2017 marks my 20th year working in the cybersecurity industry. Many people have asked me to summarize the one conclusion I have reached after two decades. Here’s what it boils down to: as an industry, we are not done yet, not even close. I don’t think anyone would argue there’s no work to be done. The question is what work needs to be done to move the security industry forward significantly.
I see the industry’s attention shifting toward the latest shiny object: Artificial Intelligence. I have observed the run to the latest technology many times. IDS -- no wait -- IPS. SIEM, Security Analytics, User Behavior Analytics. Is Artificial Intelligence a passing fad or something real? I’m quite sure much of it is marketing hype, but this is what I do know: we need to leverage what machines do best and more importantly, let humans do what we do best.
To be fair, we have been leveraging machines to process and prioritize mountains of security data for years. However, applying artificial intelligence to the problem is drastically different. Can we teach a machine to identify what is normal vs. what is malicious in the data? Most machine learning (ML) approaches are based on this premise. While I do believe this is extraordinarily useful, it takes a long time to teach a machine to identify malicious threats worth escalating. The teaching method requires repeated interactions with humans and is limited by what is contained in the dataset at that time. For example, future zero-days and historical techniques alike are missed until the machine sees them and is taught to identify them as malicious.
The next big question is, can we go one step further? Can a machine reason like a human analyst?
At different points in my career, I faced the challenges of staffing SOC Level-1 analysts. When I first joined ArcSight in 2007, my mission was to develop an offering to help customers build SOCs around the ArcSight SIEM product. At that time, we learned just how dependent a SOC is on the human factor. We needed human analysts to monitor consoles 24/7. Skilled analysts were scarce, as they are today, so we did the only thing we could do – we trained them from scratch. We quickly learned how to recruit and educate Level-1 analysts with the goal of sending them to the front lines. We helped customers establish their first analyst teams, but it soon became apparent that for customers to be successful, they needed to learn how to develop new analysts and scale this into a repeatable process. Level-1 analysts have an average “shelf life” of 2-3 years, making analyst turnover the Achilles’ heel of the SOC.
As it turns out, developing a repeatable model to staff analysts was solving the wrong problem – there was just no way to keep up with the avalanche of data coming into the SOC. Signature-based technology is prone to false positives and is too noisy for analysts to monitor effectively. Even with a SIEM, the exponential growth in data piled alerts into the SOC. Analysts were still stuck on the console, combating console blindness and fatigue, which often resulted in ineffective monitoring or analyst attrition. The SIEM industry was born, for the most part, to solve this exact problem -- reduce the number of alerts a Level-1 analyst must monitor and triage. While the approach was worthy, it ultimately did not solve the problem of too many alerts and not enough skilled analysts.
But what about the possibility of leveraging technology to automate much of the drudgery analysts must perform? By going down this path, we free the analysts from console monitoring and elevate their roles so they can do what humans do best: hunt for real attacks and chase the bad guys.
Enter Respond Software. It was clear from my very first conversation with the Respond founders that they were solving the very problem I wrestled with for years by rethinking and transforming the process of SOC monitoring altogether.
However, before joining the team, I needed to know two things:
- Can the Respond Analyst™ replace the Level-1 analyst?
Answer: Yes! Respond Software has built a network intrusion analyst that can reason like a human and, in fact, consistently and comprehensively outperform the human analyst; it never gets tired, never gets bored, and works 24x7x365.
- Will the solution “work out of the box?”
Answer: Yes! The primary problem with today’s machine-learning technologies is that they do not work out of the box. They require many months of learning and constant feedback from trained security experts, which many companies overlook when deciding to add or replace software for their SOC. With Respond Analyst™, the learning is “built-in,” and it works seamlessly right out-of-the-box.
What I like most about Respond’s solution is that it is not merely augmenting the Level-1 analyst. Instead, the Respond Analyst™ automates the mundane work of the Level-1 analyst, eliminating the need for human analysts to monitor the console and freeing them to hunt down and investigate real threats. Respond is not a detection engine alerting on possible compromises that still need analysis. Respond is a game-changing decision engine, automating the analyst’s decision of what is likely to be a real incident.
It is an understatement to say I was excited by the opportunity to join Respond’s management team. They are a talented group of industry professionals with years of security expertise, enterprise software development and, more importantly, a proven history of driving company success. What comes next? Teaming with Respond and solving more really big problems in the cybersecurity industry!