Enterprise implementation of AIOps, short for artificial intelligence for IT operations, is expected to reach 30% by 2023, according to Gartner. As cloud adoption likewise increases, now is a good time to learn more about this advanced monitoring technology and how it can optimize cloud security operations.
AIOps applies large-scale data collection and analysis to make alerting more efficient, to identify problems in the IT environment with context, to analyze behavioral trends and, in some cases, to remediate automatically.
AIOps often includes the following features:
- diverse data sets;
- a big data platform to aggregate data and event information at scale;
- machine learning algorithms and analytics processing;
- APIs and automation capabilities; and
- granular reporting.
How AIOps use cases can optimize cloud security operations
AIOps’ combination of big data and machine learning for automation can affect cloud security operations in myriad ways. Keep in mind that AIOps security use cases for cloud may require specific preconditions, as well as investments in budget, architecture and skills to be successful.
Here, explore six of the most viable AIOps use cases to optimize cloud operations and security, with advice on implementation criteria.
1. Threat intelligence analysis
Threat intelligence provides perspective on attacker sources, indicators of compromise and behavioral trends related to cloud account use, as well as attacks against various cloud services. Threat intelligence feeds can be aggregated and analyzed at scale using machine learning engines in the cloud and used to build predictive models. With the wide variety of IT operational data already flowing through AIOps, plus threat intelligence from external providers, security operations teams could anticipate or help prevent attacks on cloud infrastructure, account hijacking in particular: a sign-in from an address that threat intelligence already associates with credential abuse, followed by changes to keys or policies, is the kind of pattern the combined data can surface.
This AIOps security use case would require threat intelligence pattern development and data analysis skills, as well as integration with third-party threat intelligence data feeds.
2. Security event management
Log data and other events are produced in enormous quantities. Security teams need to quickly recognize specific indicators, identify event patterns and locate where in the cloud environment the events occur. The machine learning and AI capabilities of AIOps can augment large-scale event processing technology to build more intelligent detection and alerting tactics.
Dedicated staff will be needed to build correlation and analysis rules on top of the data. Building a skilled team capable of automating security event management can be time-consuming and difficult due to the industry’s talent shortage.
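The following is an added example, not code from the original article, covering both use case 1 (threat intelligence analysis) and use case 2 (security event management). It enriches constructed cloud audit events with a constructed IOC feed, then applies a correlation rule for account hijacking: a successful login from an IOC-listed address followed within a short window by an action that establishes persistence. The event fields, the feed format, the `PERSISTENCE_ACTIONS` set and the 15-minute window are assumptions; a real deployment would replace them with the provider's audit log schema and a threat intelligence feed such as a STIX/TAXII source.

```python
"""Enrich cloud audit events with threat-intel IOCs and correlate for account hijacking.

Added example; event schema, IOC feed and thresholds are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC feed: CIDR ranges or single addresses with a confidence score
# and the (hypothetical) feed they came from.
IOC_FEED = [
    {"indicator": "203.0.113.0/24", "confidence": 90, "source": "feed-A"},
    {"indicator": "198.51.100.7", "confidence": 60, "source": "feed-B"},
]

# Constructed, CloudTrail-like audit events (simplified fields).
EVENTS = [
    {"time": "2023-03-01T10:00:00", "user": "alice", "src_ip": "192.0.2.10",    "action": "ConsoleLogin",     "result": "Success"},
    {"time": "2023-03-01T10:05:00", "user": "bob",   "src_ip": "203.0.113.45",  "action": "ConsoleLogin",     "result": "Success"},
    {"time": "2023-03-01T10:07:30", "user": "bob",   "src_ip": "203.0.113.45",  "action": "CreateAccessKey",  "result": "Success"},
    {"time": "2023-03-01T10:09:00", "user": "bob",   "src_ip": "203.0.113.45",  "action": "AttachUserPolicy", "result": "Success"},
    {"time": "2023-03-01T11:00:00", "user": "carol", "src_ip": "198.51.100.7",  "action": "ConsoleLogin",     "result": "Failure"},
    {"time": "2023-03-02T09:00:00", "user": "carol", "src_ip": "198.51.100.7",  "action": "AttachUserPolicy", "result": "Success"},
]

# Assumed set of actions an attacker takes to keep access after hijacking an account.
PERSISTENCE_ACTIONS = {"CreateAccessKey", "AttachUserPolicy", "UpdateLoginProfile"}
WINDOW = timedelta(minutes=15)  # assumed correlation window


def build_matcher(feed):
    """Compile indicators into network objects so matching is a containment check."""
    return [(ipaddress.ip_network(ioc["indicator"], strict=False), ioc) for ioc in feed]


def enrich(events, matcher):
    """Attach the first matching IOC record to each event; unmatched events get None."""
    enriched = []
    for ev in events:
        addr = ipaddress.ip_address(ev["src_ip"])
        hit = next((ioc for net, ioc in matcher if addr in net), None)
        enriched.append({**ev, "ioc": hit})
    return enriched


def detect_hijack(enriched, window=WINDOW):
    """Alert when a successful login from an IOC-listed address is followed within
    `window` by a persistence action from the same user."""
    by_user = defaultdict(list)
    for ev in enriched:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, ev in enumerate(evs):
            if ev["action"] != "ConsoleLogin" or ev["result"] != "Success" or ev["ioc"] is None:
                continue
            t0 = datetime.fromisoformat(ev["time"])
            followups = [
                f for f in evs[i + 1:]
                if f["action"] in PERSISTENCE_ACTIONS
                and datetime.fromisoformat(f["time"]) - t0 <= window
            ]
            if followups:
                alerts.append({
                    "user": user,
                    "src_ip": ev["src_ip"],
                    "ioc_source": ev["ioc"]["source"],
                    "confidence": ev["ioc"]["confidence"],
                    "actions": [f["action"] for f in followups],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_hijack(enrich(EVENTS, build_matcher(IOC_FEED))):
        print(alert)
```

Only `bob` produces an alert: `carol` also connects from a listed address, but her login failed and her later policy change is a day later, outside the window. Matching on the IOC alone would have flagged both; the sequence rule is what turns raw enrichment into a usable detection.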
3. Endpoint and network behavior modeling
Modeling endpoint communications and behavior patterns could prove useful to detect subtle indicators of compromise or attack, ideally before any significant data access or breach has occurred. Network flow modeling is also a promising AIOps use case for cloud security. There are massive quantities of traffic between systems and cloud provider backplane services, and that traffic should be turned into baselines of normal behavior against which to monitor.
Endpoint and network behavior modeling is time-consuming. It also requires input from a diverse range of IT operations skill sets, including endpoint administration, OS subject matter experts, networking engineers and security teams. Building behavioral models with these data sets and algorithms can also be costly, so adequate business drivers may be required.
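As an added example of the flow baselining described above (not code from the original article), the block below builds a per-host baseline from constructed flow records and then scores new windows against it in two ways: a destination the host has never talked to, and a volume that deviates from the baseline by a robust (median/MAD) z-score. The flow tuples, the host names, the 3.5 threshold and the five-minute windows are assumptions; in practice the records would come from VPC flow logs or equivalent provider telemetry.

```python
"""Baseline per-host egress and flag new destinations and volume outliers.

Added example; flow records, hosts and thresholds are constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed training flows: (window, destination, bytes) per source host.
# 'db-1' normally talks only to an internal storage endpoint in small volumes.
TRAINING_FLOWS = {
    "db-1": [
        (1, "storage.internal", 1200), (2, "storage.internal", 1350),
        (3, "storage.internal", 1100), (4, "storage.internal", 1300),
        (5, "storage.internal", 1250), (6, "storage.internal", 1400),
        (7, "storage.internal", 1150), (8, "storage.internal", 1280),
    ],
}

# Constructed evaluation flows: window 9 looks normal; window 10 contains a
# large transfer to an address the host has never contacted.
EVAL_FLOWS = {
    "db-1": [
        (9, "storage.internal", 1300),
        (10, "storage.internal", 1200),
        (10, "203.0.113.9", 48_000_000),
    ],
}


def build_baseline(flows):
    """Per source host: known destinations plus median and MAD of bytes per window."""
    baseline = {}
    for src, records in flows.items():
        per_window = defaultdict(int)
        for window, _dst, nbytes in records:
            per_window[window] += nbytes
        volumes = list(per_window.values())
        median = statistics.median(volumes)
        # Median absolute deviation; robust to an occasional outlier in the training data.
        mad = statistics.median(abs(v - median) for v in volumes) or 1.0
        baseline[src] = {
            "dests": {dst for _w, dst, _b in records},
            "median": median,
            "mad": mad,
        }
    return baseline


def find_anomalies(baseline, flows, threshold=3.5):
    """Score evaluation flows against the baseline and return anomaly records."""
    anomalies = []
    for src, records in flows.items():
        b = baseline.get(src)
        if b is None:
            anomalies.append({"source": src, "kind": "unknown_source"})
            continue
        per_window = defaultdict(int)
        for window, dst, nbytes in records:
            per_window[window] += nbytes
            if dst not in b["dests"]:
                anomalies.append({"source": src, "kind": "new_destination",
                                  "window": window, "dest": dst})
        for window, volume in sorted(per_window.items()):
            # Modified z-score (Iglewicz and Hoaglin): 0.6745 scales MAD to a
            # standard-deviation estimate, so 3.5 is the usual outlier cutoff.
            z = 0.6745 * (volume - b["median"]) / b["mad"]
            if abs(z) > threshold:
                anomalies.append({"source": src, "kind": "volume",
                                  "window": window, "bytes": volume, "z": round(z, 1)})
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(build_baseline(TRAINING_FLOWS), EVAL_FLOWS):
        print(a)
```

The median/MAD choice matters in this setting: with mean and standard deviation, one large legitimate backup in the training period would inflate the spread enough to hide a later exfiltration. The same structure applies per destination or per service endpoint when the backplane traffic mentioned above is the thing being baselined.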
4. Fraud detection
For financial services firms and insurers, fraud detection requires an enormous number of inputs and data types, as well as many intensive types of processing. Text mining, database searches, social network analysis and anomaly detection are combined with predictive models at scale to detect fraud. Cloud-based AIOps could help with this at scale. This AIOps security use case could be extended to fraudulent use of cloud services, for example a Microsoft 365-based phishing attack sent from a hijacked account.
In addition to the technical skills mentioned in the other AIOps security use cases, this one requires a deeper understanding of business logic and could be highly complex to build.
5. Malware detection
Large-scale processing of event data and file attributes could improve detection of ransomware and other malware, particularly variants without known signatures. Leading endpoint detection and response companies use cloud technology, machine learning and AI for exactly this purpose. However, there is also a case to be made for in-house sandbox processing engines using AI in the cloud.
Keep in mind that any custom malware detection will require security practitioners with highly specialized skills.
6. Data classification and monitoring
Based on known content types and patterns, AIOps analysis engines process all data uploaded to or created in the environment, classify and tag it according to predefined policies, and then monitor access to it.
Data-specific monitoring requires cybersecurity buy-in from business units. It also depends on operations teams to handle various data formats and types, as well as security and risk teams to tag and track data types or patterns.
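The block below is an added example (not code from the original article) of the classify, tag and monitor loop described above. It scans constructed objects for a few pattern-based classifiers, records the resulting tags, and then audits a constructed access log against a role policy. The classifier patterns, the `POLICY` mapping, the object contents and the access log entries are all assumptions; the card-number check uses the Luhn algorithm to cut down false positives from the loose digit pattern.

```python
"""Pattern-based data classification with access monitoring against a tag policy.

Added example; classifiers, policy, objects and access log are constructed.
"""
import re

# Constructed classifiers: tag -> pattern that suggests the tag.
CLASSIFIERS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pan": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # candidate card number, confirmed by Luhn
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Constructed policy: which roles may read objects carrying each tag.
POLICY = {
    "us_ssn": {"support", "finance"},
    "pan": {"finance"},
    "email": {"support", "finance", "marketing"},
}

# Constructed objects as they might be uploaded to a bucket or share.
OBJECTS = {
    "customers.csv": "name,ssn,email\nJane Doe,123-45-6789,jane@example.com\n",
    "orders.txt": "card 4111 1111 1111 1111 charged 40.00",
    "notes.txt": "order ref 1234 5678 9012 3456 pending",
    "readme.md": "deployment notes, nothing sensitive",
}

# Constructed access log: (principal, role, object read).
ACCESS_LOG = [
    ("alice", "finance", "orders.txt"),
    ("bob", "marketing", "orders.txt"),
    ("carol", "marketing", "customers.csv"),
    ("dave", "marketing", "readme.md"),
]


def luhn_ok(candidate):
    """Luhn checksum over the digits in `candidate`; separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of tags whose pattern (and validator, for PANs) matches `text`."""
    tags = set()
    for tag, pattern in CLASSIFIERS.items():
        for match in pattern.finditer(text):
            if tag == "pan" and not luhn_ok(match.group()):
                continue  # digit run that is not a valid card number
            tags.add(tag)
            break
    return tags


def tag_objects(objects):
    """Classify every object on ingest and record its tags."""
    return {name: classify(content) for name, content in objects.items()}


def audit_access(access_log, tags, policy=POLICY):
    """Flag reads of tagged objects by roles the policy does not allow for that tag."""
    alerts = []
    for principal, role, obj in access_log:
        for tag in sorted(tags.get(obj, ())):
            if role not in policy[tag]:
                alerts.append({"principal": principal, "role": role, "object": obj, "tag": tag})
    return alerts


if __name__ == "__main__":
    object_tags = tag_objects(OBJECTS)
    for name, t in object_tags.items():
        print(name, sorted(t))
    for alert in audit_access(ACCESS_LOG, object_tags):
        print(alert)
```

`notes.txt` contains a sixteen-digit run that the regular expression matches but Luhn rejects, so it stays untagged; that validator step is what keeps a pattern-based classifier from tagging every order reference as cardholder data. The policy side is where the business-unit buy-in mentioned above shows up: the patterns are a security team's concern, but which roles may read which class of data has to come from the data owners.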
AIOps lends itself naturally to security-specific use cases. However, there are potential obstacles to cloud AIOps success to consider. These include the difficulty of sourcing cloud-specific security skills, data import and export costs, and alignment with internal business and IT operations use cases.
Currently, most security-related AI or machine learning analytics is separate from any IT operations tools, platforms or vendors. Integrating IT operations and security will take some effort as well.