For those who enjoy a good cup of coffee, many would surely choose a barista-made brew rather than take their chances with a vending machine. Automation, so the argument goes, is not a panacea.
This coffee analogy is often brought out in debates about the emergence of security automation and the limits that AI and machine learning must surpass before humans are no longer needed.
At a high level, this seems valid. Machines are labor-saving, and that’s vitally important when cyber skills are scarce and data growth so overwhelming. This is the reasoning behind the combination of playbooks and automation for incident response. Automation prevents expensive and overworked security analysts from endless admin that keeps them from delivering true value. Playbooks enable a ready-made response to recognized threat scenarios, ensuring best practice is applied and resources optimized.
But playbooks can often lead to disappointing results, particularly given the time it takes to design, test and deploy the most robust possible set of defensive moves. And if they become too static, playbooks are also at the mercy of a rapidly changing threat landscape and emerging forms of attack. The last thing you want is to act upon irrelevant or out-of-date information. That’s what the coffee analogy teaches us: machines can only do so much by themselves, and it is people who are fundamentally better at getting a job done well.
But look more closely and, like most analogies, there is one fatal flaw. The match-up between human barista and automated machine simply isn’t a fair comparison. Vending machines are only restocked with ingredients when supplies run low, while baristas are constantly grinding new beans and pouring fridge-fresh milk for every serving. The vending machine is at an immediate disadvantage. Things couldn’t be more different in the field of threat intelligence.
Freshness is everything
In threat intelligence (TI), freshness is everything. Fresh data is typically the most valuable, reflecting the nearest-to-present state possible of incoming and arising threats, rather than a historic point in time. By contrast, acting upon stale threat insights is worse than sipping from a stale cup of coffee; it totally undermines the purpose of threat intelligence.
Automation can make all the difference to the freshness of threat data. A TI service that harnesses a multitude of algorithm-driven sensors, crawlers, sinkholes and honeypots can massively expand the discovery and categorization of threat data, and sift through it all to detect anomalous activity.
Acting fast is vital, but it isn’t enough to just throw automation at the entire TI challenge. The perfect blend combines rapid, large-scale initial gathering and analysis by machines, which then hand off to their human teammates to apply strategic intellect while the data is still fresh.
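One way to make the "freshness" and hand-off ideas above concrete, as an added example that is not Blueliv’s code or any description of its platform: each automated sighting is decayed by its age using an assumed per-type half-life, sightings of the same indicator from several collectors are corroborated with a noisy-OR, and the combined score routes the indicator either to direct automated action, to an analyst queue while it is still fresh, or to the bin. The half-lives, thresholds, collector names and the feed itself are constructed for illustration (reserved RFC 5737/RFC 2606 values and a dummy hash, not real IoCs).

```python
"""Freshness-weighted triage of threat indicators (added example, not Blueliv code).

Assumptions (not from the original post): exponential decay with a per-type
half-life, noisy-OR combination of independent sources, and fixed thresholds.
All indicator values below are constructed from reserved ranges and a dummy
hash; they are not real IoCs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed half-lives in hours: how quickly a sighting loses relevance by type.
HALF_LIFE_HOURS = {"ip": 24.0, "domain": 72.0, "hash": 24.0 * 30}
DEFAULT_HALF_LIFE_HOURS = 48.0


@dataclass(frozen=True)
class Sighting:
    value: str           # the indicator itself
    kind: str            # "ip", "domain", "hash", ...
    source: str          # which automated collector reported it (hypothetical names)
    last_seen: datetime  # when the collector last observed it (UTC)
    confidence: float    # collector's own confidence, 0..1


def freshness_score(s: Sighting, now: datetime) -> float:
    """Decay the collector's confidence by the age of the sighting."""
    age_hours = max((now - s.last_seen).total_seconds() / 3600.0, 0.0)
    half_life = HALF_LIFE_HOURS.get(s.kind, DEFAULT_HALF_LIFE_HOURS)
    return s.confidence * 0.5 ** (age_hours / half_life)


def combine_scores(scores) -> float:
    """Noisy-OR: several independent fresh sightings corroborate each other."""
    miss = 1.0
    for sc in scores:
        miss *= 1.0 - sc
    return 1.0 - miss


def triage(sightings, now, act_threshold=0.7, review_threshold=0.3):
    """Route each distinct indicator to automation ("act"), an analyst
    ("review") or the bin ("discard"), keyed by indicator value."""
    per_indicator = {}
    for s in sightings:
        per_indicator.setdefault((s.kind, s.value), []).append(freshness_score(s, now))
    routed = {"act": {}, "review": {}, "discard": {}}
    for (_kind, value), scores in per_indicator.items():
        score = round(combine_scores(scores), 4)
        if score >= act_threshold:
            routed["act"][value] = score
        elif score >= review_threshold:
            routed["review"][value] = score
        else:
            routed["discard"][value] = score
    return routed


# Constructed feed; NOW is pinned so the example is deterministic.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_FEED = [
    # Same IP seen fresh by two collectors: corroboration pushes it to "act".
    Sighting("203.0.113.5", "ip", "honeypot", NOW - timedelta(hours=2), 0.8),
    Sighting("203.0.113.5", "ip", "sinkhole", NOW - timedelta(hours=6), 0.6),
    # Two-day-old domain from one crawler: still worth an analyst's eyes.
    Sighting("malicious.example", "domain", "crawler", NOW - timedelta(hours=48), 0.6),
    # High original confidence, but 20 days stale for an IP: discard.
    Sighting("198.51.100.7", "ip", "crawler", NOW - timedelta(days=20), 0.9),
    # File hashes age slowly, so a 10-day-old sandbox verdict still acts.
    Sighting("aa" * 32, "hash", "sandbox", NOW - timedelta(days=10), 0.9),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FEED, NOW).items():
        for value, score in items.items():
            print(f"{bucket:8} {score:.3f} {value}")
```

The point of the routing is the middle bucket: an indicator that is fresh but not yet corroborated is exactly what the text says should reach a human while it still matters, rather than being auto-blocked on thin evidence or left to go stale in a queue.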
Covering all the right sources, applying the right processing and sharing the right information are all very important. Think how cybercriminals think: machines (e.g. botnets) for the heavy lifting and a sprinkling of human intervention to execute as successfully as possible.
When you evaluate potential TI providers, it’s worth taking a look at their humans as well as their technology. Who are the engineers developing the platform customers use, and who are the analysts who add valuable context and insights into the TI customers receive? Both are very important, and at some providers the same people may be involved in both engineering and threat analysis disciplines.
Leveraging automation while simultaneously injecting human expertise – at the right point and to the appropriate level – is the key to providing a superior level of TI accuracy and timing. You want to see teams of experienced people adding value to create the highest quality, freshest TI that you can act upon directly.
Getting that balance right is also essential to delivering a good TI service at a competitive cost. If not enough automation is employed, then the cost of too much human analysis added to your TI will inevitably be priced in, creating an overly expensive service. Not enough human intervention (and too much automation) may result in a cheaper proposition, but arguably a lower standard.
At Blueliv, our analyst, research and reverse-engineering team is known collectively as ‘Labs’. They provide additional tactical and strategic context to threats, discover new data sources and botnets, author unique research and deliver on-demand threat insight and detailed analysis to support individual customers and the cyber community as a whole.
Some are working on patent-pending machine learning technologies and pioneering NLP entity extraction techniques.
Wake Up and Smell the Coffee
The increasing complexity and variety of threats has led to an information avalanche that is placing increased pressure on security teams, who are already poorly resourced.
But you simply can’t have effective TI without humans, at least not yet. Humans don’t just apply structured analytical techniques and draw on their experience – machines are able to do this too. Uniquely, humans can break the mould and think outside the box. When it comes down to it, they are uniquely equipped to communicate outside the workflow and to understand and prioritize many layers of context that machines simply wouldn’t identify. Finally, and critically, they can weigh up consequences and take appropriate risks in a way that business leaders would not be happy to entrust to a machine.
Great threat intelligence is the product of machine and human in perfect harmony. Over-reliance on playbooks and automation doesn’t deliver maximum benefits, while over-reliance on people will break the investment case through sheer inefficiency.
It’s time to wake up and smell the coffee: TI automation isn’t the end game. It’s just one part of a broader solution approach requiring people, process and technology.