Threat Detection Scientist: The Critical New Role in Security Automation

by Alexa Rzasa
Category: Perspective

Up until recently, being a “Detection Person” meant being a security analyst who could pull packets apart in meaningful ways. It meant someone who understood biases in decision making and knew specific ways to correct for them (see Richards Heuer).

Being a detection person also meant:

  • Consuming large and continuous amounts of information
  • Processing it in different ways
  • Getting it right more often than not (which was really hard).

Of course, those of us who have held this role know exactly how much time is needed to pull those packets apart given the size of the problem. That time requirement is precisely why that level of analysis has rapidly become forensic rather than diagnostic.

The packet ninja as taught by Stephen Northcutt or Johannes Ullrich practiced a black art deep in the depths of a system log file or a tcpdump flag. To put this into context, the detection person sits between all of your expensive security technologies (IDS and firewalls, for example) and your incident response team. The detection person decides whether a series of circumstances is truly malicious and actionable, and wakes people up to tell them. In many cases, the solution came from hunches, curiosity, luck and a ton of RSS reading. Those days are gone.

Staying hyper-current is now the daily modus operandi (which sounds a little obvious). Instead of black magic, we need more math and science. That means measurement, hypothesis, and testing. Now that event triage and traditional security analysis can be automated, you can focus on detecting novel attack techniques and immediately automating their continued detection. The person who will make this happen is not a security analyst nor a data scientist, but something in-between — a detection scientist.

Understanding the haystack and finding smaller and smaller needles is a central problem in information security today. Unfortunately, this analogy also includes finding specific pieces of bad hay. The event funnel is the status quo, and it isn’t working. So, the best path forward is applying hard science to detection.

Science that makes sense for detection includes everything from metrics, data visualization and statistics up to and including advanced artificial intelligence. Clearly, there are a lot of buzzwords here, but all are still useful when applied appropriately to the detriment of the bad guys. With detection science, the hunt is on!