Information Security (InfoSec) operations analysts are deluged with data, even though they do not review a significant portion of an organization's logged data, and certainly not in anything close to real time. Additionally, too many of the alerts generated by log reviews (e.g., by a SIEM) are false positives: an unnecessary distraction for analysts, and a contributor to the embarrassing number of false negatives. With log volumes growing significantly year over year, a radical change in approach is needed.
Enter AI. Not just machine learning, but AI; specifically, active learning. In this presentation, we will discuss how to use active learning to augment trained analyst personnel, who are in critically short supply, how to institutionalize their knowledge of benign traffic and attacks, and how to share that knowledge between organizations.