WEBVTT

0:00:03.420000 --> 0:00:06.740000
 Hello everyone and welcome to this video.


0:00:06.740000 --> 0:00:10.680000
 In this video we're going to be tying
 off this section of the course by

0:00:10.680000 --> 0:00:16.800000
 taking a look at AI and machine
 learning in SOC operations.

0:00:16.800000 --> 0:00:22.000000
 The idea is to give you an overview of
 your basic understanding, I wouldn't

0:00:22.000000 --> 0:00:28.040000
 say basic, but an initial foray into
 how AI and machine learning are being

0:00:28.040000 --> 0:00:34.540000
 used in modern-day or contemporary
 security operations centers.

0:00:34.540000 --> 0:00:41.600000
 Given the fact that this is a relatively
 new type of technology and here

0:00:41.600000 --> 0:00:46.340000
 I'm referring to artificial intelligence,
 we have started seeing AI and

0:00:46.340000 --> 0:00:51.740000
 machine learning being implemented into
 various, I would say, SOC tools

0:00:51.740000 --> 0:00:56.860000
 and technologies that you would expect
 like, you know, SIEM, SOAR, of

0:00:56.860000 --> 0:01:01.840000
 course, etc. So we're not going to dive
 too deep into this at this point

0:01:01.840000 --> 0:01:05.680000
 in time or in this course, but just
 wanted to give you, you know, that

0:01:05.680000 --> 0:01:10.580000
 high-level understanding or an idea
 as to how AI and machine learning

0:01:10.580000 --> 0:01:15.040000
 are being integrated into, as
 I said, the modern-day SOC.

0:01:15.040000 --> 0:01:21.160000
 So in SOCs, I should say modern-day security
 operations centers, AI, artificial

0:01:21.160000 --> 0:01:26.640000
 intelligence as it's known, and machine
 learning abbreviated as ML are

0:01:26.640000 --> 0:01:31.340000
 leveraged to enhance threat detection,
 analysis, and incident response.

0:01:31.340000 --> 0:01:35.780000
 These technologies help automate routine
 tasks, identify sophisticated

0:01:35.780000 --> 0:01:40.600000
 threats, and help security teams respond
 faster and more effectively to cyber

0:01:40.600000 --> 0:01:45.780000
 attacks. AI, just to clarify if you're
 new to it, you know, in terms of

0:01:45.780000 --> 0:01:50.840000
 what it is and its relation to machine
 learning, AI involves systems designed

0:01:50.840000 --> 0:01:54.180000
 to, you know, mimic human intelligence,
 and that gives you an idea as to

0:01:54.180000 --> 0:01:58.040000
 how, you know, how AI is used,
 you know, to automate things like

0:01:58.040000 --> 0:02:01.240000
 playbooks and triage, etc.

0:02:01.240000 --> 0:02:07.320000
 But machine learning, which is a subset
 of AI enables systems, these SOC

0:02:07.320000 --> 0:02:11.400000
 tools and technologies to learn from
 data, which in this case would be

0:02:11.400000 --> 0:02:15.640000
 logs, and improve over time without
 being explicitly programmed.

0:02:15.640000 --> 0:02:19.140000
 And that's sort of the key thing or
 the key differentiating factors that

0:02:19.140000 --> 0:02:28.860000
 AI will really become, you know, a tool
 or something that will help the

0:02:28.860000 --> 0:02:34.060000
 SOC analyst become better or more efficient,
 whereas the machine learning

0:02:34.060000 --> 0:02:38.560000
 aspect comes or operates in the background,
 you know, think about the

0:02:38.560000 --> 0:02:42.940000
 SIEM and the data that it's collecting
 and the correlation and enrichment and

0:02:42.940000 --> 0:02:45.000000
 all of that good stuff.

0:02:45.000000 --> 0:02:49.800000
 ML really is applied in that context
 or in support of that function.

0:02:49.800000 --> 0:02:54.960000
 So to sort of dive a little bit deeper
 into that, I've sort of addressed

0:02:54.960000 --> 0:02:58.640000
 some of the, you know, challenges that
 are, you know, frequently faced

0:02:58.640000 --> 0:03:03.660000
 or you typically find in a SOC and
 how AI or machine learning is being

0:03:03.660000 --> 0:03:08.360000
 applied to, you know, deal with those
 challenges or to respond to those

0:03:08.360000 --> 0:03:12.000000
 challenges. So firstly, we have,
 you know, higher alert volume.

0:03:12.000000 --> 0:03:15.260000
 How is AI and/or machine
 learning applied here?

0:03:15.260000 --> 0:03:19.180000
 Well, you know, it helps in filtering out
 false positives and prioritizing

0:03:19.180000 --> 0:03:23.180000
 threats. The other challenge
 is evolving threats, right?

0:03:23.180000 --> 0:03:27.280000
 So attackers are constantly evolving
 in terms of their TTPs or their trade

0:03:27.280000 --> 0:03:29.880000
 craft, as well as the malware
 that they use, etc.

0:03:29.880000 --> 0:03:33.480000
 So how does AI or machine learning
 help in this case?

0:03:33.480000 --> 0:03:37.500000
 Well, it helps detect new and unknown
 attack patterns using a technique

0:03:37.500000 --> 0:03:41.940000
 known as behavioral analysis. We won't
 dive into what that is at the moment,

0:03:41.940000 --> 0:03:48.300000
 but just want to give you, you know,
 that that application or list it

0:03:48.300000 --> 0:03:52.680000
 out as such. So the other challenge is
 obviously limited human resources.

0:03:52.680000 --> 0:03:59.280000
 So given the fact that AI and really
 AI is, you know, quite a few basic

0:03:59.280000 --> 0:04:04.900000
 repetitive tasks, it can be used in
 the SOC to, you know, help automate

0:04:04.900000 --> 0:04:12.300000
 repetitive tasks of, you know, low, low
 complexity, I should say, therefore,

0:04:12.300000 --> 0:04:14.560000
 reducing analyst workload.

0:04:14.560000 --> 0:04:18.120000
 And then of course, you have
 slow incident response times.

0:04:18.120000 --> 0:04:22.320000
 AI or machine learning can be applied
 here to, you know, provide real

0:04:22.320000 --> 0:04:27.880000
 time insights and accelerate response actions
 and then complex data analysis.

0:04:27.880000 --> 0:04:32.240000
 So AI, and this is really a case for
 machine learning, can be used to

0:04:32.240000 --> 0:04:36.160000
 correlate massive data sets to uncover
 hidden attack patterns that would

0:04:36.160000 --> 0:04:40.780000
 have been almost impossible to do manually
 given the, you know, high amount

0:04:40.780000 --> 0:04:43.720000
 of data that would need to be correlated.


0:04:43.720000 --> 0:04:46.300000
 Also the complex nature of the data.

0:04:46.300000 --> 0:04:52.700000
 So how... there's something else you're
 probably asking yourself, that question

0:04:52.700000 --> 0:04:58.420000
 given what I just pointed out in the
 previous slide, but how do AI and

0:04:58.420000 --> 0:05:01.900000
 machine learning enhance,
 you know, these SOC tools?

0:05:01.900000 --> 0:05:08.100000
 So on the left column, I've sort of outlined
 these common or core or essential

0:05:08.100000 --> 0:05:12.880000
 SOC tools and technologies and to the
 right, I've listed out how AI and

0:05:12.880000 --> 0:05:17.420000
 or machine learning, in conjunction
 with each other have enhanced these

0:05:17.420000 --> 0:05:23.240000
 tools. So in the case of the SIEM, AI
 and machine learning, you know, can

0:05:23.240000 --> 0:05:27.040000
 help improve anomaly detection and
 reduce false positives by analyzing

0:05:27.040000 --> 0:05:29.180000
 complex data patterns.

0:05:29.180000 --> 0:05:33.460000
 In the case of EDRs, AI and machine learning
 can be used to detect unknown

0:05:33.460000 --> 0:05:38.680000
 malware and suspicious endpoint behavior
 using again, behavioral analysis.

0:05:38.680000 --> 0:05:44.060000
 In the case of SOAR, or SOAR solutions
 or platforms, AI and machine learning

0:05:44.060000 --> 0:05:47.780000
 can be used to automate decision-making
 processes and optimize response

0:05:47.780000 --> 0:05:52.220000
 workflows. You know, we already talked
 a little bit about that.

0:05:52.220000 --> 0:05:54.640000
 And then we have the NDR, right?

0:05:54.640000 --> 0:05:58.580000
 So network detection and response, how do
 AI and machine learning help here?

0:05:58.580000 --> 0:06:00.240000
 How does it enhance this?

0:06:00.240000 --> 0:06:04.560000
 Well, it helps in identifying anomalous
 network traffic and lateral movement

0:06:04.560000 --> 0:06:09.240000
 across systems. So it aids that process
 as opposed to doing anything,

0:06:09.240000 --> 0:06:10.620000
 you know, out of the box.

0:06:10.620000 --> 0:06:14.380000
 And the key thing I want you to understand
 here or to pick from this particular

0:06:14.380000 --> 0:06:19.840000
 slide is that, you know, the inclusion
 of AI and machine learning in the

0:06:19.840000 --> 0:06:23.660000
 SOC is not something that's going to,
 you know, get rid of SOC analysts.

0:06:23.660000 --> 0:06:28.420000
 It really is making analysts better,
 faster, more efficient, you know,

0:06:28.420000 --> 0:06:32.380000
 and just improving the efficacy or
 the efficiency of SOC analysts.

0:06:32.380000 --> 0:06:36.520000
 In the case of UEBA, which I already
 explained in a previous video, AI

0:06:36.520000 --> 0:06:41.580000
 and machine learning can be used to, you
 know, continuously learn and adapt

0:06:41.580000 --> 0:06:46.640000
 to user behaviors, identifying deviations
 that indicate potential threats.

0:06:46.640000 --> 0:06:51.620000
 So that's how AI and machine
 learning enhances SOC tools.

0:06:51.620000 --> 0:06:56.100000
 And over here, I've listed out some
 real world examples of how AI and

0:06:56.100000 --> 0:07:00.620000
 or machine learning has been integrated
 into these SOC tools.

0:07:00.620000 --> 0:07:05.080000
 So over here, I've sort of listed out the
 vendors or tools and the AI/ML

0:07:05.080000 --> 0:07:08.360000
 capabilities that come with these tools.

0:07:08.360000 --> 0:07:12.960000
 So in the case of CrowdStrike Falcon,
 which is an EDR, they now have,

0:07:12.960000 --> 0:07:16.660000
 you know, it's pretty much an AI-driven
 EDR that has advanced behavioral

0:07:16.660000 --> 0:07:19.540000
 detection and threat
 hunting capabilities.

0:07:19.540000 --> 0:07:24.560000
 In the case of Microsoft Sentinel,
 it uses AI to analyze security data

0:07:24.560000 --> 0:07:27.360000
 and identify suspicious activities.

0:07:27.360000 --> 0:07:31.080000
 In the case of Darktrace, it leverages
 machine learning for autonomous

0:07:31.080000 --> 0:07:35.060000
 response and anomaly detection
 in network environments.

0:07:35.060000 --> 0:07:39.280000
 In the case of Splunk, they use machine
 learning to create advanced correlation

0:07:39.280000 --> 0:07:42.560000
 rules and prioritize security alerts.

0:07:42.560000 --> 0:07:48.060000
 And in the case of Palo Alto Cortex
 XSOAR, it uses AI to, you know, pretty

0:07:48.060000 --> 0:07:52.340000
 much automate response processes and to
 recommend actions based on incident

0:07:52.340000 --> 0:07:57.780000
 data. So it's already starting to be integrated,
 whether it's AI or machine

0:07:57.780000 --> 0:08:04.240000
 learning. But you can see that AI is
 sort of being integrated to do the

0:08:04.240000 --> 0:08:09.020000
 stuff that I already described really for
 enhancement of detection, primarily

0:08:09.020000 --> 0:08:11.240000
 and to automate repetitive tasks.

0:08:11.240000 --> 0:08:16.560000
 But where you see machine learning, in certain
 cases, in the case of Darktrace,

0:08:16.560000 --> 0:08:19.680000
 you know, it leverages machine learning
 for autonomous response and anomaly

0:08:19.680000 --> 0:08:24.640000
 detection. But in the case of Splunk, you
 can start to see that machine learning

0:08:24.640000 --> 0:08:26.820000
 makes sense in the context of data.

0:08:26.820000 --> 0:08:30.680000
 And that's why you see advanced correlation
 rules that end up helping

0:08:30.680000 --> 0:08:36.000000
 or subsequently end up helping or assisting
 in the process of prioritizing

0:08:36.000000 --> 0:08:38.000000
 security alerts.

0:08:38.000000 --> 0:08:41.800000
 So with that being said, that's
 going to be it for me.

0:08:41.800000 --> 0:08:44.000000
 And I'll be seeing you in the next video.


