Analytics, AI, and Automation: From Black and White to Lighter Shades of Gray in Cybersecurity

By Ashok Banerjee · February 15, 2024

When I speak to customers and CISOs about what’s happening in cybersecurity today, a line I find myself coming back to repeatedly is that we are moving from a world of black and white to one that exists on a spectrum of gray. Increasingly, we are moving to lighter and lighter shades of gray. What I mean is that nuance is extremely important. Threats are much more stealthy. You may have something that looks very much like a benign process, but it is malicious in small deviations.

This needs a world where investigations are a lot more accelerated and we investigate more – a lot more. Not only that, we are performing more forensics and remediation. To counter today’s cyber threats you need investigation at scale, bulk forensics, bulk remediation. But how? How do you address today’s nuanced cybersecurity world when SOC teams are overwhelmed, analysts are burning out, one minute you step away to get a coffee and when you come back you are already ransomed? You need AI. But I would say you need AI that will make an impact. AI and its subset, machine learning, have been present in cybersecurity for a while now. Just about everyone uses AI in detection. At Trellix, we have machine learning detection models that go back a decade or more. What is different now, and what is coming that will truly change the way you’re able to protect your organization?

Three As: Analytics, AI, and automation

At Trellix, we’re thinking about this convergence of AI and cybersecurity with a simple shorthand. There are three “As” that matter now: analytics, AI, and automation. They are interconnected, and together their power is transformative for security operations.

First, let’s address analytics. Security operations teams struggle to get meaningful analytics from a flood of data. This is one reason, for example, organizations turn to our AI-powered XDR platform, for AI can certainly guide analysis to accelerate detection and response.

Right now we are seeing a lot of attention on using GenAI to assist these efforts. The way it’s being used is almost analogous to Google. You ask it something and it can summarize what’s going on and provide some surrounding information. This is very helpful. But we should ask more of AI than just additional verbiage.

Where AI will make a difference for you is in deeper contextualization that goes beyond simple summarization. Powered by AI, this deep contextualization will help you find not just the needle in the haystack, but THE needle in a stack of other needles.

Where this becomes incredibly powerful is when AI and analytics meet our other “A,” automation.

AI and automation

AI becomes truly powerful when it enables automation. As we demonstrated at AWS re:Invent, we are adding capabilities to our AI-powered EDR so that it is running the steps of a full workflow for you.

Now, AI can guide automation across queries to find the needles masquerading as other needles, or determine if they are simple pieces of hay. You can use AI to recommend steps for forensics or remediation. And AI-guided workflows can proactively mitigate your risk. This is what we mean by the journey from reactive to adaptive security operations.

To take one example, our policy manager, Trellix ePO, provides policy management at massive scale. With AI-guided policy management, you will be able to self-correct. Just as with self-driving cars, computer vision watches the lanes and alerts you to any deviation, we are at a point where AI-guided ePO can self-correct and suggest that you enable certain actions proactively.

For instance, you may see that one of your users, John, was attacked three times in the last 10 minutes with phishing and targeted attacks. Knowing that, I’m going to proactively be more aggressive on his device. Where there is the slightest suspicion on his device I’m going to say this is malicious, I’m killing the suspicious process. Whereas maybe with another user, Amber, her device hasn’t been attacked. So we allow Amber to continue to work on things, whereas on John’s machine we quarantine or IO sandbox or start versioning changes if we suspect ransomware. If we are sufficiently sure, then we will kill the suspicious process.

In the real world, in an organization where you have tens of thousands – maybe hundreds of thousands – of devices, you need AI to run the steps of this workflow for you.

Autonomous security

Autonomous security, which functions with complete efficacy through network interruptions, disconnects, and intermittent connections to the cloud is important, since attackers sometimes mess with connectivity as a measure to lower efficacy. Ransomware is a top threat, as we know. With many vendors, their traditional endpoint protection is now in the cloud. Attack the router and you disconnect the cloud protection. Post compromise, in six to seven minutes the drives are encrypted. But with Trellix, we function in air-gapped environments, we function in DoD environments, we function in submarines. And whether it’s on-prem, hybrid or cloud, connected, disconnected, or intermittently connected, we bring homogenous security with heterogeneous deployment. We don’t force customers to be in the cloud or not. Go where you need to go, we’re with you. You can do whatever you want, we will track the security intent and we will enforce it through a familiar ePO construct.

AI-guided automation becomes game-changing in the real-life situations of today’s SOC, where AI enables you to block out more so that your team can do more with what gets through. We are very low noise, so there is a very strong signal in what we are saying. This ultimately is what matters with AI: the human side. You may have only a few resources, a small team, but with AI on your side, you are able to focus on the signal instead of the noise. And you are able to save time when time is of the essence.

To learn more, join us at the Trellix AI and Adaptive Security Operations Virtual Summit.