Australia Post is working with a start-up called Alpha Level to co-develop and production-test two machine learning models that help prioritize cybersecurity incidents for SOC intervention.

Late last month, the government business enterprise (GBE) announced a partnership with Alpha Level intended to “increase both the speed and accuracy of threat identification.”
Although Alpha Level has an existing commercial product called the Alert Management System, Australia Post is not using it and is instead co-developing an entirely new model that could be commercialized in the future.
“We’re not buying products from Alpha Level; it’s really a partnership,” Cartwright said.
“This is probably a misused term, but what we’re doing with Alpha Level, independently of Australia Post, is working with them on some of the issues that most cybersecurity [teams] have, and trying to develop new ways to uncover and solve those issues.”
Cartwright said the initial work is focused on two machine learning (ML) models, both of which address aspects of the “overwhelming amount of alerts and events coming into the SOC.”
The goal is to effectively prioritize the incident queue in the security information and event management (SIEM) process “in a way that focuses the analyst’s attention on what needs to be investigated.”
Of the billions of events logged in the SIEM each week, from network traffic to security logs, thousands trigger rules and are flagged as potentially malicious.
Most of them are false positives or benign positives. The SOC directly investigates a percentage of these (the GBE has chosen not to reveal exact numbers), and only a small number turn out to be “true positives” that require real intervention.
One of the models being developed at Alpha Level aims to more quickly filter out false positives and benign positives.
“If you can somehow reduce that number, you increase the effectiveness of your team,” Cartwright said. “They can focus on what’s important.”
One of the challenges in this area is that signals associated with more advanced threats can be weak or appear to be legitimate traffic.
Cartwright suggested that ML could be a great way to detect even weak signals in waves of legitimate system usage and traffic and flag them appropriately for attention.
The other model the partners are working on aims to reduce noise within the SIEM by identifying “true positive” threats and putting them at the top of an analyst’s action list.
“What I want to do is help the SOC focus on these things [the highest priority signals] right away, so they don’t have to sift through a backlog of signals to get there. Because response time is important. The sooner we can respond, the less damage will be done to the environment,” Cartwright said.
The ML model, which the partners have been working on for about five months, is now tagging incidents directly in Australia Post’s SIEM.
Incidents that the model classifies as false positives or benign positives are tagged as such but not filtered out of the queue.
“We’ve made the decision that we don’t want any of the alerts to go away. We still think they need to be investigated until we have more confidence in the product,” Cartwright said.
“It’s very unlikely that we’ll ever get to the point where AI can say ‘it shouldn’t see this’; it’s going to be a lot more [likely that the] AI recommends to humans that this is a low priority.”
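The pattern described above, a model that tags and orders incidents without ever closing them, while analyst verdicts are used to decide when it can be trusted, is sketched below as an added example. It is not Australia Post’s or Alpha Level’s code; the model score, the tag names, the score thresholds and the sample incidents are all invented for illustration. The metric a SOC lead would watch before ever letting a low-priority tag suppress anything is the count of analyst-confirmed true positives the model tagged low.

```python
"""Shadow-mode triage tagging for a SIEM incident queue.

Added illustration, not Australia Post's or Alpha Level's code. It assumes a model
that emits a 0..1 score per incident (how likely it needs human intervention) and
SIEM incidents that can carry tags; thresholds, rule names and verdicts are made up.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional

# Assumed score thresholds for the three tags the model may attach.
HIGH_THRESHOLD = 0.8
LOW_THRESHOLD = 0.2


@dataclass
class Incident:
    incident_id: str
    rule: str
    model_score: float                     # assumed model output: P(needs intervention)
    analyst_verdict: Optional[str] = None  # "true_positive", "benign_positive", "false_positive", or None
    tags: List[str] = field(default_factory=list)


def priority_tag(score: float) -> str:
    """Map a model score to a recommendation tag. The model recommends; it never closes."""
    if score >= HIGH_THRESHOLD:
        return "ml:high-priority"
    if score <= LOW_THRESHOLD:
        return "ml:low-priority"
    return "ml:needs-review"


def tag_incidents(incidents: List[Incident]) -> List[Incident]:
    """Attach a tag to every incident. Nothing is filtered: output length == input length."""
    return [replace(inc, tags=inc.tags + [priority_tag(inc.model_score)]) for inc in incidents]


def prioritised_queue(incidents: List[Incident]) -> List[Incident]:
    """Analyst work queue: highest score first, low-priority items at the bottom, none removed."""
    return sorted(incidents, key=lambda inc: inc.model_score, reverse=True)


def shadow_metrics(incidents: List[Incident]) -> Dict[str, object]:
    """Measure the model against analyst verdicts while it runs in shadow mode.

    missed_true_positives is the number that has to stay at zero over a long enough
    window before anyone considers letting 'ml:low-priority' suppress alerts.
    """
    reviewed = [i for i in incidents if i.analyst_verdict is not None]
    true_pos = [i for i in reviewed if i.analyst_verdict == "true_positive"]
    tagged_low = [i for i in reviewed if "ml:low-priority" in i.tags]
    missed = [i for i in true_pos if "ml:low-priority" in i.tags]
    low_and_noise = [i for i in tagged_low if i.analyst_verdict != "true_positive"]
    tp_in_high = [i for i in true_pos if "ml:high-priority" in i.tags]
    return {
        "reviewed": len(reviewed),
        "true_positives": len(true_pos),
        "tagged_low": len(tagged_low),
        "missed_true_positives": len(missed),
        "missed_ids": [i.incident_id for i in missed],
        # share of low-priority tags that really were noise
        "low_tag_precision": len(low_and_noise) / len(tagged_low) if tagged_low else None,
        # share of confirmed true positives the model pushed to the top of the queue
        "true_positive_recall_at_high": len(tp_in_high) / len(true_pos) if true_pos else None,
    }


# Constructed sample incidents (rule names, scores and verdicts are invented).
SAMPLE_INCIDENTS = [
    Incident("INC-001", "impossible-travel-login", 0.93, "true_positive"),
    Incident("INC-002", "encoded-powershell-command", 0.88, "true_positive"),
    Incident("INC-003", "failed-login-burst", 0.15, "false_positive"),
    Incident("INC-004", "new-local-admin-account", 0.55, "benign_positive"),
    Incident("INC-005", "dns-tunnelling-heuristic", 0.12, "true_positive"),  # weak-signal threat the model missed
    Incident("INC-006", "av-signature-match-quarantined", 0.07, "benign_positive"),
    Incident("INC-007", "rare-parent-child-process", 0.65, None),  # not yet reviewed
]


def run_shadow_mode(incidents: List[Incident]):
    """Tag, build the queue, and score the model. Returns (queue, metrics)."""
    tagged = tag_incidents(incidents)
    return prioritised_queue(tagged), shadow_metrics(tagged)


if __name__ == "__main__":
    queue, metrics = run_shadow_mode(SAMPLE_INCIDENTS)
    for inc in queue:
        print(f"{inc.incident_id} {inc.model_score:.2f} {inc.tags[-1]:<18} {inc.rule}")
    print(metrics)
```

On the constructed sample the queue keeps all seven incidents and puts the two high-scoring true positives first, but the metrics also surface INC-005, a confirmed true positive the model tagged low. That single miss is exactly why the tag stays a recommendation rather than a filter until enough reviewed incidents show the miss count holding at zero.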
Knowledge exchange
Mr Cartwright said the partnership between Australia Post and Alpha Level came about when “dominos lined up”.
“Years ago, when I was at a bank, I worked with Dr. Joshua Neal, the founder of Alpha Level. I met him at Los Alamos National Laboratory in the US. He had a PhD in statistical mathematics, and like most people at Los Alamos, he has a brain as big as a planet. It’s a very fascinating place.
“We talked about some of the problems he was solving on behalf of that facility that were obviously getting all sorts of attention, and how he had developed a model to detect and respond to anomalies.
“Then we studied that technology at one of the banks in Australia. We worked with him to understand how it would work in a commercial environment and how it would work in a very restricted environment. We both learned a lot.”
Fast forward a few years, Cartwright said, and he got back in touch with Neal, who had just started at Alpha Level, saying he was “interested in solving cyber problems.”
That led to discussions that resulted in the current partnership.
The partnership has not yet involved any money changing hands, but Australia Post, at least one other Australian company and a US company are each trying to address the troubling problem of cybersecurity alert flooding.
“At this point we’re not actually paying them for this,” Cartwright said.
“But the advantage for Australia Post is that we can tap into their deep expertise. People like Josh are very rare in the world, so having a direct conversation with him and feeding the model and commercializing what we want and what he thinks we want is really important for us.”
“At some stage, they’ll come up with a product based on that. They’re a startup and they want to bring something to market. And at that stage, we’ll decide whether we’ve progressed far enough along this trajectory to justify the investment.”
Mr Cartwright said few Australian SOCs had access to the “thinking power” that this partnership provided.
In addition to producing specific models, Cartwright said another important deliverable under the agreement is “skills transfer.”
“It’s not that [my analysts are] going to be statisticians, but they get to understand modeling, the pitfalls, and the benefits. Because using ML and AI has its pitfalls. I learned that over the past 15 years in the cyber security field.
“There are big benefits, but you don’t usually get to see them unless a vendor knocks on your door and says, ‘Here’s my product, it has AI, buy it.’ And everyone does.
“So this is actually educating my team as well about what works, what doesn’t work, and what we need to think about.
“That collaboration is gold.”
