared and tested for each of the varying types of systems on the network, deployment may begin. Automation can generate anxiety among those who are responsible for managing the target systems, even when the process has been well vetted and tested. This is especially true if the automation strategy includes isolating or halting important systems or processes when the automation algorithm detects a threat.

Caution should always be taken when employing automation that can affect the integrity and availability of systems and data. As systems are updated, patched, and replaced, their output may change, which could affect the way they are perceived by the automation systems. It is important to update and test automation protocols whenever a change is made to any component of the network that may alter the way it reports status and activities. A well-deployed automation strategy that is kept up to date with changes to the network is a very powerful tool for maintaining the security, integrity, and availability of enterprise systems and data.
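As an added example (not code from the original paper), the following Python pulls together the data collection, correlation, and deployment points above: it normalizes constructed log lines as copied to a separate aggregation host, applies one correlation rule (repeated failed logins from one source within a time window) that produces a planned response for the target host plus an alert for staff, and flags any line whose format no longer matches, which is the kind of drift a patch or upgrade can cause. The log format, field names, threshold, and the `block_src` action name are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, as copied to the separate aggregation host.
# The last line uses a changed format (as after a patch) to show drift detection.
SAMPLE_LOGS = [
    "2018-05-01T10:00:01Z host=ws17 event=login_failed user=alice src=10.0.0.5",
    "2018-05-01T10:00:05Z host=ws17 event=login_failed user=alice src=10.0.0.5",
    "2018-05-01T10:00:09Z host=ws17 event=login_failed user=alice src=10.0.0.5",
    "2018-05-01T10:00:12Z host=ws17 event=login_ok user=bob src=10.0.0.7",
    "May  1 10:00:15 ws17 sshd[4412]: Failed password for alice from 10.0.0.5",
]

# Assumed key=value format produced by the monitored systems.
LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) user=(\S+) src=(\S+)$")

def normalize(line):
    """Turn one raw line into a dict; None means the line does not match the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, user, src = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "event": event, "user": user, "src": src}

def correlate(lines, threshold=3, window=timedelta(seconds=60)):
    """Apply one correlation rule: `threshold` failed logins from one source within `window`.
    Returns (actions, alerts). Actions are planned responses to send to the target host;
    alerts are messages for staff, including any line that failed to normalize (format drift)
    so that a silent parser failure never turns into a silent detection gap."""
    actions, alerts = [], []
    recent = defaultdict(deque)   # src -> timestamps of recent failures inside the window
    for line in lines:
        rec = normalize(line)
        if rec is None:
            alerts.append("unparsed line (format drift?): " + line)
            continue
        if rec["event"] != "login_failed":
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            actions.append({"host": rec["host"], "action": "block_src", "src": rec["src"]})
            alerts.append(f"{len(q)} failed logins from {rec['src']} on {rec['host']}")
            q.clear()   # one burst produces one action, not one per extra failure
    return actions, alerts
```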

CONCLUSION

Automation leverages the collection and analysis of event data to provide planned responses. Administrators and cyber security practitioners identify relevant events and actions, while leveraging AI to find new anomalies that may merit automated intervention. When applied properly, automation can be a powerful tool to quickly respond to cyber security threats, as well as maintain the integrity of the enterprise network.

Sabre Systems, Inc.

Experience. Quality. Results.

© 2018 Sabre Systems, Inc.  All rights reserved.
