AI (artificial intelligence) holds the promise of addressing outstanding issues in the Federal Cybersecurity Research and Development Strategic Plan[1] published by the National Science and Technology Council (NSTC) in 2016. Several recommendations in the plan for the executive branch’s strategy of “Deter, Protect, Detect, Adapt” cannot be met successfully without implementing an AI-based solution.

According to the NSTC plan, one of the executive branch’s near-term R&D objectives is to “Discover and apply automated tools to map…logical relationships between processes and behaviors.” This supports their linchpin recommendation, which is to “enable robust situational awareness.” The reasons for this emphasis on situational awareness and on understanding logical relationships shouldn’t surprise anyone. They are:

  • the increasing complexity of hybrid cloud/on-premise deployments,
  • an increased use of mobile devices,
  • a ballooning number of IT integrations with service and supply chain partners, and
  • an increasing number of siloed departmental applications.

For these reasons, the size of the attack surface has increased dramatically. The amount of data that needs to be collected, processed and reviewed has created an entire industry of products that are supposed to help cyber analysts. While tools are absolutely essential for analysis, the tools themselves have revealed a blind spot in that analysis: they bias the analyst toward staying within what the data says, rather than toward the relationships between services or processes and behaviors.

Today, even with a big data solution, finding and understanding these hidden relationships is a manual, painstaking process of searching through a wide variety of related data types. When I say “relationships”, one example would be visualizing the path of a malicious email attachment across the company: determining who received it, seeing which of them opened it, knowing which of those systems were vulnerable to the exploit, understanding the changes that occurred to system services after it was opened, and finding all the new inappropriate relationships that were created and now also need to be discovered, and so on. By the way, there are always surprises along the way. Unimagined relationships are almost always revealed.

This sort of analysis takes time, usually weeks, and has little to do with fancy graphics, dashboards and risk thresholding. It requires pivoting through large quantities of data gathered from multiple tools and then, most importantly, using deductive and inductive reasoning performed by humans to determine the connections between them. This is what getting to true situational awareness entails. So how do we “enable robust situational awareness?” Robust means “strong and effective in all or most situations and conditions.”

Augmenting Situational Awareness with AI

The current manual processes for relationship discovery, which take weeks or months, don’t fit the definition of strong and effective. Machine reasoning, a form of AI, offers a great deal of promise in this area. Machine reasoning, using a large classification ontology and a graph database, can read and understand multiple types of data from big data systems and automate the discovery and visualization of hidden relationships in minutes. This moves the analyst’s data horizon beyond what the data tells them to what it means. The analyst can focus on what these relationships mean and their risk implications for the organization, not on having to connect all the dots. This more closely meets the NSTC’s definition of situational awareness.
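As an added example (not from the original post, and not Gemini Data’s product code), here is the attachment pivot described above done as a breadth-first walk over one graph folded together from constructed email, endpoint, vulnerability and network records; every record format, host name and user name is an assumption made for illustration.

```python
from collections import defaultdict, deque

EVENTS = [  # constructed sample records of several types, as a SIEM might hold them
    {"type": "mail", "attachment": "invoice.doc", "to": "alice"},
    {"type": "mail", "attachment": "invoice.doc", "to": "bob"},
    {"type": "mail", "attachment": "invoice.doc", "to": "carol"},
    {"type": "open", "user": "alice", "host": "ws-01", "file": "invoice.doc"},
    {"type": "open", "user": "bob", "host": "ws-02", "file": "invoice.doc"},
    {"type": "open", "user": "alice", "host": "ws-09", "file": "other.pdf"},
    {"type": "vuln", "host": "ws-01", "weakness": "macro-exec-unpatched"},
    {"type": "service_change", "host": "ws-01", "service": "svc-updater"},
    {"type": "conn", "src": "ws-01", "dst": "fileserver-01"},
]

def build_graph(events):
    """Fold heterogeneous records into one directed graph of typed nodes."""
    g = defaultdict(list)  # node -> [(neighbour, file the edge depends on or None)]
    for e in events:
        t = e["type"]
        if t == "mail":
            g[f"file:{e['attachment']}"].append((f"user:{e['to']}", None))
        elif t == "open":  # a user leads to a host only via the file opened there
            g[f"user:{e['user']}"].append((f"host:{e['host']}", e["file"]))
        elif t == "vuln":
            g[f"host:{e['host']}"].append((f"vuln:{e['host']}:{e['weakness']}", None))
        elif t == "service_change":
            g[f"host:{e['host']}"].append((f"svc:{e['host']}:{e['service']}", None))
        elif t == "conn":  # post-open connections are the newly created relationships
            g[f"host:{e['src']}"].append((f"peer:{e['src']}->{e['dst']}", None))
    return g

def pivot(events, attachment):
    """Breadth-first walk from the attachment; returns reachable nodes grouped by type."""
    g, start = build_graph(events), f"file:{attachment}"
    seen, queue = {start}, deque([start])
    while queue:
        for nxt, needs_file in g[queue.popleft()]:
            if needs_file not in (None, attachment) or nxt in seen:
                continue  # skip opens of other files and nodes already visited
            seen.add(nxt)
            queue.append(nxt)
    found = defaultdict(set)
    for node in seen:
        kind, _, rest = node.partition(":")
        found[kind].add(rest)
    return {k: sorted(v) for k, v in found.items()}

if __name__ == "__main__":
    for kind, items in sorted(pivot(EVENTS, "invoice.doc").items()):
        print(f"{kind:5} {', '.join(items)}")
```

The walk reaches carol as a recipient who never opened the file, ws-01 with its weakness and changed service, and fileserver-01 as a relationship created after the open, while ws-09 stays out of the picture because alice opened a different file there.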

For more on the topic of situational awareness and AI, please download our white paper: http://info.geminidata.com/SituationalAwarenessWP

[1] https://www.nitrd.gov/cybersecurity/publications/2016_Federal_Cybersecurity_Research_and_Development_Strategic_Plan.pdf