AI-based cybersecurity systems. A cognitive approach to SOC design and the improvement of national/corporate cybersecurity infrastructures.
Luis Martín "The Druid"
Senior Consultant, Researcher and Designer of Intelligent Systems for Multi-Domain Security, Defense and Warfare. R&D in MMD Complex Reasoning for ISO Superiority. Thirty Years of Experience in Advanced AI.
Introducing artificial intelligence technologies into a national/corporate cybersecurity system in a solid and efficient way involves many strategic design decisions; a simplistic, reductionist or opportunistic approach reduces the impact that AI can have on the functionality and efficiency of our cybersecurity systems, procedures and methods.
Figure- Cognitive AI capabilities applied to a national cyberintelligence infrastructure.
Deficiencies and problems in current SOCs
Current SOCs are prepared to address a high percentage of the cybersecurity problems derived from hacktivism and cybercrime, but they lack the capacity to offer guarantees in the detection and neutralization of cyber espionage, cyber terrorism and cyberwarfare. The main problems and deficiencies of current SOCs have to do, as expressed above, with the capacity to offer an adequate response at all levels of cyber conflict, and with the operational efficiency, coordination and management of the processes they carry out. Some of them are:
1-Lack of an advanced doctrinal model that allows a SOC to be planned so that it scales its capabilities from the lowest-level, least complex threats (hacktivism) to the most sophisticated (cyberwarfare).
2-Inefficient integration and coordination of SIEM capabilities, incident reporting and cyber-intelligence, which reduces the ability to establish the complex event correlations needed to detect the silent, asymmetric, contagious, mutant and concurrent threats that are usually created by cyberwarfare systems.
3-Cognitive overload in SOC operators and managers, derived from the lack of a strategic and operational environment based on "Real-Time Situation Awareness" system design models; this paralyzes complex decision-making within the useful time for action, planning and consequences.
4-Inefficient computer systems, derived from the complexity of administering heterogeneous technological environments from different manufacturers.
5-Lack of a studied and considered criterion on where and how to apply key technologies such as AI, for example deciding where to replace human action and where to use AI as a tool for filtering information and providing expert advice to the operator or the SOC manager.
6-Lack of capacity for immediate (real-time) adaptation to the changes that occur daily in the organization the SOC supports, which change the typology and threat scenarios and open new gaps in the system's protective security.
The Role of AI in a SOC
Artificial intelligence is key in a SOC: it equips the SOC with new capabilities and improves existing ones without increasing resources or requiring expensive infrastructure. Some of these capabilities and improvements are the following:
Figure- An LMT view of the contribution of AI systems to a fully AI-based cybersecurity operation.
1-Coordinate and execute complex strategies to respond to sophisticated threat scenarios or concurrent attacks over time, using automatic reasoning techniques.
2-Provide dynamic reconfiguration of perimeter protection devices according to the type of known or shared threats, through machine learning.
3-Improve early warning capabilities by detecting anomalies based on the search for and recognition of patterns.
4-Improve operational coordination between systems, people and procedures by equipping them with complex intelligent planning techniques.
5-Ability to detect threats and attacks that current SOCs cannot detect (silent attacks), including attacks aimed at introducing manipulated information into corporate systems (deception operations), at all layers of the OSI stack.
6-Improve the granularity, accuracy and proactivity of threat intelligence analysis by creating automatic sequences of information analysis/synthesis to support evidence-based reasoning processes.
7-Reduce the time to resolve security incidents by creating a knowledge base composed of weighted rules of action and an intelligent process management system.
8-Substantially improve the management and treatment of threats and incidents through advanced multidimensional correlation processes.
9-Early detection of threat and risk agents through predictive behavior analysis.
10-Automatic weighting of the reliability of the supporting information used to produce cyber-intelligence (utility, credibility, reliability, timeliness, accuracy), using natural language processing techniques and multi-source, multi-content interpolation.
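Items 6, 8 and 10 above (evidence-based analysis, multidimensional correlation, and automatic weighting of source reliability) can be sketched in code. The following Python is an added example written for this article, not code from LMT, "The Druid" or any product the article describes. It correlates constructed alerts from three hypothetical feeds (a SIEM, an EDR and a CTI feed) by host within a time window, weights each source by a constructed reliability profile built from the article's credibility/reliability/timeliness/accuracy criteria, and flags a host only when the weighted, corroborated score crosses a threshold. The event data, source names, profile values, window and threshold are all assumptions made up for the example.

```python
"""Reliability-weighted, multi-source event correlation (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    source: str       # feed that reported the event (hypothetical names below)
    host: str         # attribute used as the correlation pivot
    ts: datetime      # observation time
    severity: float   # 0..1 severity as reported by the feed
    text: str         # free-text description from the feed


# Hypothetical reliability profile per source: one 0..1 value for each of the
# article's criteria (credibility, reliability, timeliness, accuracy). In a real
# SOC these would be maintained from analyst feedback, not hard-coded.
SOURCE_PROFILE: Dict[str, Dict[str, float]] = {
    "siem": {"credibility": 0.9, "reliability": 0.8, "timeliness": 0.9, "accuracy": 0.7},
    "edr":  {"credibility": 0.9, "reliability": 0.9, "timeliness": 0.8, "accuracy": 0.9},
    "cti":  {"credibility": 0.6, "reliability": 0.5, "timeliness": 0.4, "accuracy": 0.6},
}
UNKNOWN_SOURCE_WEIGHT = 0.3   # conservative default for a feed with no profile


def source_weight(source: str) -> float:
    """Collapse a source's profile into one weight: the mean of its criteria."""
    profile = SOURCE_PROFILE.get(source)
    if profile is None:
        return UNKNOWN_SOURCE_WEIGHT
    return sum(profile.values()) / len(profile)


def score_cluster(cluster: List[Event]) -> dict:
    """Score a set of events belonging to one host.

    Each source contributes at most once (its highest weighted severity), so a
    single noisy feed cannot inflate the score by repeating itself; the score
    only grows when independent sources corroborate each other.
    """
    best_per_source: Dict[str, float] = {}
    for ev in cluster:
        weighted = source_weight(ev.source) * ev.severity
        if weighted > best_per_source.get(ev.source, 0.0):
            best_per_source[ev.source] = weighted
    return {
        "score": round(sum(best_per_source.values()), 4),
        "sources": sorted(best_per_source),
        "events": len(cluster),
        "start": cluster[0].ts,
        "end": cluster[-1].ts,
    }


def correlate(events: List[Event], window: timedelta, threshold: float) -> Dict[str, dict]:
    """Group events by host, slide a time window over each host's timeline and
    return, for every host whose best window reaches the threshold, that window's summary."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    incidents: Dict[str, dict] = {}
    for host, evs in by_host.items():
        best: Optional[dict] = None
        for i, start in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - start.ts <= window]
            candidate = score_cluster(cluster)
            if best is None or candidate["score"] > best["score"]:
                best = candidate
        if best is not None and best["score"] >= threshold:
            incidents[host] = best
    return incidents


# Constructed sample input (not real telemetry).
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    Event("siem", "host-a", T0, 0.5, "multiple failed logons"),
    Event("edr", "host-a", T0 + timedelta(minutes=2), 0.8, "suspicious process tree"),
    Event("cti", "host-a", T0 + timedelta(minutes=3), 0.7, "outbound connection to listed indicator"),
    Event("siem", "host-a", T0 + timedelta(hours=2), 0.2, "successful logon"),
    Event("cti", "host-b", T0, 0.9, "outbound connection to listed indicator"),
]
WINDOW = timedelta(minutes=5)
THRESHOLD = 1.0


def demo() -> Dict[str, dict]:
    """Run the correlation on the constructed sample."""
    return correlate(SAMPLE_EVENTS, WINDOW, THRESHOLD)


if __name__ == "__main__":
    for host, summary in demo().items():
        print(f"{host}: score={summary['score']} sources={summary['sources']} "
              f"events={summary['events']} {summary['start']:%H:%M}-{summary['end']:%H:%M}")
```

With these assumed values, host-a is flagged because three feeds corroborate each other within five minutes, while host-b, reported only by the low-reliability CTI feed, stays below the threshold and the later isolated logon on host-a does not join the earlier cluster. The per-source maximum and the reliability weight are the two design choices that make this different from counting alerts; in a production SOC the profile values would be learned and revised from analyst feedback, which is where the machine learning the article refers to would sit.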
Figure- LMT "The Druid" KPIs applied to AI in Cybersecurity.
What are our services for improving SOCs through Cognitive AI?
It is a continuous innovation project aimed at improving the capabilities of national and corporate security operations centers through the doctrinal and systemically coherent application of Cognitive AI.
As a technological platform, it is composed of methodological, formative, operational and systemic models that support different configuration design strategies to build or improve intelligent SOCs.
From the perspective of the services that deliver value to the client, these services are oriented to a personalized study of the situation of each SOC and of the organization or organizations it supports. The objective is to identify the elements of doctrinal, functional and operational improvement of that SOC, and how to achieve them by applying artificial intelligence extensively and endowing the SOC with the adaptive behavior capabilities of an intelligent system (understanding of its environment, automatic reasoning, common sense, learning, problem solving, decision making, justification and explanation, establishment of objectives, and planning and execution of strategies to fulfill them, etc.). Based on this study, the transformation or improvement projects necessary to provide the SOC with intelligent behavior are designed and executed.
Figures- AI services to transform a SOC into a Smart SOC, and a holistic view of a cognitive cyberintelligence system supporting a cyberwarfare SOC.
Finally, as a continuous innovation project, the R&D work focuses on the creation of cooperative intelligent agents (AI software/hardware components) that can be embedded in traditional systems (AI embedded), integrated incrementally through an AI resource engine (AI driven), or deployed in a purist approach (Full AI), to provide advanced functionalities to corporate and national security systems.
Final conclusions:
1-The need for the services of a SOC in any organization, regardless of its size and sector of activity, is clear.
2-Threats are increasingly sophisticated and attack large and small organizations alike.
3-Most traditional SOCs are not prepared to scale their alert, protection and response capacity to the levels of cyberterrorism, cyberespionage or cyberwarfare.
4-AI is the key technology for creating adaptive SOCs that can detect and neutralize threats at any level with high precision and make their operations more efficient without increasing human resources or infrastructure.
5-The efficient and extensive application of AI in the evolution or creation of intelligent SOCs requires a thorough study of the SOC and the organizations it supports.
6-Our concept of an AI-based SOC is a doctrinal, methodological, formative and systemic environment for studying, creating and improving traditional SOCs, converting them into intelligent SOCs capable of adapting and scaling functionally depending on the threat and attack scenarios they have to face.
7-Our main objective is to create intelligent agents, which we call Cognitive AI CyberIngenios, that can offer disruptive functionalities for national or corporate cybersecurity systems.
Luis Martin "The Druid"-2024
Telecommunications Engineer | Project Manager | Master of Cyber Intelligence | Postgraduate of Cybersecurity
6 months ago: Very interesting! Thanks for sharing it!