blog に戻る

2024年04月16日 Christopher Beier

How AI will impact cybersecurity: the beginning of fifth-gen SIEM

AI + cybersecurity = fifth-gen SIEM

The power of artificial intelligence (AI) and machine learning (ML) is a double-edged sword — empowering cybercriminals and cybersecurity professionals alike. AI, particularly generative AI’s ability to automate tasks, extract information from vast amounts of data, and generate communications and media indistinguishable from the real thing, can all be used to enhance cyberattacks and campaigns.

While AI is anticipated to increase the volume and heighten the impact of cyber attacks, a recent report from the UK’s National Cyber Security Centre (NCSC) states that the most immediate AI-enabled cyber threats come from the evolution and augmentation of existing tactics, techniques and procedures (TTPs).

While AI is an advanced technology, harnessing it doesn’t necessarily require sophisticated expertise and knowledge. The NCSC assessment noted, “AI lowers the barrier for novice cybercriminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations.”

More intelligent attacks

The AI threat landscape comes in two forms: attacks using AI and attacks against AI, i.e., adversarial AI attacks. Overall, AI/ML facilitates automating stages of the attack lifecycle, known as the cyber kill chain. This automation accelerates the speed and scale of attacks, enabling adversaries to target multiple organizations simultaneously and adapt their tactics in real time based on the defensive measures they encounter.

Each of the seven stages represents a crucial step in the attacker's process, and understanding these stages is critical to developing effective cybersecurity strategies. AI has given bad actors significant advantages in several stages of the kill chain, enabling them to carry out attacks more efficiently and effectively.

The seven stages of the cyber kill chain

Step 1: Reconnaissance
In researching potential targets to find vulnerabilities and entry points, AI can automatically:

- Find leaked and stolen credentials
- Identify targets with a specific vulnerability or information on a particular target
- Identify applications associated with specific technologies or platforms
- Accelerate identifying and aggregating stolen credentials for access brokers

Step 2: Weaponization
In creating new types of malware or modifying existing tools to use in a cyberattack, AI can:

- Generate polymorphic exploit code for a given vulnerability
- Improve obfuscation to hinder detection, including generating polymorphic malware variants, obfuscating malicious code and mimicking legitimate user behavior to evade detection
- Modify existing ransomware to mimic adaptive and intelligent behavior, enabling real-time dynamic responses to countermeasures
- Poison data that introduces vulnerabilities, backdoors or biases that compromise the security, effectiveness, or ethical behavior of large language models (LLMs)

Steps 3-5: Delivery, exploitation and installation

To infiltrate a target’s network and reach users, AI can:

- Improve social engineering, generating more convincing spear phishing and phishing emails with ChatGPT and other large language models leveraging generative AI
- Generate realistic “deep fake” audio and video to impersonate someone familiar with a target
- Prompt injection to hijack virtual assistance and chatbot conversations
- Execute software supply chain attacks through third-party software providers

Step 6: Command and control
In communicating with installed malware within a target’s network, AI can:

- Accelerate breakout time with automated privilege escalation and lateral movement
- Orchestrate multiple compromised machines
- Enable deployed malware to act independently without instruction

Step 7: Actions on objectives
In carrying out cyberattack objectives, AI can:

- Automate covert data exfiltration that is less detectable
- Identify data that meets specified collection requirements

Fighting against AI cyberattacks with AI-powered cybersecurity

In the fight against adversarial AI tactics, the NCSC published guidelines for secure AI system development. The guidance is closely aligned with the NIST’s Secure Software Development Framework and the United States government’s ‘secure by design principles’ published by the Cybersecurity and Infrastructure Security Agency (CISA).

Because incorporating AI capabilities increases existing systems' attack surface beyond traditional cyber-attacks, the standard MITRE ATT&CK framework isn’t entirely applicable. To help map adversary behavior, the MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a globally accessible, living knowledge base of adversary tactics and techniques based on real-world attack observations and realistic demonstrations from AI red teams and security groups.

Defending against AI-powered cyberattacks requires a proactive approach that leverages AI-powered cybersecurity tools. Security teams can utilize these advanced tools to enhance the security of their systems and respond effectively to evolving cyber threats:

  • Hardening the system: AI-powered code analysis tools can scan and analyze software code to identify errors, insecure practices, and potential vulnerabilities. By detecting these issues early in development, organizations can proactively address security risks (hardening the system) before attackers exploit them. Additionally, AI-powered penetration testing can simulate cyberattacks to uncover vulnerabilities and help organizations strengthen their defenses. Sumo Logic enables a single unified platform for communication and calibrations across DevSecOps teams to ensure security shifts left in the CICD pipeline.

  • Improve threat detection: AI-driven anomaly detection, behavior-based analytics, and user behavior analytics play a crucial role in detecting and mitigating cyber threats. These tools compare real-time data against historical and predefined baselines to identify deviations that may indicate unusual activity. AI can also conduct deep packet inspection to analyze network traffic at a granular level, helping organizations identify and respond to potential intrusions more effectively. Sumo Logic Cloud SIEM employs machine data analytics to fine-tune rule severity recommendations to preserve true positive/resolved counts and minimize false positives or no action and user and entity behavior analytics (UEBA), a signal clustering algorithm, and an entity relationship graph for threat detection.

  • Faster incident response: AI can significantly enhance incident response capabilities by analyzing security incidents' severity, impact and context. By automating the analysis of security incidents, AI enables security teams to prioritize their response efforts and focus on addressing the most critical threats first. Additionally, AI can help organizations conduct thorough investigations of security incidents by analyzing telemetry data and providing insights into the root causes of the incidents. In defense of AI attacks, Sumo Logic Cloud SIEM employs automated playbooks, containment actions, context enrichment, and notifications.

Overall, AI-powered cybersecurity tools are essential for defending against AI-powered cyber-attacks. At the heart of every enterprise SOC lies the SIEM, a critical tool for managing security incidents.

As threats become increasingly sophisticated, tomorrow's security landscape will demand an advanced AI-powered SIEM. This shift will require a stronger focus on shifting security measures left, prioritizing system hardening to prevent attacks. While current SIEMs can detect some threats, there is a growing need for them to serve as a central source of truth across the enterprise.

To predict the future of AI-powered SIEM we must understand past SIEM generations

The SIEM Market

To understand the future of next-gen SIEMs, it's essential to look back at their evolution. The first generation, emerging in the late 1990s and early 2000s, was focused on reactive security measures and threat research, primarily handling log collection, storage, and basic analysis. These early SIEMs were used for compliance and log management, lacking real-time monitoring and correlation capabilities. Security teams relied heavily on manual threat research by monitoring various sources for emerging threats.

In the mid-2010s, the second-generation SIEM introduced improvements in correlation and alerting capabilities, enhancing threat detection and incident response. These SIEMs started incorporating basic security analytics and rules-based correlation, improving the efficiency of log analysis. However, real-time detection capabilities were still limited, requiring time to process indexed data before raising alerts.

In the late 2010s and early 2015, the third generation integrated more advanced analytics, focusing on real-time threat detection and integrating user and entity behavior analytics (UEBA). This shift towards proactive threat detection enabled organizations to identify and respond to threats quickly. However, this increased focus on real-time threat detection and UEBA came with significant costs in terms of log data ingestion and storage.

From mid-2015 to the present, the fourth generation introduced cloud-native SIEM solutions, offering scalability, flexibility, and ease of deployment for both cloud and on-premises logs. These SIEMs addressed the challenges of scalability, cost, and the need for additional automation. While some AI capabilities were integrated, such as machine learning algorithms for threat detection and behavior analytics, these were often limited. Instead, fourth-generation SIEMs relied heavily on automation features and improved case management capabilities to enhance their effectiveness.

Additionally, fourth-gen SIEMs seamlessly integrate with development tools and workflows, providing security teams with continuous visibility into the security posture of their applications. The advanced automation and orchestration capabilities streamline security operations, reducing the burden on development teams. Centralized logging and monitoring features allow for effective aggregation and analysis of log data, aiding in identifying and responding to security threats. Moreover, proactive threat-hunting capabilities enable security teams to detect and mitigate potential threats preemptively, ensuring a robust security posture throughout the software development lifecycle.

Embracing the future: top five capabilities of fifth-generation SIEM Solutions

As the digital landscape continues to evolve, so must our cybersecurity approach. Enter the fifth generation of SIEM solutions, where AI takes center stage. These cutting-edge systems are poised to revolutionize SOCs, offering predictive insights, automated responses, and seamless integration with DevSecOps. Let's delve into the top five future capabilities that define these next-gen SIEM solutions.

1. AI-driven predictive analytics for risk reduction

Imagine a world where your security system can anticipate threats before they occur. That's the promise of AI-driven predictive analytics in fifth-generation SIEM solutions. By leveraging advanced machine learning algorithms, these systems can analyze vast amounts of data in real time, identifying patterns and anomalies that may indicate a looming risk prior to deploying code. This proactive approach enables SOC personnel to stay one step ahead of potential cyber-attacks, ensuring a more secure digital environment.

2. Automated threat detection and response

Time is of the essence when responding to cyber threats. Fifth-generation SIEM solutions harness the power of AI to automate the detection and response to sophisticated threats. This means that security teams can rely on their SIEM system instead of manually sifting through alerts to identify and mitigate potential risks quickly, significantly reducing the likelihood of a successful attack.

3. Cross-platform collaboration

Gone are the days of isolated security tools. The future of next-gen SIEM lies in its ability to break down silos and enable cross-platform collaboration. Fifth-generation SIEM solutions facilitate a more comprehensive and unified security approach by integrating with various security tools and platforms. This ensures that all aspects of an organization's digital infrastructure are monitored and protected, enhancing overall security posture.

4. DevSecOps integration

Integrating security into the software development lifecycle is crucial in today's DevSecOps world. Fifth-generation SIEM solutions are designed to seamlessly integrate with DevSecOps processes, ensuring continuous security monitoring and hardening of software solutions. This collaboration between development, security, and operations teams fosters a more secure and efficient development process, ultimately leading to more reliable and secure software products.

5. Self-learning and adaptive security

As cyber threats continue to evolve, so too must our security systems. 5th generation SIEM solutions are equipped with self-learning capabilities, allowing them to adapt to the ever-changing security landscape. By continuously updating their threat intelligence and refining detection and response mechanisms, these systems ensure that organizations are always prepared to face the latest cyber challenges.

In conclusion, the fifth generation of SIEM solutions represents a significant leap forward in cybersecurity technology. With AI at the helm, these systems offer predictive analytics, automated responses, seamless DevSecOps integration, cross-platform collaboration, and adaptive security. As we move into this new era of cybersecurity, it's clear that fifth-generation SIEM solutions will play a pivotal role in safeguarding our digital future.

Learn more about how Sumo Logic Cloud SIEM can be your best defense against cyber threats in the age of AI.

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial

Christopher Beier

Principal Product Marketing Manager

Christopher has spent the past 25 years dedicated to work in cybersecurity. He's a US Navy veteran who did IT work in submarines.

From his home in Forest Grove, OR, he enjoys flying stunt kites, college football (Go Ducks!), and watching his kids' swim meets.

More posts by Christopher Beier.

これを読んだ人も楽しんでいます