Automated Threat Detection: How Cybersecurity is like a Puzzle

by Mike Reynolds
category Security Operations Software

When I was a kid, I loved to solve jigsaw puzzles. As I got older, and maybe a little wiser, I naturally took on more complex and intricate puzzles. However, in my mind, the holy grail of jigsaw puzzles, the one that intrigued and intimidated me at the same time, was none other than “Spilt Milk!” The puzzle had hundreds of little white pieces that all looked the same, the only distinguishing characteristic being the actual shape and fit. I remember strolling down the aisle at my local toy store (in those days we bought stuff in real stores), contemplating whether I had the guts to take on that puzzle. I never did. I was too intimidated.

Image 1: The mother of all puzzles, Spilt Milk!

Threat Detection: A More Complicated Puzzle

As I reflect on what we are asking our tier 1 and tier 2 security analysts to do in the Security Operations Center (SOC), I am often reminded of that Spilt Milk puzzle, except this puzzle is even more complicated: it has multiple moving parts, pieces that simply do not fit (think false positives) and, of course, much higher stakes. Unless you have a team of expert puzzle solvers with unlimited time, patience and wicked memory recall, asking them to solve the cybersecurity puzzle of detecting threats with a high level of accuracy is a nearly impossible task. And as I mentioned, in the cybersecurity world the stakes are much higher. If the puzzle isn’t solved in a reasonable timeframe, that can cost an organization millions of dollars in lost or stolen data.[1]

Machine and Man

Let’s face it, human beings are great at activities such as investigation, collaboration and general creativity, but the reality is that solving extremely complex puzzles with potentially millions of little pieces is something we are not well suited for. Perhaps the answer to solving these puzzles is a combination of machine and man. What if we let software do what it is good at (remembering nuanced details and being consistent, at scale) and let humans do what they are best at, like hunting and investigating cyber threats?

The Respond Analyst handles the machine part of solving puzzles, or, more accurately, detecting real threats that are hidden in millions of bits of seemingly unrelated data. This data is generated by security sensors that most organizations already have in place, including Intrusion Detection and Prevention Systems (IDS, IPS), Endpoint Protection Platforms (EPP) and Web Filters or Proxies. However, the Respond Analyst does not stop at the security sensor data; it completes the threat detection puzzle by adding company context and external threat intelligence. The Respond Analyst integrates all of this information to produce actionable, enriched, real incidents that humans can then resolve. Our customers are seeing the results too, as the Respond Analyst reasons through millions of alerts and scopes them down to a small, manageable number of actionable incidents.

If you are interested in relieving your SOC team of mundane and fruitless tasks like weeding through endless security alerts to solve that impossible puzzle, and instead letting them focus on the activities they are naturally suited for, like investigation and threat hunting, it’s time to look at the Respond Analyst.

OK, on to my next puzzle…

Image 2: Need to focus on this one...

[1] Center for Strategic & International Studies (CSIS), “The Impact of Cybercrime,” James Andrew Lewis, February 21, 2018.