Raffael is currently VP Security Analytics at Sophos and a strategic advisor for Respond Software. Before his current roles, he held positions at Splunk, ArcSight and IBM, and was the founder of PixlCloud. He is also the author of Applied Security Visualization, the first book on security visualization.
The Respond Software team wanted to get Raffy’s expert perspective on visual communication in information security, what measures are necessary to advance security analytics, and his thoughts on analytical vs. subject matter expertise.
Q: You recently gave a talk at BSides saying that security was still in the 1990s. What will it take for security analytics to advance beyond that?
A: I was upset with all these security products claiming to use artificial intelligence and machine learning. In reality, very few are using machine learning, let alone AI. To move forward we must get better at encoding domain knowledge in systems. We must try to capture the knowledge of experts and apply that to our data. In many cases, these are simple rules. The hard part is how to find these experts. This is where we need to build open systems that share information. The underlying technologies and algorithms are only secondarily important.
Q: As an expert in security analytics, which do you find more important, “analytical expertise” or “subject matter expertise?”
A: Subject matter expertise. Period. Teach a data scientist about security and you will see what happens. But, teach a security domain expert (good luck finding the really good ones) data science and you’ll be surprised what you can achieve.
Q: As the guy who wrote the first book on security visualization (Applied Security Visualization), what do you think is the worst form of visual communication in information security?
A: Where to start? Security products are quite bad at using visualization to communicate information. Look at security dashboards. They are generally cluttered with charts that have no clear call to action, make use of the wrong visual paradigm to encode data, and recently have been trying to imitate themes from movies to look fancy. But visualization is about making information easily accessible and understandable. We have a long way to go.
Q: What interested you in becoming a strategic advisor to Respond Software?
A: I have known the founding team for a number of years and Chris Calvert for over 18 years. Chris and I met virtually through a collaboration between IBM research (where I was working) and IBM MSSP (where Chris was working). We stayed in touch through frequent exchanges about our hands-on experience and war stories in the SIEM and data analytics space. The Respond Software team is made up of people who have served their time on the front lines. They are security experts paired with the right business acumen. When Chris shared that Respond Software was “automating the Level 1 analyst,” I had no doubt that they could pull that off. Getting involved much deeper, I found my hunch was correct. What the team is building has incredible potential. Who wouldn’t bet on a company that can express their ROI in literally replacing (or reassigning) hard-to-find security experts?