Context, Context, Context
It’s become cliché to say that AI is overhyped in cybersecurity, but that doesn’t mean we should accept the status quo. In a previous post, I explored the silo problem that’s giving security managers gray hairs. We need relief, but if AI won’t take away our troubles any time soon, what should our industry be doing differently?
The opposite of silos is context.
Context means powering up security analytics with more “Five Ws” information: Who, What, When, Where, Why. It may seem an obvious approach to take, but this data boost is in fact missing from nearly all automated threat and vulnerability detection analysis today.
For example, consider an alert rule from Splunk’s AWS app: “CloudTrail Alert: Instances: Reboot/Stop/Terminate Actions”. Trying to use this rule in any real-world AWS environment would lead to a flood of alerts as virtual servers are brought up and down regularly. The most likely outcome would be that this noisy, “weak signal” alert would be downgraded by the security engineer to Low severity and pile up as silenced alarms in some corner of a dashboard that nobody opens.
But what if you soup up this same alert with the power of context?
With context from your user directory you could alert when a member of the customer support team starts shutting down virtual servers.
With context from your account asset inventory you could ignore alerts for a group of sandbox servers being deleted but ring all the alarm bells when the same thing happens to servers in the security account.
With context from your server asset inventory you can tag servers associated with security monitoring or production service as “always on” and alert if those specific servers are taken down.
The list of opportunities for high-fidelity alerting goes on and on. By combining contextual data with activity events, you’re only limited by your creativity. This context-driven approach can give a big boost to security teams, and when the vendors start training their models on datasets with context, AI might finally deliver on its promise to cybersecurity.
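The three enrichments above, as an added worked example that is not part of the original post or of Splunk’s AWS app: a small Python triage function takes CloudTrail-style Reboot/Stop/Terminate events and raises or suppresses the base alert’s severity using a user directory, an account inventory and an instance inventory. Every lookup table, account id, instance id and event below is constructed sample data, and the team name `infra-ops`, the `always_on` tag and the severity ladder are assumptions chosen for the illustration.

```python
"""Context-enriched triage of EC2 reboot/stop/terminate events.

Added example (not from the original post). All identifiers below are
constructed sample data, not real AWS accounts, users or instances.
"""

INSTANCE_ACTIONS = {"RebootInstances", "StopInstances", "TerminateInstances"}

# Ordered so that rules can combine by taking the maximum.
SEVERITY = ["suppressed", "low", "medium", "high", "critical"]

# Constructed user directory: IAM user name -> team. Only "infra-ops" is
# assumed to be the team that manages instance lifecycle.
USER_DIRECTORY = {
    "alice": {"team": "infra-ops"},
    "bob": {"team": "customer-support"},
}

# Constructed account inventory: account id -> purpose.
ACCOUNT_INVENTORY = {
    "111111111111": {"name": "sandbox", "purpose": "sandbox"},
    "222222222222": {"name": "prod", "purpose": "production"},
    "333333333333": {"name": "security", "purpose": "security"},
}

# Constructed instance inventory: instance id -> tags. "always_on" marks
# servers (security monitoring, production service) that must stay up.
INSTANCE_INVENTORY = {
    "i-0aaa": {"role": "siem-collector", "always_on": True},
    "i-0bbb": {"role": "sandbox-test", "always_on": False},
    "i-0ccc": {"role": "web-frontend", "always_on": True},
}


def _max_severity(a, b):
    return a if SEVERITY.index(a) >= SEVERITY.index(b) else b


def _user_name(event):
    # IAM users carry userName; assumed-role sessions only carry the ARN,
    # whose last path segment is the session name.
    ident = event.get("userIdentity", {})
    if "userName" in ident:
        return ident["userName"]
    return ident.get("arn", "").rsplit("/", 1)[-1] or "unknown"


def _instance_ids(event):
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return [i["instanceId"] for i in items if "instanceId" in i]


def triage(event, users=USER_DIRECTORY, accounts=ACCOUNT_INVENTORY,
           instances=INSTANCE_INVENTORY):
    """Return (severity, reasons) for one event, or None if it is not an
    instance lifecycle action."""
    if event.get("eventName") not in INSTANCE_ACTIONS:
        return None
    reasons = []

    # Account context: sandbox churn is expected; the security account is not.
    purpose = accounts.get(event.get("recipientAccountId", ""), {}).get("purpose")
    if purpose == "sandbox":
        severity, reasons = "suppressed", ["sandbox account"]
    elif purpose == "security":
        severity, reasons = "high", ["security account"]
    else:
        severity = "low"

    # User context: anyone outside infra-ops, or not in the directory, is flagged.
    user = _user_name(event)
    team = users.get(user, {}).get("team")
    if team is None:
        severity = _max_severity(severity, "medium")
        reasons.append(f"principal {user} not in directory")
    elif team != "infra-ops":
        severity = _max_severity(severity, "high")
        reasons.append(f"{user} is on {team}, not infra-ops")

    # Instance context: an always_on server going down is the loudest signal.
    for iid in _instance_ids(event):
        meta = instances.get(iid, {})
        if meta.get("always_on"):
            severity = _max_severity(severity, "critical")
            reasons.append(f"{iid} ({meta.get('role')}) is tagged always_on")
    return severity, reasons


def _event(name, user, account, *instance_ids, event_id, identity=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventID": event_id,
        "eventName": name,
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": identity or {
            "type": "IAMUser", "userName": user,
            "arn": f"arn:aws:iam::{account}:user/{user}"},
        "recipientAccountId": account,
        "requestParameters": {"instancesSet": {
            "items": [{"instanceId": i} for i in instance_ids]}},
    }


SAMPLE_EVENTS = [
    _event("StopInstances", "alice", "111111111111", "i-0bbb", event_id="evt-1"),
    _event("TerminateInstances", "bob", "222222222222", "i-0bbb", event_id="evt-2"),
    _event("TerminateInstances", "alice", "333333333333", "i-0aaa", event_id="evt-3"),
    _event("RunInstances", "alice", "222222222222", event_id="evt-4"),
    _event("StopInstances", "", "222222222222", "i-0ccc", event_id="evt-5", identity={
        "type": "AssumedRole",
        "arn": "arn:aws:sts::222222222222:assumed-role/DevRole/carol-session"}),
]


def run_sample():
    """Triage the constructed events; returns {eventID: severity}."""
    out = {}
    for e in SAMPLE_EVENTS:
        result = triage(e)
        if result:
            out[e["eventID"]] = result[0]
    return out


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["eventID"], triage(e))
```

The same Stop/Terminate event lands anywhere from suppressed to critical depending purely on the three lookups, which is the point: the detection logic is unchanged, only the context around it differs.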