Machine Learning Can Help a Reactive Incident Response Plan Become a Proactive Incident Response Strategy

By Yongjian Feng posted Wed March 20, 2019 10:53 AM


Machine Learning (ML) has become part of the vernacular in forward-thinking cybersecurity companies, but there is still confusion around how and when it can best be used. In the context of Incident Response (IR), these capabilities can be reduced to a single goal: extracting information from historical data to inform future decisions. In the Resilient platform, machine learning can accelerate incident response by dynamically classifying incident fields as an attack is unfolding.


Machine learning involves some statistical concepts that you may already be familiar with, such as conditional probability (the probability of an event occurring given that another has already happened) and correlation (the measurement of how one variable reacts to changes in another variable).


A machine learning model built for incident response looks for the most likely outcome given the evidence at hand, using conditional probabilities learned from past cases (for example, deciding the severity of an incident based on related fields and historical data). The model can also use a more complex decision tree to correlate events and map a predicted path for decisions. A simple example has been provided below:


Important tasks like incident categorization, prioritization, and analyst assignment can be accomplished using machine learning. One use case involves leveraging historical incident data to assign security incidents to the best-equipped analyst based on past experience. Valuable resolution and response time can therefore be saved by eliminating the effort spent sifting through incidents. A proactive security strategy uses machine learning to put the right analysts in front of relevant incidents so they can quickly respond to attacks.
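To make the analyst-assignment use case concrete, here is an added example (not the Resilient platform's or the ML App's own code): a small naive Bayes classifier that learns, from a constructed set of closed incidents, the conditional probability of each incident field given the analyst who resolved it, and then ranks analysts for a new incident. The field names, values and analyst names are assumptions for illustration.

```python
from collections import Counter, defaultdict
import math

# Constructed sample of closed incidents: incident fields -> analyst who resolved it.
HISTORY = [
    ({"type": "phishing", "source": "email", "severity": "low"}, "alice"),
    ({"type": "phishing", "source": "email", "severity": "medium"}, "alice"),
    ({"type": "phishing", "source": "email", "severity": "high"}, "alice"),
    ({"type": "malware", "source": "endpoint", "severity": "high"}, "bob"),
    ({"type": "malware", "source": "endpoint", "severity": "medium"}, "bob"),
    ({"type": "malware", "source": "network", "severity": "high"}, "bob"),
    ({"type": "data_leak", "source": "cloud", "severity": "high"}, "carol"),
    ({"type": "data_leak", "source": "endpoint", "severity": "medium"}, "carol"),
    ({"type": "phishing", "source": "cloud", "severity": "low"}, "carol"),
]


class AnalystRecommender:
    """Naive Bayes over categorical incident fields with add-one smoothing."""

    def __init__(self, history):
        self.total = len(history)
        self.label_counts = Counter(label for _, label in history)
        self.feature_counts = defaultdict(Counter)  # (field, analyst) -> Counter of values
        self.values = defaultdict(set)              # field -> values seen in history
        for fields, label in history:
            for field, value in fields.items():
                self.feature_counts[(field, label)][value] += 1
                self.values[field].add(value)

    def log_posterior(self, fields, label):
        # log P(analyst) + sum over fields of log P(value | field, analyst).
        # The extra +1 in the denominator reserves mass for values never seen in training,
        # so a new source or type does not zero out every analyst's score.
        score = math.log(self.label_counts[label] / self.total)
        for field, value in fields.items():
            seen = self.feature_counts[(field, label)][value]
            score += math.log((seen + 1) / (self.label_counts[label] + len(self.values[field]) + 1))
        return score

    def rank(self, fields):
        scores = {label: self.log_posterior(fields, label) for label in self.label_counts}
        return sorted(scores, key=scores.get, reverse=True)

    def suggest(self, fields):
        return self.rank(fields)[0]


if __name__ == "__main__":
    model = AnalystRecommender(HISTORY)
    print(model.rank({"type": "malware", "source": "endpoint", "severity": "high"}))
```

In practice the ranked list, not just the top name, is what an analyst-assignment rule would surface, so a reviewer can override the suggestion when the top analyst is unavailable.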


In Resilient, setting up a machine learning model to suggest an analyst for incoming incidents can streamline your response strategy. It’s important to note that historical data about incidents in the platform is used to make the predictions. To see how this can be done inside the platform, please check out the follow-up blog. It provides a tutorial for building a machine learning model to predict the best-matched user and assign them an incoming incident in Resilient.


The early access Machine Learning App for Resilient can be found on the IBM App Exchange.

#Machine Learning