Humans + Machines = Modern SOC

Mitch Webb
by Mitch Webb
category Uncategorized

When it comes to security operations, the duo that’s stronger and more effective in partnership than when they’re apart is humans and automation. Because critical tasks within the cybersecurity operations workflow—namely monitoring—aren’t well suited for people to perform, the pair can achieve outcomes that neither human-only teams nor AI-based systems could ever reach, and they can do so consistently, scalably, and at a low cost.

Business and technology leaders tasked with managing a security operations program are well aware of the challenges they face. If the organization collects enough sensor data across the enterprise to attain adequate coverage—meaning that malicious activity will be detected—that organization faces the task of monitoring a sheer volume of data that’s simply greater than its human security analyst team can handle. Anything less, and wily attackers have a far greater chance they worm their way through the cracks.

Making intelligent use of automation represents the way forward. For lean and nimble teams determined to do a better job, leveraging security operations software will allow humans and machines to augment each others’ capabilities, so that both can focus on—and excel at—what they do best.

The Beauty of Brains

When it comes to cybersecurity analysis, humans are highly proficient at tasks involving curiosity, creativity, and interaction with other humans. They’re masters of investigation, exploration, and asking ‘what if?’ questions. This means they tend to be good at threat hunting, strategizing, planning projects, asking probing questions, and forming conclusions. They also excel when it comes to making business-level decisions.

They’re not great at staring at consoles for hours on end. Consistency isn’t their forte, especially when they’re being asked to evaluate large data sets, over and over again. It’s too easy for them to get tired, stressed, or distracted—and too hard to remember the contextual information against which each alert should be considered.

The Might of Machines

Call it artificial intelligence if you will, but there’s nothing unnatural about the most advanced cybersecurity automation software. It’s able to leverage Bayesian logic and probability theory, along with other modeling approaches, to find the most likely solution to problems involving enormous volumes of data. Thus it can consider near-infinite amounts of network telemetry data, user data, system profile data, and threat intelligence. It can operate without bias--just because it's seen a hundred million instances of the same alert type that weren't malicious, it's not going to assume that this one isn't. And it never forgets.

This makes automated cybersecurity tools perfectly suited to perform certain types of tasks. It can ask very large numbers of highly detailed questions in a short time frame. This makes it good at security monitoring, since it involves asking, over and over again, “Is this event unusual? Is it related to other events that are occurring, or have occurred, elsewhere? Are vulnerable assets involved? Sensitive data? Known malware?”

Security operations software tools can ask and answer many questions of these types in a fraction of a second, enabling it to come to a better understanding of what’s going on within the environment than human analysts, who are confined by the limits of their memories, attention spans, and awareness. Simply put, automation is better able to perform repetitive cognitive tasks quickly and consistently than human brains are.

Top-performing Teams Take Advantage of the Best of Both Worlds

Human brains have unique strengths and capabilities that no current automated system can replicate. And machine learning and automation—including security operations software—is best able to perform types of tasks that humans struggle with. When SecOps programs bring them together, remarkable synergies appear.

Security teams that harness the power of security operations software enable their human analysts to focus on the events—and areas of the security operations workflow—that truly need their talent and expertise. By offloading the tedious monitoring tasks to an automated system, they’re able to give their human analysts the chance to do what they’re best at—increasing their job satisfaction as well as their effectiveness.

They’re able to conduct deeper investigations. When malware is detected on a workstation, for example, rather than merely re-imaging the machine, they’ll be able to take the time they need to ask—and research the answers to—the most important questions. How did that malware get there? Vulnerability exploited? Have the attackers made efforts to move laterally across the network? Are any seemingly unrelated events elsewhere in the environment actually caused by the same threats?

They can act faster. Because human + machine teams can conduct investigations more quickly, they’re able to minimize the time between detection and response. Industry research has long demonstrated that the shorter the dwell time of attackers in an environment, the lower the risks associated with a data breach. When security teams operate with greater speed, the overall cybersecurity risks that their organizations face are dramatically reduced.

Their time can be spent elsewhere—on exploratory analytics, threat hunting, or other projects. Security analysts working at smaller organizations often find themselves wearing many hats. With security operations software wearing the “routine monitoring” cap, the human analysts are able to invest more of their time into higher-value projects, such as deploying new tools and technologies, conducting deeper investigations into incidents that have occurred, and strategizing for the ongoing continuous improvement of the program.

Would you like to achieve similar results in your own security operations program? Check out our customer stories to learn more about how other companies in your industry have leveraged the power of the Respond Analyst to improve efficiency, reduce risks, and accelerate their programs’ progress. Or contact us to schedule a free demonstration today.