
Hype cycle for security operations 2021







AI/ML in Security Orchestration, Automation and Response: Future Research Directions
Intelligent Automation & Soft Computing, DOI: 10.32604/iasc.2021.016240
Johnson Kinyua 1 and Lawrence Awuah 2,*
1 College of Information Sciences and Technology, Pennsylvania State University, State College, PA 16801, USA
2 Department of Cybersecurity, University of Maryland Global Campus, Adelphi, MD 20783, USA
*Corresponding Author: Lawrence Awuah. Email:
Received: 28 December 2020; Accepted: 28 January 2021

Abstract: Today's cyber defense capabilities in many organizations consist of a diversity of tools, products, and solutions, which are very challenging for Security Operations Centre (SOC) teams to manage in current advanced and dynamic cyber threat environments. Today's SOC analysts are finding it increasingly difficult to effectively monitor and manage current levels of data volume, velocity, and variety across firewalls, IDS, and SIEM devices. This is exacerbated by the fact that most medium to large organizations use a multitude of security tools/products to secure their data, network, endpoint devices and other critical infrastructure. In addition, organizations lack a single security tool that can meet all their security operations needs and end up installing several types of products and tools from different vendors that provide different dimensions of security services and solutions. It is not unusual for an organization to have more than two dozen security tools running simultaneously to identify and prevent cyber-attacks. This results in complex security stacks with increased overhead in terms of cost and time for SOC establishments. Current cyber defense products and tools work independently, have their own data representations and interpretation mechanisms with no standardization for data exchange between different tools, have inconsistent workflows, and have a non-integrated architecture. Consequently, SOC analysts may find it difficult to have a holistic picture of their organizational security posture through individual security tools working separately, and to appropriately configure and integrate the activities of multi-vendor security products and tools. This challenge usually calls for continuous involvement of humans (HITL) in the entire process of security incident response, which places a heavy burden on human experts and leads to complex, inefficient and suboptimal incident response processes and security management in general. Moreover, threats continue to escalate at a breakneck rate and make the situation worse due to the complexity of security stacks and the diversity of security tools. Security researchers and industry practitioners have proposed security orchestration, automation, and response (SOAR) solutions designed to integrate and automate the disparate security tasks, processes, and applications in response to security incidents to empower SOC teams. The next big step for cyber threat detection, mitigation, and prevention efforts is to leverage AI/ML in SOAR solutions. AI/ML will act as a force multiplier empowering SOC analysts even further. We conducted a detailed survey by studying work by both security researchers and industry practitioners on SOAR, including its interpretations, from an AI/ML perspective by reviewing works published in academic journals, conferences, websites, blogs, white papers, etc. We report on our findings and future research directions in this area.

Keywords: Security management; security orchestration and automation; machine learning; SOAR; security orchestration; security automation; deep learning; deep reinforcement learning; incident response







