FloCon 2020 has ended
Thursday, January 9 • 10:30am - 11:00am
ML Detection of Cyber Attack Signatures and Behaviors from Known and New Threat Actors

Artificial Intelligence (AI) will be the main driver of the Fourth Industrial Revolution, concluded the 2019 World Economic Forum in Davos, Switzerland. The authors of this talk believe that AI and machine learning (ML) will also revolutionize enterprise risk and security management. We successfully built AI/ML pilots across many sub-domains of this important field, from cyber attack analysis and enterprise risk management to fraud and financial crimes analysis. Using cyber attack analysis as an example, we set out to improve the effectiveness of our cyber intrusion prevention system (IPS). Besides blocking and ignoring actions, a typical IPS system also sends out numerous alerts that require the attention of a cyber analyst for triaging. We built a data ingestion and wrangling pipeline, selected the optimal machine learning model based on a performance leaderboard, and customized an attack recommendation engine. This allowed our cyber analysts to quickly analyze alerts and immediately focus on relevant attack signature patterns and high-priority events. In our study, using data from a two-month period, we were able to improve the attack blocking rate of the IPS system by 7.2%, thereby markedly improving the effectiveness of our existing security tool. Additionally, our ML initiative also helped our cyber analysts by providing behavior analytics on adversaries, and provided enterprise-specific threat intelligence on both known and new threat actors. We hope to share with the broader cyber-ML community the methods and results of our effort, along with some attacker tactics, techniques, and procedures (TTP) discussions. More importantly, we hope to share the many lessons learned along the way. The two most important are “Quality over Quantity” and “Data before Algo”.

Speakers
Will Li

Senior Architect, Vanguard
Will Li is a senior technical leader in the risk and security space at Vanguard. His current focus is on promoting the adoption of analytics and machine learning across the many sub-domains of enterprise risk, security, and fraud management. Prior to that, Mr. Li has had a long and diverse...


Thursday January 9, 2020 10:30am - 11:00am EST
Regency Ballroom Hyatt Regency Savannah 2 W. Bay Street Savannah GA 31401