Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/3/2017
10:30 AM
John Bruce
John Bruce
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Cybersecurity Needs a Human in the Loop

It's no longer comparable to Kasparov versus Deep Blue. When security teams use AI, it's like Kasparov consulting with Deep Blue before deciding on his next move.

A typical cybersecurity analyst is never short of work, a lot of which can be futile. According to a 2015 Ponemon Institute study, by the end of the year the average security operations center has spent around 20,000 hours just on chasing alerts that prove to be false alarms. Traditional security systems generate a lot of noise that needs to be waded through, which creates even more work. At the same time, a vast pool of security information is published across multiple media in natural languages that can't be quickly processed and leveraged by these systems.

Cognitive security, or artificial intelligence, can "understand" natural language, and is a logical and necessary next step to take advantage of this increasingly massive corpus of intelligence that exists. These solutions, which have recently come into the market from a number of vendors including IBM Resilient, can be effective in all functions of cybersecurity, but perhaps none more so than in the response phase. Here the key metric is how quickly your team can mitigate the threat and get back to normal operations. Pairing humans and cognitive security solutions will help make sense of all this data with speed and precision, accomplishing response in a fraction of the time.  

But using cognitive solutions is not about man vs. machine. To borrow from an earlier era of artificial intelligence, it's not as much Kasparov vs. Deep Blue as it is Kasparov consulting with Deep Blue before deciding on his next move against an unknown opponent. Defense works best when people and machine work together.

There are three fundamental reasons why this is true, especially when responding to a cyber incident:

  1. Level playing field: Cyber attacks and their breaches aren't executed by technology; they're the work of human beings. Therefore, it's good business sense to level the playing field by having real humans on the other side of this. It's even been referred to as "hand-to-hand combat." This symbiosis between cognitive technology and human being is crucial and will ensure your organization is best equipped to respond.
  2. Information curation: While cognitive solutions can process information in nanoseconds and make key suggestions, not all information is relevant. Systems need to accept input from the analyst to set the broader context of an incident. They also need to be able to describe and document their findings and remediation steps and rank the information, Spotify-style, to separate what was relevant from any red herrings. This all helps to inform the next suggested response.
  3. Risk of false positives: The cost of a cyber attack is well researched, but the cost of a false positive is more elusive. Consider a penetration test: an automated incident response system may see what looks like an attack on the database and shut it down. This kind of decision is a high-stakes scenario that needs a human in the loop.

AI-Assisted Incident Response & the Skills Shortage
Another key benefit: atificial intelligence will help address the talent management issue of "infosec burnout." One analyst who documented how long it takes to fill open senior-level security positions theorizes that people bail early in their security careers after getting a taste of what the job is all about. Stress in this job is real but can be reduced if analysts work at a more strategic level by curating, not just reacting, and by consulting with a cognitive system that can share what others have done. 

In the face of an increasingly hostile environment, keeping humans in the loop and backing them up with a data-rich cognitive system is what will give businesses their best shot.

Related Content:

 

John Bruce is a seasoned executive with a successful track record of building companies that deliver innovative customer solutions, particularly in security products and services. Previously chairman and CEO of Quickcomm, an Inc. 500 international company headquartered in New ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Hadar Blutrich
50%
50%
Hadar Blutrich,
User Rank: Apprentice
8/6/2017 | 8:31:55 AM
Despite Bob and Alice, we still need humans :)
Great article, I completely agree that human presence and management is a must despite advances in the AI field.

Perhaps in a few years, this will change (considering Bob and Alice new language), but so far, we are still needed in the chain :)
ChannelSOC
50%
50%
ChannelSOC,
User Rank: Apprentice
8/5/2017 | 8:13:58 AM
Systems to most of the work
Great article!  I like how you are pointing out that humans still need to be in the fold.  Automation, Artificial Intelligence (AI), scripting, algorithms, big data or whatever the latest buzz word is on systems doing the work, there still needs to someone (humans) digging a bit deeper, responding to certain events, speaking to executives, writing reports, etc.  We all know that computers can be hacked or tricked and it is really up to trained professionals to provide that additional expertise and knowledge.  At www.ChannelSOC.com our business model is based on the human eye with the systems and the rules behind them doing most of the work.  We are not giving up totally on the human expertise, we still have a long way to go before we are completely replaced! @CSOCTeam
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.