Interesting Article - Open Community Model
→ "And if those of us in security can't understand how something works, and how to apply it to what we do, why on earth would we trust it? Interesting, I would beg to differ, do we really know how a TV works, Refrigerator or even the concepts of an alternator. Let's look at it from what companies are using every day, "Cloud Computing". It was adopted just like the "Smart Phone", people use the "Smart Phone" and the "Cloud Services" but they don't understand its underpinnings. So even from a security perspective, people often use what they feel comfortable with and don't take the time to explore better alternatives. For example, Juniper or Cisco are companies that provided major security products in the security field, their solutions work but did individuals understand that Juniper created its security platforms from FreeBSD (opensource) and Cisco developed its platform from Linux (opensource). Often, we use things because of overall social acceptance and not because it is the best. If that were the case, then why didn't the US move towards IPv6 when it initially came out, if we are looking at things from a security perspective IPv6 provides IPSEC AES256 ESP/AH VPN capability, tunnelling, 17 quintillion addresses, no man in the middle attacks and improved efficiency. IPv6 uses uses a hexadecimal numbering scheme where computers can interpret the key string much more effectively than IPv4, this protocol is 10 times more secure and are currently being made more secure than IPv4.
→ We don't need to be told why to use a hammer. We need to be told how.
Again, I would disagree, I think we need both, to determine the direction and use of a product one must clearly understand its use and outcome. The "how" will come with training (you had mentioned this in your commentary), the "why" and "for what" will follow when we have a clear understanding of the applications intentions so we can narrow down the focus for improved performance and security (understand the entire stack so there is no confusion as to the proposed outcome, if the outcome does not result from your expectations, then you can make adjustments so that the outcome is inline with your intended expectations).
→ The analyst knows how to write rules to prevent a specific tactic or technique from being used again, but he cannot detect the patterns to proactively hunt threats because one does not have the models to dynamically assess data as it arrives...Start with simple data counts, look at frequency and standard deviations
Interesting assumption, I think in this section, the concept of SIEM, Security Analytics tools and various Security frameworks effectively address this area of concern. From McAfee Nitro, Cisco Sourcefire, IBM Qradar, Splunk and others provide this capability where you stated security analysts are not able to derive patterns in an attacker/actor's behavior (this is just not true, it is not the just the attack, but amount of data that results from the event or prior to, a company called Gigamon is addressing this area). In addition, from a historical perspective, large amounts of data are correlated where relationships can and are being developed, pinpointing attack vectors, and analytics using a decentralized model to create a picture for individuals is being derived to create an attack profile. In addition, companies like Extrahop, Virtual Instruments , Dynatrace, AppDynamics and Extremenetworks (Netsight Atlas) are able to pin-point infrastructure weaknesses in the application environment and infrastructure arena. To help identify a possible and/or impending threat, we need to be able to amass this information in a way where we take "Big Data", ML, SIEM and baselining techniques to determine where anomalies arise (companies like DomainTools, InfoBlox and BlueVector gives users the ability to create analytics using IP, traffic patterns and rouge DNS sites to create patterns from sites that had been identified as being nefarious, we can block countries from a single mouse click, not sure why more organizations are not employing this technology but again, it does not seem to be socially accepted, to the point made earlier).
→ Analysts helping other analysts — for the good of the community, for the good of enterprises — is common. It is very easy to detect a pattern here. All doors lead to open source.
Where I do agree with sharing information to make organizations better, it is not just open-source, it is more about people than anything, it is an "Open-Community" model (Palo Alto Networks, Symantec, IBM, Cisco, Juniper - https://www.weforum.org/agenda/archive/cyber-security/). Where thoughts are brought to the forefront and people incorporate their ideas into one framework, the problem is that we are flawed in our thinking (greed, envy keep us back), when one organization feels they are eating less than someone else on the board, then they don't want to play anymore. It really comes down to human nature and the basic ideals of life. You have to ask yourself, why is it that China, Russia, Iran, Iraq, Africa, Pakistan all have a problem with America (other than the bad deals, mass incarceration and murders)? It is about resources and the quality of life. And you have to ask yourself, why do hackers do what they do (respect, money, prestige, political statement, and control). Once we address these problems and start being honest with one another, the world, at that point we can reduce the emphasis on money/power and redirect that value on human life (Gold), then we could start taking the blinders off to reveal the beauty that each one of us brings.