Cybersecurity Analysis Is Tricky
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Most mid-to-large companies have dozens of security point solutions, and all of them generate tens of thousands of “events” every day. And every day, a team of security analysts is tasked with sorting through all of this data clutter in an effort to find something harmful amid the junk.
Not only is this a daunting process, it also seems strangely nineties-ish. Is this really what we want our security analysts doing all day long? I mean, how about that for a job description? And we wonder why we can’t hire enough of these people.
Ponemon says that in a typical week the average company receives 17,000 malware alerts. The same average company employs between three and five full-time security analysts. This means that each analyst is reviewing between 3,000 and 5,000 alerts each week, or 600 to 1,000 per day. I won’t do the rest of the math for you, but I refuse to believe that anyone can successfully separate real threats from false positives in 30 to 48 seconds, hour after hour, day after day, week ….
In addition to the obvious, there are at least three problems with this job.
One is boredom. That condition presages complacency, and complacency leads to crappy performance and attrition, or worse. Worse would be the employee remaining in the job forever. Have you been to the DMV lately? How would you like those guys to be your last line of defense?
The second problem is bandwidth. Instead of decreasing over time, the event volume increases as the noise from brute force and targeted attacks soars. So instead of a 30-second review, soon our average security analyst will be doing 5-second reviews. Even now at 30 seconds, I can guarantee that key steps are ignored and investigations are rushed. Solution? Go get more budget to hire more security analysts.
Sorry. Wrong answer. Thanks for playing.
The third is the big one: cognitive bias. And the bad guys know this well. This is why they constantly shift data patterns to avoid the anchor observations of the analysts. Anchor observations are the foundational element in decision making by doctors, juries, stock traders and anyone who is driven by deductive reasoning. It works this way: first, draft a hypothesis based on some set of observations; then look for evidence supporting that hypothesis. Every one of us does this all day long.
A companion of cognitive bias is availability. This is our decided tendency to overestimate the likelihood of an event recurring when it was the most recent one or was characterized by the most interesting or unusual data points. This is also known as Bernoulli’s bunching theory: the likelihood of an event recurring diminishes as time lapses from the point of the most recent occurrence. What is available in our memory influences our heuristics as we apply reasoning to data analysis.
We also tend to overestimate the importance of directional runs, streaks, or clusters in observed data samples. This is why my father-in-law, an otherwise bright, educated, retired TWA pilot, insists on playing red and black at the roulette table now that the house routinely publishes the past landing results on a big board above the table. He believes that the likelihood of the ball landing on red increases the more it lands on black. This is of course exactly what the house wants him to believe.
This affliction is known as the clustering illusion, and security operations teams are frequently convinced that patterns exist when they in fact do not, which leads to an increase in false positives. Just like my father-in-law.
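As an added illustration, not part of the article: the script below puts numbers on the clustering illusion. It computes exactly how often a naive "k consecutive elevated hours" streak rule fires on independent, pattern-free alert volumes (each hour above or below its median with probability 0.5), and it checks the roulette belief empirically, showing that the chance of red after a run of blacks stays at one half. All inputs are constructed; nothing here is real SOC data.

```python
import random

def prob_streak(n, k, p=0.5):
    """Exact probability that n independent Bernoulli(p) trials contain a run
    of at least k consecutive successes (e.g. k straight 'elevated' hours)."""
    # dist[r] = probability that the current success run has length r (< k) and
    # no run of length k has occurred yet; reaching length k absorbs into "fired"
    dist = [0.0] * k
    dist[0] = 1.0
    for _ in range(n):
        nxt = [0.0] * k
        for r, pr in enumerate(dist):
            if pr == 0.0:
                continue
            nxt[0] += pr * (1.0 - p)       # a normal hour resets the run
            if r + 1 < k:
                nxt[r + 1] += pr * p       # an elevated hour extends the run
        dist = nxt
    return 1.0 - sum(dist)

def streak_rule_false_alarms(k, hours_per_year=8760, p=0.5):
    """Chance the rule fires on pure noise in a week and in a year, plus the
    expected number of distinct noise-only streaks of length >= k per year."""
    weekly = prob_streak(168, k, p)
    yearly = prob_streak(hours_per_year, k, p)
    # a maximal run can start at hour 1, or right after a normal hour
    expected_runs = p ** k + (hours_per_year - k) * (1.0 - p) * p ** k
    return weekly, yearly, expected_runs

def red_after_black_run(k, spins=200_000, seed=1):
    """Monte Carlo estimate of P(red | the previous k spins were black) on a
    fair red/black wheel (constructed data).  Independence keeps it at 0.5."""
    rng = random.Random(seed)
    run = hits = trials = 0
    for _ in range(spins):
        red = rng.random() < 0.5
        if run >= k:                       # the board shows k blacks in a row
            trials += 1
            hits += red
        run = 0 if red else run + 1
    return hits / trials

if __name__ == "__main__":
    for k in (4, 6, 8):
        w, y, runs = streak_rule_false_alarms(k)
        print(f"k={k}: P(fires in a week)={w:.2f} P(fires in a year)={y:.4f} "
              f"~{runs:.1f} noise-only streaks/year")
    print(f"P(red | 4 blacks in a row) ~ {red_after_black_run(4):.3f}")
```

A six-hour streak rule fires in most weeks on data with no attack in it at all; that is the clustering illusion turned into a false-positive generator.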
All of this cognitive overload results in extreme fatigue and a sort of inattentional blindness that causes many security analysts to miss what otherwise might be obvious critical signals of malicious events riding through in plain sight.
This is also why it is so difficult for unsupervised machine learning to successfully mimic the human heuristics involved with determining real threats from false positives. It is like replicating human decision making on digital meth.
So, what to do?
Instead of trying to make the jobs more interesting, narrowing the focus to specific threat categories, or the other organizational tactics some companies have tried, we really need to move away from a security operations process that relies on humans and toward an automated form of analytics that relies on machine-adaptive pattern recognition, or AI. Let’s replace human heuristics with pattern recognition engines driven by algorithms that can pivot in the face of pattern deceit, have no built-in bias and can process not just one event every 30 seconds but hundreds of thousands. After all, that is what the enemy will soon be doing, and our human security analysts will be completely overrun if they aren’t already.
I knew you would ask, and the answer is yes. We use a set of advanced algorithms to replicate the human heuristics in our SOC. We combine behavioral analysis, machine learning and dynamic threat intelligence to detect both known and unknown threats, and it works so well that we employ a very small security analytics team to investigate only true threats. It eliminates the white noise completely, and with it the need for extensive in-depth monitoring and analysis. The magic is not in the technology but in the algorithms underlying the pattern recognition software.
These algorithms are based on our human experience but, unlike, say, the work being done at MIT’s CSAIL or by companies that have licensed that technology, we don’t run a dedicated machine learning engine or think of what we do as artificial intelligence.
It is more like taking the “mind of Mary” and building her thought processes into pattern recognition technology. More of these platforms are emerging all the time, and I imagine that by this time next year, or in 2019, we will begin to see the end of the traditional SOC.
How successful have we been with this approach? None of our clients have ever been breached.
Scaled Abuse Specialist, YPP, YouTube Trust & Safety
7 years ago
"It is more like taking the “mind of Mary” and building her thought processes into pattern recognition technology." Are you referring to neural networks maybe?
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
7 years ago
What I meant and think I said was it is, "difficult for unsupervised machine learning to successfully mimic the human heuristics involved with determining real threats from false positives," but NOT impossible. The boundaries between good and bad ML are the ones that actually work. :-)
Great article, but I'm a little confused :). You say machine learning is not the solution (unsupervised) but you end by suggesting it is the solution (AI and pattern matching). What exactly is the boundary between good and bad ML?