In the mad rush to apply new technologies to tough security problems, the forgotten element is often the security staff that holds everything together. We have to chuckle when we see big data security players claiming, “no human intervention required!” Really?
We’ve talked before about the Active Cyber Defense Architecture – a four-step process of sensing, sense making, decision making and action. Its linchpin is the security staff that must wade through the white noise generated by the IT ecosystem to find and fix threats. They are the decision makers and action takers. Any attack that gets beyond the real-time defenses requires human intervention to find and manage.
Blindly automating a response to a threat is not a trivial decision. It can result in actions like cancelling a quarterly investor call or kicking a VP off the network. Moreover, the “false positive” phenomenon overshadows any security remediation and puts tremendous pressure on the upstream stages of sense making and decision making.
Yes, as the “sense making” capabilities get better and more reliable, the downstream human decision making and action will become more confident and effective. But the goal isn’t to replace a savvy security practitioner; it’s to make that very scarce resource more productive.
The key isn’t exotic machine learning algorithms (although they can help). Let’s simply use intelligent distillation and summarization techniques to start the analyst at a place that today takes them hours or days to get to. Lift them out of the morass of files, logs, etc. that they must slog through to start the process of threat detection and incident investigation.
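As an added illustration of what “distillation and summarization” means in practice (this is example code written for this page, not code from the original post or from any product it describes), the script below collapses a pile of raw authentication log lines into one row per source address and flags only the rows an analyst should look at first. The sshd-style line format, the sample lines and the thresholds (3 failures, 3 distinct usernames) are all assumptions constructed for the example; a real deployment would read from the SIEM or log pipeline instead of an inline string.

```python
"""Distill raw auth log lines into a per-source triage summary.

Added example for this page, not code from the original post. The log
format, sample lines and thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data), in an assumed sshd/syslog style.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 4001
2024-03-01T08:00:02Z sshd[101]: Failed password for invalid user root from 198.51.100.7 port 4002
2024-03-01T08:00:03Z sshd[101]: Failed password for invalid user test from 198.51.100.7 port 4003
2024-03-01T08:00:04Z sshd[101]: Failed password for invalid user oracle from 198.51.100.7 port 4004
2024-03-01T08:00:05Z sshd[101]: Failed password for invalid user guest from 198.51.100.7 port 4005
2024-03-01T08:00:09Z sshd[101]: Accepted password for jsmith from 198.51.100.7 port 4006
2024-03-01T08:05:00Z sshd[102]: Accepted publickey for alice from 192.0.2.10 port 5000
2024-03-01T08:06:00Z sshd[103]: Failed password for bob from 192.0.2.11 port 5001
2024-03-01T08:06:30Z sshd[103]: Accepted password for bob from 192.0.2.11 port 5002
2024-03-01T08:07:00Z cron[200]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed line shape; anything that does not match (cron, kernel, ...) is noise here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_auth_events(text):
    """Return sshd auth events as dicts, oldest first; non-auth lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def distill(text, fail_threshold=3, user_threshold=3):
    """Collapse events to one row per source and flag the rows worth an analyst's time.

    Thresholds are illustrative assumptions, not recommended production values.
    """
    per_src = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set(),
                                   "first": None, "last": None,
                                   "success_after_failures": False})
    events = parse_auth_events(text)
    for ev in events:
        row = per_src[ev["src"]]
        row["users"].add(ev["user"])
        row["first"] = ev["ts"] if row["first"] is None else min(row["first"], ev["ts"])
        row["last"] = ev["ts"] if row["last"] is None else max(row["last"], ev["ts"])
        if ev["outcome"] == "Failed":
            row["failed"] += 1
        else:
            row["accepted"] += 1
            # A success that follows a burst of failures from the same source is
            # exactly the kind of thing buried in the raw stream that an analyst
            # should see first.
            if row["failed"] >= fail_threshold:
                row["success_after_failures"] = True

    rows = []
    for src, r in per_src.items():
        flags = []
        if r["failed"] >= fail_threshold:
            flags.append(f"{r['failed']} failed logins")
        if len(r["users"]) >= user_threshold:
            flags.append(f"{len(r['users'])} distinct usernames tried")
        if r["success_after_failures"]:
            flags.append(f"login succeeded after {r['failed']} failures")
        rows.append({"src": src, "failed": r["failed"], "accepted": r["accepted"],
                     "distinct_users": len(r["users"]),
                     "success_after_failures": r["success_after_failures"],
                     "first_seen": r["first"].isoformat(), "last_seen": r["last"].isoformat(),
                     "flags": flags})
    # Flagged sources first, then by failure count, so the top of the list is the starting point.
    rows.sort(key=lambda r: (-len(r["flags"]), -r["failed"], r["src"]))
    return {"lines": len(text.splitlines()), "auth_events": len(events), "sources": rows}


if __name__ == "__main__":
    summary = distill(SAMPLE_LOG)
    print(f"{summary['lines']} lines -> {summary['auth_events']} auth events -> "
          f"{len(summary['sources'])} sources")
    for r in summary["sources"]:
        marker = "REVIEW" if r["flags"] else "ok    "
        print(f"{marker} {r['src']:<14} failed={r['failed']} accepted={r['accepted']} "
              f"users={r['distinct_users']} {'; '.join(r['flags'])}")
```

Run as a script, the ten raw lines become a three-row table with a single source marked REVIEW; the analyst starts at that row instead of reading the log from the top. The point of the design is that every field in the summary is traceable back to the raw lines it was built from, so the human can still drill down and override the machine when the distillation is wrong.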
Talented security personnel are scarce and expensive. Let’s make sure the ones we have are being helped with technology, not buried by it.