On the surface, having lots of data becomes less of a problem with AI-driven security, as ML usually requires lots of data to train the model and learn the patterns. On the contrary, not enough data is obviously a problem as the less data, the less accurate and thus the less useful the ML model becomes. However, as time went by, researchers gradually realized that having the right data was far more important. Too much data without the right information is just a waste of computing power for ML as well as a waste of storage space. Earlier UEBA vendors with solutions based on logs from SIEM tools learned this hard lesson: the SIEM might have collected lots of logs, but only a few of them contain the right information related to user behaviors. So, although data-driven security builds a great foundation for AI-driven security, in order to build scalable and accurate AI-driven security, the right data is far more important.

Using AI definitely helps alleviate the pains with Big Data, but it has its own challenges. For example, both UEBA and NTA leverage unsupervised ML for behavior analysis. However, an abnormal behavior observed for a user or from network traffic does not necessarily mean a security incident. These tools can thus generate lots of noise, causing alert fatigue. Furthermore, the smart hacks usually go through several stages of the kill chain before they can be caught. How can you recover the trace of a breach and fix the root cause?

Finally, another big challenge facing AI-driven security collectively is cost: the capital cost of the tools themselves, the cost of the infrastructure of compute and storage used by these tools, and the cost of operating so many different tools in their silos with different screens.

AI and ML technologies can facilitate automated decision-making that blocks firewall ports or performs other attack-killing functions, but only if the right data is being fed to them.

Wave Three: The Rise of Correlation

Correlation provides the means to wade through the data to come up with the right data that enables us to spot zero-day attacks and other sophisticated hacks. The wave of correlation is built upon the two previous waves. However, it is all about getting above the data as well as the tools, and it is about wrapping everything together in a single platform. Correlation means consolidating tools so their results can be examined more easily, and correlating results from disparate tools so multi-phase attacks can be spotted and stopped.

Security analysts from ESG, Gartner, Forrester, IDC and Omdia all agree this change in thinking from siloed tools to a consolidated platform is key to helping us see and respond to critical breaches. Specifically, the platform needs to take an holistic approach and look at correlating detections across network, cloud, endpoints and applications: in short, the entire attack surface.

The key objectives of correlations of detections across tools, feeds and environments are to improve detection accuracy, to detect complex attacks by combining weaker signals from multiple tools to spot attacks that might otherwise be ignored, and to improve operational efficiency and productivity. No longer does comprehensive visibility mean finding the right data—rather, it means correlating data to spot the complex attacks.

For example, suppose an employee gets a phishing email with an embedded link. The employee clicks the link and downloads a malware file. The malware accesses a corporate server at 2 AM. The malware begins sending sensitive data to an external address using DNS tunneling. Each of these activities would show up in a different log, so there’s a need to correlate these actions to reveal the attack.

To implement the third wave, many security vendors are building so-called anywhere (x) detection and response, or XDR platforms. Companies like Palo Alto Networks and Trend Micro are buying and consolidating tools from other vendors, and pure-play XDR vendors like Stellar Cyber have built XDR platforms from the ground up. XDR is a cohesive security operations solution with tight integration of many security applications in a single platform with a single pane of glass. It automatically collects and correlates data from multiple tools, improves detections, and provides automated responses. A platform tying together tools and applications innately drives the cost down, in both tools cost and infrastructure cost, while it improves operational efficiency by eliminating manual correlation.

The third wave of cybersecurity is about collecting the right data, consolidating it in a data lake, and correlating the output of a dozen or more security tools into a single console for rapid detection and response. Data is the engine that runs the system: while AI and ML discover the right data and initiate automated responses, correlation spots the most complex attacks to prevent them from ruining the CISO’s day.