How the Respond Analyst is different — Chapter 2

Ed Amoroso

Mike Armistead

It’s not often that I say wow when I hear an idea, but when you told me about Respond and what you guys are doing, I think I did say wow. I think it’s a really good idea — the virtual analyst.

Tell the folks a little bit about your idea and how it solves what I think is a pretty big problem in running a SOC and a team to do security. Tell us about it!

Yeah, at the start too, I think we all kind of did a wow too. Not so much that we thought we got something, but what could we do that would make a difference in security operations.

It’s an area that is struggling. There’s such an imbalance between the attackers and the defenders right now. It’s really stacked against these resource-constrained defenders that are trying to get their work done and be successful… not being hacked.

We looked at what the areas were where we could do this, and it kept coming back to a single bottleneck – people cannot process the mountains of data that are coming at these teams and organizations. Yet they have to process this to be successful in security.

I think 10 years ago, we might not have been successful on the technology side of what we are doing: the processing power wasn’t there, and the mathematical frameworks had not been applied, or there was not enough research in the area. As we tried to build an expert system, a system that emulates the judgement of what people do in security operations, we weren’t positive it was going to work either. It was a combination of these other factors coming together that made the difference. We were able to create something and apply it.

You talk about building innovations; we have some great design partners that helped lead us into what they were doing in their organization, and we got a product out of it. That product is the virtual analyst you talked about; virtually, we have our software that emulates the decision making that goes into what is important and what requires response.