In this series, Cybersecurity expert Ravi Das has explained why the mean time to detect (MTTD) and respond (MTTR) are key performance indicators in protecting an organization from Cyber threats, as well as traditional tools used to minimize those factors. Here, the author proposes a novel solution based on cutting-edge Generative AI tools.
In this article, we detail a proposed solution for reducing the MTTD and MTTR metrics to just a few minutes. As stated earlier in this series, the solution we propose is still in the theoretical stages. It has not been experimented yet in a test environment.
The First Component: The Digital Person
The next evolution from Natural Language Processing and Large Language Models (referred to in the remainder of this article as “NLP”, and “LLM”, respectively), powers what is known as the “Digital Person.” The Digital Person can be technically defined as follows:
Digital people are human-like characters created by combining two primary technologies—computer-generated images and artificial intelligence—to craft a fully autonomous personality. Unlike a chatbot, you can interact with this visible person in lifelike and real conversations.1
Other names for a Digital Person include Digital Persona, Digital Personality, and Digital Human. The research behind, and development of, the Digital Person have a rich history, as described in this article.
The Human Characteristics of The Digital Person
Using Generative AI, the Digital Person now has some sophisticated features that can, to varying degrees, emulate a human being, including hand and body gestures, facial expressions, linguistics and conversation (in some foreign languages), race and ethnicity, eye and skin color.
The primary goal here is to have the Digital Person look appropriate to the industry or market application that it is serving. For example, if the Digital Person were being used in a healthcare setting, it would look much more professional than say, a Digital Person being used in a call center.
It should be noted that some predecessors to The Digital Person would not be suitable components for our proposed solution, primarily due to their lack of sophistication when compared to the Digital Person. These include the Chatbot and Virtual Personal Assistant.
How The Digital Person Fits into The Proposed Solution
Even though the IT Security team will be alerted of a legitimate warning or alert through a specialized platform, with the help of the Digital Person, they will get that notification quicker, and also, the IT Security team can tell the Digital Person as to what needs to be done, in order to trigger the chain actions that needs to take place in order to contain the security breach in a timely manner.
For this proposed solution, thoughtful consideration is being given to procuring the Digital Personality Platform from Soul Machines. Illustrated below is the first component of the proposed solution, which is once again, the Digital Person.
The primary purpose of the Web SDK is to allow for remote connection to the Digital Person, if conditions warrant it. More details about this can be found here.
The Second Component: Security Information and Event Management (SIEM)
The next component in the proposed solution is Security Information and Event Management, or SIEM, which can be defined as follows:
IT is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system.2
The SIEM can be thought of as a “one stop shop” for the IT Security team in which all the legitimate warnings and alerts are presented. In other words, there is a single pane or window from which all of this can be seen. The SIEM offers the IT Security team a number of distinct advantages, including:
- Filtering: It has been quoted that a typical business can receive up to 10,000 alerts and warnings per day. For a human being, this would be an almost impossible task to accomplish. Even if it could be done, it would take weeks or even months. Because of that, the IT Security will fall extremely behind in keeping up with the Cyber Threat Landscape. But the good news is that the SIEM platform can filter all of this in just a matter of minutes, because the engine that drives it is powered by Generative AI.
- Aggregation: Businesses today have many network security devices that have been deployed and procured from different vendors. As a result of this, the log files that are output will be different from one another. Once again, it would be almost impossible task for a human being to do all of this. But the SIEM can aggregate all of these log files very quickly, filter through the false positives, and present to the IT Security team only those warnings and alerts that are legitimate. Some examples of the many types of network security devices including firewalls/unified threat management systems (UTMs); Intrusion Detection Systems; Web filters; endpoint security; wireless access points; routers; switches; and application servers.
- Compliance: As it was reviewed earlier in this article, the some of today’s dominant data privacy laws include those of the GDPR, the CCPA, and even HIPAA. One of the key things that the regulators look for is whether the IT Security team is proactive in keeping up with the threat messages that they are receiving. Using a SIEM can help reach this compliance objective.
- Complexity: Given all the interconnectivity between the network security devices and the digital assets that they help to protect, the overall IT Infrastructure can become quite complex at first glance. But the SIEM helps to reduce this degree of complexity by centralizing the view into this in just one location.
- Threat Intelligence: Because the SIEM is also powered by Generative AI, the information and data that are collected from the log files can be stored and archived. From here, they can then be used as a source of intelligence to help predict what future Threat Variants could look like on the horizon. It can also correlate all of this between the differing log files, and the information and data can be easily retrieved to aid in a Digital Forensics Investigation to determine the root cause of a security breach.
In the proposed solution, the SIEM acts as the second major component. It is interconnected with the Digital Person, and there is a two-way flow between them. This is illustrated in the diagram below:
At this point, it is the API that bridges the gap between the Digital Person and the SIEM. So, for example, given this two-way flow of communication between them, if an alert or warning is triggered into the SIEM, it can quickly notify the Digital Person and verbally tell the IT Security team so that they can take notice of. Conversely, if the IT Security team sees the warning or alert originating from the SIEM, they can verbally notify the Digital Person to initiate the chain of events needed to mitigate the potential Threat Variant.
A good SIEM Platform to be used here is one that is available from LogRythm.
The Third Component: The Holistic Solution
The third major aspect of the proposed solution is what we term a “Holistic Cyber Solution.” This is the platform that will contain the mechanisms to not only detect incoming threat variants, but to also contain them as quickly possible. The platform that could potentially be used in this regard comes from a leading Cyber Vendor known as Darktrace. There are two aspects of this that at this point in theory make use of:
- The Network Detection Response (NDR): The basic premise behind this module of the platform is that it can help to detect and thwart off any kind or type of threat variant as it penetrates your network even before it reaches the desired target of the Cyberattacker. For example, if their aim is to reach a Database Server, this module should be able to detect the malicious payload in its track before any severe damage happens, such as the exfiltration of the PII Datasets. It is powered by Generative AI, which will work well with the proposed SIEM.
- The CLOUD, Although there are many sophisticated features to it. It serves the same basic premise as the previous module, and that is protect the digital assets that are stored in a Cloud based Deployment. For example, if the Database Server were to be stored into the Cloud, this module would serve that very purpose.
Illustrated below is how the proposed solution looks thus far:
As is seen above, all the components of the proposed solution are interlinked with another. At this point, if the Holistic Cybersecurity Platform will detect all the inbound threat variants that are targeted towards the IT and Network Infrastructure of the business, it will then formulate a series of alerts and warnings. From there, it will be sent to the SIEM to filter out the false positives. Once a real warning or alert has been picked up, the SIEM will notify the IT Security team. From this point onwards they can then tell the Digital Person to launch corrective action immediately, via the Holistic Cybersecurity Platform. This is demonstrated in the flow of direction at the top of the diagram.
The Fourth Component: The Privileged Access Management Server (PAM)
The fourth and final component of the proposed solution is the Privileged Access Management Server (PAM). PAM can be defined as follows:
Privileged Access Management (PAM) is an information security (infosec) mechanism that safeguards identities with exclusive access or capabilities beyond regular users. Like all other infosec solutions, PAM security works through a combination of people, processes and technology.3
These are the super user login credentials that typically members of the IT Security team are afforded. For example, these kinds and types of rights, permissions, and privileges are routinely assigned to Database Administrators, Network Administrators, and even managers, depending upon their roles and titles. Because of the high value of these credentials, these have also become a prized target for the Cyberattacker. The primary reason for this is that when they get access to it, they can get to the digital assets that reside in the IT and Network Infrastructure very quickly.
Normally, people who need these kinds of credentials are assigned what is known as a “PAM Account” from which they can be accessed. A business with a good security policy should contain provisions that dictate the disablement or complete eradication of these kinds of accounts when they are no longer needed, given its elevated level of avenue.
In the real world, however, this does not usually happen, making it that much easier for the Cyberattacker to gain access. Therefore, we will use this as an example of a security breach happening in our proposed solution.
Before reading further, you may want to learn more about PAM accounts , especially the different types of PAM accounts, including those for non-humans; the Cyber risks; and best practices of PAM accounts.
Next, we’ll examine a PAM Management session, which can be defined as follows:
This is a login session where a user with elevated access rights (a “privileged user”) is actively accessing and managing critical systems within an organization, allowing them to perform administrative tasks with high-level permissions, while being closely monitored and recorded for security purposes. (Google)
One of the best examples of this is the Database Administrator. They will typically log into the Database Server to conduct routine audits of the system, keep the databases optimized, apply the latest software patches and updates, including firmware, etc. An example of this is illustrated below:
(Source: CyberArk)
If the best practices are not followed, these kinds of sessions can quite easily be hijacked by the Cyberattacker in ways that could take a long time to detect. This last part of the proposed solution is illustrated below:
In this case, once a security breach has occurred to the PAM Server, the Holistic Cybersecurity Solution will take immediate notice of it. From there, the appropriate alert or warning will be sent to the SIEM, and the IT Security team will take notice of it. Once this happens, they can then notify the Digital Person that the security breach has occurred and take immediate action to contain it. In theory, this should cut down both the MTTD and the MTTR metrics down to just a matter of minutes.
It should also be noted that the PAM Server can also be used as a “Honeypot” in order to further validate or prove the weaknesses of this proposed solution. A “Honeypot” can be technically defined as follows:
A honeypot is a decoy system or bait designed to trick a hacker into infiltrating a system so that security professionals can observe and study their behavior.
In other words, it is a way to lure the Cyberattacker into believing that they are attacking a legitimate target, but in reality, they are not, thus helping to keep the digital assets in the IT and Network Infrastructure at safer levels. As it can also be seen in the above definition, a “Honeypot” can also be a great mechanism in which to collect intelligence about the tactics of the Cyberattacker. Thus, if the proposed solution proves to be a valid one, this kind of information and data can be fed into it to predict what future threat variants could look like.
It is important to note that for this part of the proposed solution, it is anticipated that the CyberArk PAM Server will be used. This architecture can be viewed here: CyberArk Privilege Cloud Presentation
Up Next: Wrapping it up
The next article in this series, the author will wrap everything up by noting limitations in the proposed solution, as well as offering his conclusions and final thoughts.
Sources/References:
- What does it mean to be a digital person—and why would multifamily operators and residents care? – Fast Company
- What is SIEM? How does it work? | Fortinet
- What is Privileged Access Management (PAM)?
Ravi Das is an Intermediate Technical Writer for a large IT Services Provider based in South Dakota. He also has his own freelance business through Technical Writing Consulting, Inc.
He holds the Certified In Cybersecurity certificate from the ISC(2).
