Dark Reading is part of the Informa Tech Division of Informa PLC



01:00 PM
Nathan Burke

In A World With Automation, Where Does Human Intelligence Fit In?

For all the talk about robots taking over jobs, there are still important roles for humans in incident response workflows of the not-too-distant future. Here are three.

Countless articles have been written about the massive increase in alert volume from detection systems - and the resulting drain on scarce security personnel. The good news is that as automation begins to play a stronger role in incident response, the dynamic is shifting. Companies now need to prepare for a world where 99% of time spent investigating and following up on alerts is given back to them. What is the best use of your newly found time and resources? Let’s consider three possibilities.  

Process and Methodology
When was the last time you reviewed your security policy? It’s a loaded question, but many companies go years without reviewing and changing policies that too quickly become obsolete, given how fast vectors and methods of attack evolve. Key questions to consider when reviewing security policy include:

  • Are we set up for constant improvement? A security policy can’t be written in stone; it must allow for continuous change for improvement. Do you have a process that lets your security policy match the fluid nature of threats?
  • Are we reactive or proactive? While many companies struggle to react to the volume of threats and alerts they see daily, security policy should be forward-looking, anticipating what’s coming to prescribe a proper course of action before new threats happen.
  • How can security policy be more business-oriented? The idea of simply locking down everything is as quaint as it is impossible. The speed of business, the need for real-time collaboration, and the hyper-connected nature of how people work require us to strike a balance between security and risk. Security has to be a business enabler, not an inhibitor.
  • What are we doing wrong? The ability to recognize weaknesses may seem like calling your own baby ugly, but moving past the emotional defense and becoming an objective observer is the only way forward.

What’s Falling Through the Cracks?
When a company implements automated solutions, they can do away with much of the manual work of investigating alerts and remediating threats. But automation will never be able to do 100% of the work. Here’s what security teams need to take on:

  • Double-check your automated processes. Randomly check for anything you may have missed. For example, if a new threat type isn’t accounted for in your detection or response processes, you’ll need to address it. If you discover something, update the process and keep improving.
  • Validate what you find. Look at what your automated systems have identified and remediated, then try to understand why the incident made it through your defenses in the first place. Fixing an issue automatically is great, but understanding why it happened and correcting the problem is the Holy Grail.
  • Hunt! So far, we’ve only touched on dealing with inbound threats, but why not focus on proactive threat hunting? For more on that topic, read Cyber Hunters, Incident Response & The Changing Nature Of Network Defense.

Customize Detection Mechanisms
When companies lack the resources to follow up on alerts, they often tune their detection systems to match their capacity. But in a largely automated scenario, you now have the luxury to:

  • Recalibrate your detection systems. When you no longer need to filter out low-level alerts or false positives, you can open the floodgates. If you’re no longer dependent on people to investigate alerts, you can get the full value out of your investment in detection solutions by handing all of your alerts (no matter the volume or score) to your automated system.
  • Rethink prioritization and make sure it’s needed. Prioritization is the conscious decision to ignore things based on a score. Reconsider what you aren’t paying attention to now that you should be, given your new capacity and automated capabilities.
  • Look at what you’ve paid for but don’t use. We’ve all bought tools that are either sitting on the shelf or not fully implemented. What do you have that could bolster your security posture if you had the time to set it up?

In a security environment leveraging automation, there will always be tasks that are better suited for a human than a machine, and vice versa. By shifting security teams’ focus to these higher-level tasks, we will make much better use of our human intelligence to combat the ever-increasing cyber threat.


Nathan has written extensively about the intersection of collaboration and security, focusing on how businesses can keep information safe while accelerating the pace of sharing and collaborative action. For 10 years, Nathan has taken on marketing leadership roles in ...