Vulnerabilities / Threats
8/3/2017
10:30 AM
John Bruce
John Bruce
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Why Cybersecurity Needs a Human in the Loop

It's no longer comparable to Kasparov versus Deep Blue. When security teams use AI, it's like Kasparov consulting with Deep Blue before deciding on his next move.

A typical cybersecurity analyst is never short of work, a lot of which can be futile. According to a 2015 Ponemon Institute study, by the end of the year the average security operations center has spent around 20,000 hours just on chasing alerts that prove to be false alarms. Traditional security systems generate a lot of noise that needs to be waded through, which creates even more work. At the same time, a vast pool of security information is published across multiple media in natural languages that can't be quickly processed and leveraged by these systems.

Cognitive security, or artificial intelligence, can "understand" natural language, and is a logical and necessary next step to take advantage of this increasingly massive corpus of intelligence that exists. These solutions, which have recently come into the market from a number of vendors including IBM Resilient, can be effective in all functions of cybersecurity, but perhaps none more so than in the response phase. Here the key metric is how quickly your team can mitigate the threat and get back to normal operations. Pairing humans and cognitive security solutions will help make sense of all this data with speed and precision, accomplishing response in a fraction of the time.  

But using cognitive solutions is not about man vs. machine. To borrow from an earlier era of artificial intelligence, it's not as much Kasparov vs. Deep Blue as it is Kasparov consulting with Deep Blue before deciding on his next move against an unknown opponent. Defense works best when people and machine work together.

There are three fundamental reasons why this is true, especially when responding to a cyber incident:

  1. Level playing field: Cyber attacks and their breaches aren't executed by technology; they're the work of human beings. Therefore, it's good business sense to level the playing field by having real humans on the other side of this. It's even been referred to as "hand-to-hand combat." This symbiosis between cognitive technology and human being is crucial and will ensure your organization is best equipped to respond.
  2. Information curation: While cognitive solutions can process information in nanoseconds and make key suggestions, not all information is relevant. Systems need to accept input from the analyst to set the broader context of an incident. They also need to be able to describe and document their findings and remediation steps and rank the information, Spotify-style, to separate what was relevant from any red herrings. This all helps to inform the next suggested response.
  3. Risk of false positives: The cost of a cyber attack is well researched, but the cost of a false positive is more elusive. Consider a penetration test: an automated incident response system may see what looks like an attack on the database and shut it down. This kind of decision is a high-stakes scenario that needs a human in the loop.

AI-Assisted Incident Response & the Skills Shortage
Another key benefit: atificial intelligence will help address the talent management issue of "infosec burnout." One analyst who documented how long it takes to fill open senior-level security positions theorizes that people bail early in their security careers after getting a taste of what the job is all about. Stress in this job is real but can be reduced if analysts work at a more strategic level by curating, not just reacting, and by consulting with a cognitive system that can share what others have done. 

In the face of an increasingly hostile environment, keeping humans in the loop and backing them up with a data-rich cognitive system is what will give businesses their best shot.

Related Content:

 

John Bruce is a seasoned executive with a successful track record of building companies that deliver innovative customer solutions, particularly in security products and services. Previously chairman and CEO of Quickcomm, an Inc. 500 international company headquartered in New ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Hadar Blutrich
50%
50%
Hadar Blutrich,
User Rank: Apprentice
8/6/2017 | 8:31:55 AM
Despite Bob and Alice, we still need humans :)
Great article, I completely agree that human presence and management is a must despite advances in the AI field.

Perhaps in a few years, this will change (considering Bob and Alice new language), but so far, we are still needed in the chain :)
ChannelSOC
50%
50%
ChannelSOC,
User Rank: Apprentice
8/5/2017 | 8:13:58 AM
Systems to most of the work
Great article!  I like how you are pointing out that humans still need to be in the fold.  Automation, Artificial Intelligence (AI), scripting, algorithms, big data or whatever the latest buzz word is on systems doing the work, there still needs to someone (humans) digging a bit deeper, responding to certain events, speaking to executives, writing reports, etc.  We all know that computers can be hacked or tricked and it is really up to trained professionals to provide that additional expertise and knowledge.  At www.ChannelSOC.com our business model is based on the human eye with the systems and the rules behind them doing most of the work.  We are not giving up totally on the human expertise, we still have a long way to go before we are completely replaced! @CSOCTeam
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Darn - typed UNICORN instead of UNICODE.  
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.