What’s Old is New: How Old Math Underpins the Future of A.I. in Security Operations

Most of us engineers know the truth—A.I. is just old math theory wrapped in a pretty package.  The deep learning algorithms used for Neural Networks? Yep, you guessed it, those were developed in 1943!

For those of us in Security Operations, the underpinning mathematical theories of probability will lead us into the future. Probability theory will automate human analysis–making real-time decisions on streaming data.

Probabilistic modeling will fill the gaps that our SecOps teams deal with today:  Too much data and not enough time. We humans have a very difficult time monitoring a live streaming console of security events.  We just can’t thread it all together with our limited knowledge, biases, and the small amount of time we have to interact with each new event.

Making instant decisions as data is streamed real-time is near impossible because there is:

    • too much info and data to process,
    • not enough meaning—we don’t understand what the data is telling us,
    • poor memories—can’t remember things two hours ago let alone, days, week’s or months before.

Enter Probability Theory

Watch my short video to learn how Probability Theory will fundamentally change the future of Security Operations by expanding our ability to analyze more data across our environments than ever before.

Click here to watch now.

Jumping to a New Curve

In the business classic “The Innovator’s Dilemma“, author Clayton Christensen shows how jumping to a new productivity curve is difficult for incumbent leaders but valuable for new innovators.  I think a lot about this concept for cybersecurity. The world has changed dramatically these last 5-10 years and the curve most enterprises are on results in lots of siloed detectors, rudimentary processing, people-centric processes, and high costs to maintain platforms. The solutions for these problems had great promise in the beginning but still can’t provide the level of productivity necessary to keep up with advances by the adversary. Workflow automation helps, but not enough to address the “orders of magnitude” problem that exists. The scale is definitely tipped in favor of the attackers.  So how do we think out of the box to help companies jump to that new productivity curve?

Helping Customers Jump to a New Curve of Productivity

Three years ago, we started on a mission to help security operations teams right the balance between attackers and defenders. We are on the front-lines to change the status quo and to bring in a new way of thinking to defend the enterprise.

At Respond Software, we strive to unlock the true potential of Man + Machine —without bankrupting security teams. We aim to elevate the human analysts/incident responders to do what they do best (be curious, think outside the box, proactively take action) and let the machines do what machines do best (consistently analyze huge amounts of data thoroughly and accurately based on hundreds of dimensions). In short, security teams can use modern processing and computing techniques to help jump to a new curve and better defend their enterprise.

Today, our product, the Respond Analyst, is fulfilling that mission for customers around the globe. In fact, over the last 30 days, our Robotic Decision Automation product actively monitored billions of live events, vetted those into tens of thousands of cases, and escalated (only!) hundreds of incidents to our customers’ incident responders. What’s more, our security operations software customers were able to give the Respond Analyst feedback on what they liked, what they didn’t like and how to improve the results.  They now have an analyst on their team that can plow through the alerts and invoke expert judgement to group and prioritize them into incidents. This eliminates a huge amount of time wasted chasing false positives while freeing analysts to focus on threat hunting, deeper investigations, and proactive security measures.  What a change for those teams!

New $20 Million Investment = More Status Quo Busting

To continue these efforts and to expand to meet increasing demand, we are pleased to announce our $20M Series B round of financing.  The round was led by new investor ClearSky Security, with additional investment from our existing investors, CRV and Foundation Capital.

We are extremely pleased to add ClearSky Security to our team. ClearSky’s depth of cybersecurity knowledge and experience—both personally amongst the partners and from backing successful companies such as Demisto and Cylance—will be extremely helpful as we look to establish our innovative robotic decision automation software in more security operations teams. On top of it, we get Jay Leek, current ClearSky Managing Director and former CISO at Blackstone, to be on our Board.  See our press release (and the accompanying video) for more details and his perspective.

I’d also like to thank the hard work and dedication of the entire group of Responders that got us to where we are today. As I recently told the security operations software team, I’m certainly psyched to get the endorsement and funding from three world-class investors. Even more so, I look forward to using the funds to work with ClearSky to further innovate, provide service to customers, and expand our reach to help more security operations teams take the fight to the adversaries…and save money while they do it.  It’s time for security operations to bust through the status quo and jump to a new curve of productivity, capability and job satisfaction.

It’s time for the next phase of Respond Software.

Watch and Read More:


Video:  Jay Leek shares his reasons for investing in Respond Software (on the way to the airport in an Uber)!

Press Release:  Respond Software Raises $20 Million to Meet Growing Demand for Robotic Decision Automation in Security Operations

 

Fight Fire with Fire:
How Security Automation Can Close the Vulnerability Gap Facing Industrial Operations

“Be stirring as the time; be fire with fire; threaten the threatener and outface the brow of bragging horror.”
William Shakespeare 1592

…or as Metallica once sang in 1982, Fight Fire with Fire!

There is a fire alight in our cyber world.  Threats are pervasive, the tech landscape is constantly changing, and now industrial companies are increasingly vulnerable with the advent of automation within their operations.  Last week a ransomware attack halted operations at Norsk Hydro ASA in both the U.S. and Europe, and just days later two U.S. chemical companies were also affected by a network security incident.

 

As manufacturing processes become increasingly complex and spread out around the world,
more companies will have to navigate the risk of disruption from cyber attacks. 

Bloomberg Cybersecurity

 

Industrial control systems (ICS), in particular, were not designed with cybersecurity in mind. Historically, they weren’t even connected to the internet or the IT network, but this is no longer the case. Automation and connectivity are essential for today’s industrial companies to thrive but this has also made them more vulnerable to attacks.

 

The more automation you introduce into your systems, the more you need to protect them. Along with other industries, you may potentially start to see a much stronger emphasis on cybersecurity.
Bloomberg Cybersecurity

 

Adding to the problem is a shortage of trained security staff to monitor the large volumes of data generated across the network that inevitably makes a plant’s operation even more vulnerable.

Fight the vulnerabilities that ICS automation causes with security automation

To close the vulnerability gap, industrial companies can fight fire with fire by embracing security automation. Extending automation tools beyond the industrial operations and into a plant’s security operations center can reduce the risk of a cyber attack. Security automation arms security teams with information to quickly identify threats so human analysts can act before a potential threat causes undue harm.

At Respond Software, we’re helping companies realize the power of automation with a new category of software called Robotic Decision Automation (RDA) for security operations. By augmenting teams with a ‘virtual analyst’, called the Respond Analyst, security teams can quickly automate frontline security operations (monitoring and triage).  Only the incidents with the highest probability of being malicious and actionable are escalated to human analysts for further investigation and response.

We believe that by combining human expertise with decision automation, industrial organizations can reduce their vulnerability risk profile.  The Respond Analyst can do the heavy lifting to cover the deluge of data generated each day and human analysts can elevate to focus on creative endeavors to remediate and contain threats faster.

It’s no question that industrial companies will continue to be targeted by bad actors. But now with front-line security automation, these organizations can also proactively safeguard operations against threats.

Be fire with fire.
W.S.

Read more:
3 Trends That Make Automation a Must for Securing Industrial Control Systems

2018: The Year We Introduced Robotic Decision Automation to the World

We started Respond Software with a mission to right the attacker-defender balance—long tipped in the favor of the bad guys—by unlocking the potential of people+machines for every cyber security team that is feeling constrained by a lack of skilled resources. In 2018, I believe we’ve made significant progress against this mission.

But we had a problem. What our product does—combining the strength of human intelligence, experience, and judgement with the scale, consistency, and affordability of software to help resource-constrained businesses and their teams make use of expert level capabilities and capacity—is not only a mouthful but is also unique.

So we had to get better at describing this new class of product: a class of product that deploys and adds value quickly; a class of product that works by-and-large “out of the box”, without requiring rules to be written, playbooks to be programmed or big data sets to be “learned”; a class of product that will help redefine the future of security operations.

That new class of product is Robotic Decision Automation, or RDA, for short. And the Respond Analyst, our flagship product, is a great example of this technology in action. Customers across many industries, whose security operations ranged in size from “super SOC” to “a super great person doing security as part of their job”, are using the Respond Analyst to augment their team with round the clock, expert monitoring and triage.

I invite you to see just what these Decision Bots can do for you.

2018: When the Rubber Met the Road

Our approach at Respond Software has been to deliver results with humble persistence. With that said, there are times that you just need to reflect and celebrate key milestones in a young company’s evolution.

2018 was a groundbreaking year for us and our customers. We got our product up and running in a variety of customer environments, and validated that RDA works in the field. The Respond Analyst adds, on average, the equivalent of 14 full-time expert analysts to each of our customer’s security teams, expanding their capabilities and providing them greater security coverage.

With 600 percent growth in our customer base year-over-year, we’re seeing first-hand how well our technology resonates. Some are large, Fortune 500 companies, others are smaller mid-sized organizations, and they come from a wide array of industries, including financial services, healthcare, telecommunications, gaming, retail, and higher education. They all have one thing in common—a need for cost-effective, scalable security monitoring and triage.

It’s incredibly gratifying to know that we can help them and to see our software relieve the frustrations that their security teams had been experiencing

Gaining industry recognition

We’re also honored to have been recognized as a Gartner 2018 Cool Vendor in Security Operations and the recognition we received by industry luminary Ed Amoroso of TAG Cyber. Respond Software was included in both the 2018 and 2019 TagCyber Reports as one of the top 50 vendors to watch. And finally, we’re extremely excited to have had the opportunity to partner with Norwich University to protect the NCAA football championship against cyberattacks.

Going forward, we’ll continue to focus on providing value to our customers. Many of them are tired of the old way of doing things. We’ve shown that Robotic Decision Automation can help businesses move away from the failed approaches to cybersecurity—and get security analysts out from under the avalanche of alerts they’d been asked to monitor in the past.

With Robotic Decision Automation, today’s businesses have a real alternative. The Respond Analyst is more than a mere software tool. It acts as a partner to human cybersecurity teams, enabling them to work more effectively, efficiently, and with greater job satisfaction.

To learn more about how Robotic Decision Automation can build upon and enhance the expertise of your company’s security team, contact us to request a demo today.

Read the momentum Press Release here!

2019 Security Predictions: Real or Bogus? Respond Experts Weigh In

Where is cybersecurity heading and what should security teams focus on in 2019?

We thought it would be helpful to examine the most common cybersecurity predictions for 2019. Business press, trade publications and of course vendors had a lot to say about emerging technology trends, but what predictions or trends will matter most? More importantly, how can security teams and CISOs turn these predictions into advantages for their business?

I sat down with Chris Calvert, industry expert who often says; “if you have a problem with how today’s SOCs work, it’s partially my fault and I’m working to solve that issue!” With over 30 years of experience in information security, Chris has worked for the NSA, the DOD Joint Staff and held leadership positions in both large and small companies, including IBM and Hewlett Packard Enterprise. He has designed, built and managed security operations centers and incident response teams for eight of the global fortune-50.

During our conversation, we discuss questions like:

  • Will we see an increase in crime, espionage and sabotage by rogue nation-states?
  • How will malware sophistication change how we protect our networks?
  • Will utilities become a primary target for ransomware attacks?
  • A new type of fileless malware will emerge, but what is it? (think worms)
  • And finally, will cybersecurity vendors deliver on the true promise of A.I.?

You can listen to his expert thoughts and opinions on the podcast here!

Want to be better prepared for 2019?

The Respond Analyst is trained as an expert cybersecurity analyst that combines human reasoning with machine power to make complex decisions, with 100% consistency. As an automated cybersecurity analyst, the Respond Analyst processes millions of alerts as they stream. Allowing your team to focus on higher priority tasks like threat hunting and or incident response.

Here’s some other useful information:

3 Top Cybersecurity Trends for Channel Partners to Watch

We all know the next big IT shift towards AI and intelligent automation is on the horizon. Over the last few years, vendors and press have focused on the human-to-machine automation transformation. Many vendors promise solutions—but often those solutions are complex and not optimized for the channel.

The good news is that cybersecurity is primed and ready for automation now. But the question for Partners remains: How can VARs, Integrators, and MSSPs find the right solution that provides true human-to-machine technology to simplify life for their customers?

Here are 3 cybersecurity trends driving the industry towards automation and 1 simple recommendation that Channel Partners can leverage to get ahead of the game immediately:

Trend 1: Traditional console monitoring is ineffective

Security teams are spending too much time monitoring alerts that are providing little value for their efforts. Sifting through endless alerts with a high percentage of false positives is ineffective at best. It’s causing us to burn-out analysts and puts us in a continuous cycle of hiring and training new analysts. The analysts interviewed for the Voice of the Analyst (VOA) Survey help to inform us on where analyst time is better spent and what activities we should automate first. Automating workflow to increase analyst efficiency is important, but automating level 1 alert monitoring itself? That’s downright disruptive.

Cyentia Institute: Voice of the Analyst Survey, October 2017

Figure 1: We asked analysts to score their daily activities on a number of dimensions. One key finding is that analysts spend the most time monitoring, but it provides low value in finding malicious and actionable security threats. (Download VOA Survey here)

Trend 2: People shortage

Most security teams don’t complain about a lack of tools. They complain about a lack of people. Whether the budget won’t allow or skilled resources are in too high a demand to find (or retain), we’ve reached a point where supply has been outstripped by demand. What choice do we have? Leverage the power of machines to augment our security teams. This is finally possible with the advent of decision-automation tools that can off-load the task of console monitoring.

Bitdefender: CISOs’ Toughest Dilemma: Prevention Is Faulty, yet Investigation Is a Burden, April 2018

Figure 2. People shortage is a significant trend in our industry, forcing us to re-think how we’ll actively monitor our environments.

Trend 3: Too many tools

“Too many tools” is a regular complaint in organizations. Did you know most large organizations have on average 75+ security tools? Small organizations are not far behind. It’s all we can do to deploy these necessary security tools and maintain them let alone reviewing the endless alerts that these tools generate. What’s even more challenging is that we’ve seen an industry trend toward platform-based tools (e.g. SIEM or SOAR) that require engineering resources with the expertise to build and maintain platform content such as correlation rules and playbooks. Many organizations are overwhelmed by this task. In contrast, tools with expertise built-in, intelligent applications if you will, are what’s needed and they will change the way we think about platforms going forward.

Momentum Cyber February 2017 CYBERscape

Figure 3. Most organizations have dozens of tools to deploy and maintain.

An industry transformation is underway: Automation will disrupt the way cybersecurity is performed

We think 2019 will be the year of automation for cybersecurity. Customers will require automation to address the top 3 trends. They need to scale with the growing number of alerts and the increased complexity of monitoring today’s hybrid environments. Adding more people is not the answer. Finding ways to automate to off-load cumbersome tasks typically performed by humans is the answer.

This presents exciting new revenue opportunities for Channel Partners and also explains why we are experiencing increased momentum with: VARs, Integrators, and even MSSP’s. Respond Software is at the forefront of the industry transformation—applying machines to roles traditionally executed by humans.

One simple recommendation to gain a competitive advantage: the Respond Analyst

The Respond Analyst software is a scalable, plug-and-play “virtual analyst” that perfectly complements any security detection tool sale: Channel partners can increase revenue by providing both the tools and the Respond Analyst to monitor them.

This provides a unique selling opportunity for our Partners. Partnering with Respond Software gives customers—especially the mid-size enterprise ($50M-$1Bil revenue) simple solutions with fast results. Partners can also take advantage of recurring revenue, fast installations, and the potential to increase opportunities to sell more sensors.

To all of our potential partners: Please reach out if you’re interested in learning more about our solution and our partner program by registering at our partner page. Here’s an opportunity to bring new value to your customers and join us on our journey to bring automated security monitoring to the world.

For more information, read the Global Channel Partner Program Press Release

Neither SIEM nor SOAR–Can Security Decisions be Automated? Patrick Gray and Mike Armistead Discuss

We’ve asked the questions before, but we’ll ask it again: how much time does your security team spend staring at monitors? How about investigating false-positives escalated from an MSSP? More importantly, how are small security teams expected to cope with the growing amount of security data?

The world of security operations is changing. Extra processing power combined with faster mathematical computations, means security monitoring and event triage can now be analyzed at machine-scale and speed. With new innovations that leverage decision-automation, security organizations can analyze incidents more efficiently than ever before. Security teams no longer have to tune down or ignore low-signal events. Instead, technologies can now recognize patterns to identify malicious attacks that may have otherwise been overlooked.

So how will these new technologies impact security operations moving forward?

Mike Armistead, Respond Software CEO, recently sat down with Patrick Gray, from Risky Business, to discuss the state of information security today. In the 30-minute podcast, Mike and Patrick shed light on the future of security operations, discussing the limitations of traditional security monitoring/analysis techniques and the power of new technologies, like decision automation to change security forever.

During this podcast you’ll learn to:

  • Identify the biggest mistakes security teams make today and how to avoid it.
  • Manage the onslaught of data.
  • Increase your team’s capacity.
  • Stop wasting time chasing false-positives.

Listen to the full podcast, here!

Learn more about what the Respond Analyst can do for you!

3 Trends That Make Automation a Must for Securing Industrial Control Systems

Every time I flip a light switch or run water for my daily shower, I’m not thinking of the potential security risks within our power plants or water suppliers. I just take it for granted that the computers working behind the scenes keep things running smoothly.

These computers, also known as Industrial Control Systems (ICS), control the physical world of our most critical infrastructure. They monitor and control the processes responsible for machinery used in power generation and distribution, manufacturing, water treatment plants, HVAC, and many other industries.

The reality is that some of these systems were not designed with security in mind. Historically, these systems were not connected to the Internet or an IT network. They existed in an air-gapped environments, disconnected from all other networks.

The disconnected nature of ICS is quickly becoming outdated. Systems are more connected than ever before and can be accessed remotely by operators. Three trends are increasing the vulnerability of our ICS environments.

Trend 1: Connected IT and Operating Technology (OT) environments are growing.

While these blended environments provide increased efficiency and reduced costs for operators, they also increase the potential for security threats. Threats that occur in OT environments generally originate in the IT environment and then traverse the boundary.

This is complicated by the fact that Industrial Control Systems were not built with security event logging in mind, they receive software updates infrequently, and they often exist within flat networks (where all systems exist in the same network).

Bottom line—if one system is infected, it’s easy to spread the infection to multiple systems.

IT has traditionally focused on securing the confidentiality and integrity of data or services while ICS security has focused on maintaining operational availability and ensuring safety. Given the changing nature of the environments, these responsibilities need to evolve.

Trend 2: Attacks are becoming more sophisticated in critical environments.

There have been numerous examples of nation-states disrupting Industrial Control Systems with cyber attacks. One particularly well-documented example (and worth the read from Wired!) is Russia’s repeated disruption of the Ukrainian power grid. Other examples include:

Trend 3: A shortage of trained security analysts.

There is already a limited population of security analysts, but there is an even smaller population who can triage the combination of cyber and operational threats.

IT security analysts cannot monitor an OT network without understanding how the ICS systems function normally and how they can be exploited. Also, ICS systems often communicate on proprietary network protocols not found in IT environments and therefore, require specialized detection technologies to alert an ICS related threat.

Stop these 3 trends from impacting your ICS environment

The increasing potential for threats, combined with the lack of specialized resources to detect these threats, leave us all vulnerable. The serious attacks on power and water supplies around the world demonstrate the urgency of staying ahead of the bad guys.

Help is on the way. Using Artificial Intelligence (AI) and Machine Learning, Respond Software has partnered with SecurityMatters (recently acquired by Forescout) to provide automated monitoring, decision making, and triage of network intrusions within ICS environments.

Respond Analyst provides 24×7 automated monitoring and triage, without requiring you to hire, train, and operate a team of security analysts. SecurityMatters provides in-depth visibility into ICS environments, classifying assets and detecting threats based on deep packet inspection of industrial protocols. By monitoring both your OT and IT environments, Respond Analyst is able to identify threats crossing that boundary, providing an earlier warning, and increased visibility into the earlier stages of the attack.

Security Matters and Respond Software partnership.

Why It’s Time to Go Back To The Basics of SOC Design

The average SOC is no more prepared to solve their cybersecurity issues today, than they were 10 to 20 years ago. Many security applications have been developed to help protect your network, but SOC Design has traditionally remained the same.

Yes, it’s true we have seen advancements like improved management of data with SIEMS and Orchestration of resolutions, but these tools haven’t resolved the fundamental challenges. Data generated from the most basic security alerts and incidents are overwhelming and still plague the most advanced security organizations.

Which begs the question: How are smaller, resource-constrained security organizations expected to keep up when even enterprise-sized organizations can’t?

According to a recent article in Computer Weekly, the issue is that most organizations, even with the tools & the know-how, are still getting the basics all wrong.

“Spending on IT security is at an all-time high. The volume of security offerings to cover every possible facet of security is unparalleled…The reason so many organisations suffer breaches is simply down to a failure in doing the very basics of security. It doesn’t matter how much security technology you buy, you will fail. It is time to get back to basics.”.

The article mentions that security operations teams need to focus these four key areas to really see any impact positively affecting their SOC design:

  1. Security Strategy
  2. Security Policy
  3. User Awareness
  4. User Change

But is it as simple as this?

The answer is a resounding YES!

There is no question that it’s still possible to cover the basics in security strategy and achieve enterprise security results. Our recommendation? Start with the most tedious and time-sucking part of security analyst role — analysis and triage of all collected security data. Let your team focus on higher-priority tasks like cyber threat hunting. It’s where you’ll get the biggest bang for your buck.

Cybersecurity is Complicated, Here’s a Little Help

If you’re like me, continuously listening to webinars & podcasts to broaden your knowledge of the security industry, emerging trends, and new threats – you’re always looking for reliable, thought-provoking sources to learn and educate yourself.

I guess you could call me a “Security Geek”!

I have always found podcasts to be a phenomenal resource to learn about industry trends and products or services that are revolutionizing how teams operate. Not only do you get a chance to listen to subject matter experts and thought-leaders talk about their industry knowledge, but also learn about an application’s benefits and value it brings to solve everyday challenges.

The best part, they are free learning-sessions from industry experts on new trends and applications you and your team can utilize!

Below are the top 4 podcast channels I frequently visit each week to stay updated on the cybersecurity industry, trends and useful advice – including our new Respond Software podcast.

  1. The Risky Business podcast, hosted by award-winning journalist Patrick Gray, features news and in-depth commentary from security industry luminaries. Risky Biz is a phenomenal source to stay updated on the latest cybersecurity news on a weekly basis and trends.
  2. The Unsupervised Learning Podcast series, hosted by cybersecurity professional Daniel Miessler, discusses current cybersecurity news, emerging technologies, and provides opinions and advice on the latest trends in security.
  3. The Defensive Security podcast, hosted by Jerry Bell and Andrew Kalat provides a fun take on recent security news. One of the intriguing aspects of their podcast is they recommend feedback and advice for business on what they can apply to keep their network secure. Their perspective and input on best practices is very fascinating.
  4. The Respond Software podcast series covers a wide range of topics and issues – providing a fantastic way to learn about emerging threats and trends, challenges in security operations and opinions from industry experts. One of the primary focuses of the Respond Software Podcast series focuses on the role of humans and technology in the cybersecurity space. The series also features prominent industry leaders like Raffy Marty, VP of Corporate Strategy at Forcepoint. In a recent podcast, Raffy discusses cybersecurity challenges that exist today, what technologies can help improve existing processes and how cybersecurity has changed over the years.

By listening to these podcasts, I have learned a tremendous amount about the cybersecurity industry, trends, threats and new technology that revolutionizes how teams operate.

If you’re waiting for our next podcast to be released and want to learn more about the cybersecurity industry and discover how Respond Analyst can help your team – register for our upcoming webinar on the new Respond Analyst Web Filter Module on November 7th! You will learn how real-time analysis and triage of web filter data, during network and endpoint analysis, gives security teams an edge in reducing response times and limiting the impact of some of the most stealthy attacks!

Join our growing community! Subscribe to our newsletter, the "First Responder Notebook," delivered straight to your inbox.