Up until recently, being a “Detection Person” meant being a security analyst who could pull packets apart in meaningful ways.  It meant someone who understood biases in decision making and knew specific ways to correct for them (See Richards Heuer).

Being a detection person also meant:

  • Consuming large and continuous amounts of information
  • Processing it in different ways
  • Getting it right more often than not (which was really hard).

Of course, for those of us who have held this role, we know exactly how much time is needed to pull those packets apart given the size of the problem.  And, that necessary time required is precisely why that level of analysis has rapidly become forensic as opposed to diagnostic.

The packet ninja as taught by Steven Northcutt or Johannes Ulrich was a black art deep in the depths of a system log file or tcpdump flag.  To put this into context, the detection person sits between all of your expensive security technologies (IDS, FW, for example) and your incident response team.  The detection person decides if a series of circumstances are truly malicious and actionable and wakes people up to tell them.  In many cases, the solution came from hunches, curiosity, luck and a ton of RSS reading.  Those days are gone.

Hyper-current modus operandi is a daily reality (sounds a little obvious). Instead of black magic, we need more math and science.  That means measurement, hypothesis, and testing.  Now that event triage and traditional security analysis can be automated, you can focus on detecting novel attack techniques and immediately automating their continued detection.  The person who will make this happen is not a security analyst nor a data scientist, but something in-between — a detection scientist.

Understanding the haystack and finding smaller and smaller needles is a central problem in information security today.   Unfortunately, this analogy includes finding specific pieces of bad hay.  The event funnel is status quo and it isn’t working.  So, the best path forward is applying hard science to detection.
Science that makes sense for detection includes everything from metrics, data visualization, statistics up to and including advanced artificial intelligence.  Clearly, there are a lot of buzz words here, but all still useful when applied appropriately to the detriment of the bad guys. With detection science, the hunt is on!

Chris Calvert

Chris has over 30 years of experience in defensive information security; 14 years in the defense and intelligence community and 17 years in commercial industry. He has designed, built and managed global security operations centers and incident response teams for eight of the global fortune-50. As he often says, if you have complaints about today’s security operations model, you can partially blame him. It’s from his first-hand experience in learning the limitations of the man vs. data SecOps model that Chris leads product design and strategy for Respond Software.

View all posts by Chris Calvert