Vulnerabilities / Threats

8/3/2017
10:30 AM
John Bruce
John Bruce
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Cybersecurity Needs a Human in the Loop

It's no longer comparable to Kasparov versus Deep Blue. When security teams use AI, it's like Kasparov consulting with Deep Blue before deciding on his next move.

A typical cybersecurity analyst is never short of work, a lot of which can be futile. According to a 2015 Ponemon Institute study, by the end of the year the average security operations center has spent around 20,000 hours just on chasing alerts that prove to be false alarms. Traditional security systems generate a lot of noise that needs to be waded through, which creates even more work. At the same time, a vast pool of security information is published across multiple media in natural languages that can't be quickly processed and leveraged by these systems.

Cognitive security, or artificial intelligence, can "understand" natural language, and is a logical and necessary next step to take advantage of this increasingly massive corpus of intelligence that exists. These solutions, which have recently come into the market from a number of vendors including IBM Resilient, can be effective in all functions of cybersecurity, but perhaps none more so than in the response phase. Here the key metric is how quickly your team can mitigate the threat and get back to normal operations. Pairing humans and cognitive security solutions will help make sense of all this data with speed and precision, accomplishing response in a fraction of the time.  

But using cognitive solutions is not about man vs. machine. To borrow from an earlier era of artificial intelligence, it's not as much Kasparov vs. Deep Blue as it is Kasparov consulting with Deep Blue before deciding on his next move against an unknown opponent. Defense works best when people and machine work together.

There are three fundamental reasons why this is true, especially when responding to a cyber incident:

  1. Level playing field: Cyber attacks and their breaches aren't executed by technology; they're the work of human beings. Therefore, it's good business sense to level the playing field by having real humans on the other side of this. It's even been referred to as "hand-to-hand combat." This symbiosis between cognitive technology and human being is crucial and will ensure your organization is best equipped to respond.
  2. Information curation: While cognitive solutions can process information in nanoseconds and make key suggestions, not all information is relevant. Systems need to accept input from the analyst to set the broader context of an incident. They also need to be able to describe and document their findings and remediation steps and rank the information, Spotify-style, to separate what was relevant from any red herrings. This all helps to inform the next suggested response.
  3. Risk of false positives: The cost of a cyber attack is well researched, but the cost of a false positive is more elusive. Consider a penetration test: an automated incident response system may see what looks like an attack on the database and shut it down. This kind of decision is a high-stakes scenario that needs a human in the loop.

AI-Assisted Incident Response & the Skills Shortage
Another key benefit: atificial intelligence will help address the talent management issue of "infosec burnout." One analyst who documented how long it takes to fill open senior-level security positions theorizes that people bail early in their security careers after getting a taste of what the job is all about. Stress in this job is real but can be reduced if analysts work at a more strategic level by curating, not just reacting, and by consulting with a cognitive system that can share what others have done. 

In the face of an increasingly hostile environment, keeping humans in the loop and backing them up with a data-rich cognitive system is what will give businesses their best shot.

Related Content:

 

John Bruce is a seasoned executive with a successful track record of building companies that deliver innovative customer solutions, particularly in security products and services. Previously chairman and CEO of Quickcomm, an Inc. 500 international company headquartered in New ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Hadar Blutrich
50%
50%
Hadar Blutrich,
User Rank: Apprentice
8/6/2017 | 8:31:55 AM
Despite Bob and Alice, we still need humans :)
Great article, I completely agree that human presence and management is a must despite advances in the AI field.

Perhaps in a few years, this will change (considering Bob and Alice new language), but so far, we are still needed in the chain :)
ChannelSOC
50%
50%
ChannelSOC,
User Rank: Apprentice
8/5/2017 | 8:13:58 AM
Systems to most of the work
Great article!  I like how you are pointing out that humans still need to be in the fold.  Automation, Artificial Intelligence (AI), scripting, algorithms, big data or whatever the latest buzz word is on systems doing the work, there still needs to someone (humans) digging a bit deeper, responding to certain events, speaking to executives, writing reports, etc.  We all know that computers can be hacked or tricked and it is really up to trained professionals to provide that additional expertise and knowledge.  At www.ChannelSOC.com our business model is based on the human eye with the systems and the rules behind them doing most of the work.  We are not giving up totally on the human expertise, we still have a long way to go before we are completely replaced! @CSOCTeam
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
What's Cooking With Caleb Sima
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/12/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0243
PUBLISHED: 2018-07-19
Check_MK through 1.2.5i2p1 allows local users to read arbitrary files via a symlink attack to a file in /var/lib/check_mk_agent/job.
CVE-2014-2302
PUBLISHED: 2018-07-19
The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x before 6.3.8-s1 allows remote attackers to conduct PHP Object Injection attacks by intercepting a request to update.webedition.org.
CVE-2018-7602
PUBLISHED: 2018-07-19
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Rem...
CVE-2018-14332
PUBLISHED: 2018-07-19
An issue was discovered in Clementine Music Player 1.3.1. Clementine.exe is vulnerable to a user mode write access violation due to a NULL pointer dereference in the Init call in the MoodbarPipeline::NewPadCallback function in moodbar/moodbarpipeline.cpp. The vulnerability is triggered when the user...
CVE-2018-1529
PUBLISHED: 2018-07-19
IBM Rational DOORS Next Generation 5.0 through 5.0.2, 6.0 through 6.0.5 and IBM Rational Requirements Composer 5.0 through 5.0.2 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potential...