The potential for cybersecurity threats to cause serious damage to any organization, anywhere, calls for innovative countermeasures. But given how quickly these threats change and evolve, last year’s top-tier threat detection won’t cut it today.
Through machine learning, security systems can learn from data over time to become better at pattern recognition and identify threats more accurately. This can take the form of machine learning in analytics engines that are used to identify threats (so, learning from the system’s own experience) or machine learning from threat hunting by humans who look for and analyze anomalies missed by security software.
Human security analysts will always be needed for their comprehensive and grounded understanding of security contexts and priorities, and to make critical decisions in ambiguous circumstances. Automation can then also be applied to streamline the threat-hunting processes, freeing up human analysts to focus on critical events and removing repetitive, menial tasks from their duties.
We interviewed three security experts to gather their views on this approach:
- Daria Leshchenko, CEO and Partner at SupportYourApp
- Bohdan Tsys, DevOps Engineer at Krusche & Company (K&C)
- Stanley Bezuidenhout, Forensic Specialist at IBF Investigations
Here are their perspectives.
Threat detection and the need for automation
Most cybersecurity incidents involve inadequate protection and aren’t necessarily caused by the failure of technology or security systems. This doesn’t mean that human operators must be removed from the chain of threat detection and elimination, though. In fact, detection technology continues to improve, assisting humans in identifying and validating threats.
A great example of this is managed detection and response (MDR) – a service that combines human expertise and automated systems to find, monitor and eliminate threats.
What is managed detection and response?
According to the experts we interviewed, MDR is one of the best cybersecurity tools available today, as it allows organizations to get ahead of cybersecurity threats that may cause expensive and potentially catastrophic damage.
MDR uses “threat hunting” to quickly identify threats to minimize their impact. It automatically collects and identifies actual or possible cybersecurity incidents in a system, analyzes them, then distinguishes between the least likely, most benign threats and the most legitimate and potentially consequential alerts.
Helping humans understand and respond to threats
In addition to a detailed, actionable list of potential threats, MDR provides context on these threats to help security personnel understand how they should be handled. It can also provide a guided response plan with specific suggestions to remediate real or potential threats. These can include basic suggestions to isolate certain systems or more sophisticated directions on how to eliminate threats, going as far as recovering from a potential cyberbreach.
Should a cyberincident occur, returning the system to its original state is necessary for cybersecurity systems to keep operating properly – and MDR can provide guidance on this part of the process too.
“MDR provides Tier 1 support for the collection and identification of incidents and possible incidents, weeds out all false positives and notifies corporate security departments about issues in their systems. In case any issues are detected, a corporate security representative opens an incident ticket and works on resolving them.” – Daria Leshchenko, SupportYourApp
“The process of MDR is simple. The first step is to list the most common and likely potential problems you could experience. Then, if a problem occurs, the person responsible for the response should consider its severity and system impact – and solve the problem, if possible. If the problem is unsolvable by a response engineer, it should be escalated. Also, the list of problems usually grows over time as rare or less obvious issues not on the original list become apparent.” – Bohdan Tsys, K&C
“In any MDR environment, a mass of data has to flow via the detection modulus through the recognition algorithms toward the analysis engine, leading to the funneling of relevant (target) data. If the MDR design is robust, the relevant data will be mined from the data flow and classified in the following order: attention, alert, analysis and action. In a perfect world, the MDR is predicated upon a self-learning AI model, designed to provide the user with a subset of tools that simplify, accelerate or isolate key data elements.” – Stanley Bezuidenhout, IBF Investigations
Teaching automated systems to navigate the threat landscape
In the field of cybersecurity, once the domain of human operators alone, a combination of technology and human insight is now needed to detect and remediate threats. Using only automated systems leaves organizations vulnerable to threats that have learned to avoid detection, and using only human operators doesn’t provide the level of cybersecurity needed to catch and eliminate threats before they cause damage.
Human operators play a pivotal role in fine-tuning automated systems. They provide new rules and operational procedures that help these systems to navigate the threat landscape. This level of collaboration ensures that automated systems keep pace with the changing threat landscape and can properly analyze incoming data streams for known and possible threats, all of which will be flagged and sent to a human operative.
“A human operator plays the role of a teacher and auditor for automated systems, as well as that of an analyst and psychologist to develop new rules and teach these systems how to analyze incoming data and select the data that can signify a threat.” – Daria Leshchenko, SupportYourApp
“I think that better alert systems and alert-detection times are key to better collaboration between automated systems and human operators.” – Bohdan Tsys, K&C
“For the interaction between humans and automation to be effective, the interaction modules need to be designed to ensure maximum human comfort, familiarity and acceptance. Human operators are prone to fatigue, inattentional blindness, repetitive strain injuries and a variety of other conditions. The design philosophy should start at the end station, with a complete understanding of the procedural, cognitive, ergonomic and process designs the human counterpart has already adopted.” – Stanley Bezuidenhout, IBF Investigations
Modern technology and techniques
Using modern technology and techniques is the only way to manage cybersecurity systems properly and effectively. Combining these tools with the ingenuity of human operators can create robust, resilient and adaptable cybersecurity systems.
How does this approach support cybersecurity efforts?
1. Speed: Cybersecurity programs can be rendered useless if they are not fast enough to act in a decisive and concise way. In some industries, the speed with which their threat-detection programs can detect and remove threats is critical to their operations. To optimize this, human expertise should be combined with specially designed automated systems to flag, isolate and nullify cyberthreats promptly.
2. Volume: Adding automated systems exponentially increases the efficacy of human operators. The human element of a cybersecurity program, if unaided by automated machine-learning systems, can seriously limit the number of events that can be processed simultaneously. Automated systems have the computing power to scan and evaluate large sets of data when evaluating cyberthreats.
3. Self-education: One of the most important aspects of machine learning and automated cybersecurity programs is their ability to self-improve rules for detecting threats. As human operators add elements to these automated programs, they create smarter and more effective threat-detection systems. The systems continue to evaluate the cyberenvironment and, as they detect and deal with threats, they can add criteria to their repertoire of potential threats and notify their human counterparts when these are present.
“There are three key capabilities and characteristics of the modern technologies that can be used to manage potential threats: speed (reaction time for an event), volume (the number of events that can be processed simultaneously) and self-education (the ability to self-improve rules for detecting threats).” – Daria Leshchenko, SupportYourApp
“Automated systems can detect problems better and faster than humans and can provide calculations and statistics.” – Bohdan Tsys, K&C
“By limiting the need for human interaction only to process, movement or failure states, automated systems can enhance their human counterparts. Like providing more eyes, ears or other senses, automated systems can empower human operators to detect anomalies, threats, failures or conditions that would typically demand unnatural cognitive commitment or that would fall outside of their natural abilities.” – Stanley Bezuidenhout, IBF Investigations
Using AI and machine learning to identify malicious activity
As these programs become more sophisticated, they can help to reduce the number of threats that need human intervention to mitigate or eliminate, freeing those resources to attend to higher-priority tasks.
Updating these programs gives human operators a way of increasing the effectiveness of their threat-mitigation systems while reducing the time needed to mitigate those threats. As their library of criteria that trigger a cybersecurity response grows, they become better equipped to deal with well-known cyberincidents without human intervention.
Ultimately, this means better use of human resources in the cybersecurity department and more effective threat detection and mitigation, as organizations are better able to adapt to ongoing changes in the cybersecurity landscape.
“Although AI and machine learning are very helpful, at this point they are used for handling routine identification and analysis events, with further investigation done by a human. At the same time, there is a growing number of rules, created by well-known events, which are proven to be security threats. Those rules would trigger an automated response of mitigating or eliminating actions against identified threats.” – Daria Leshchenko, SupportYourApp
“AI and machine-learning models can access and process huge volumes of information and data – and I mean huge. Aside from detecting a problem or providing calculations or statistics, these models can also suggest possible solutions to engineers.” – Bohdan Tsys, K&C
“Humans need to stay informed and updated on AI and machine-learning technologies. They should aspire to early adoption and understanding how AI and machine learning can enhance their abilities. Being fearful or suspicious of – or resistant to – AI and machine learning will simply result in the human operator being ‘left behind’ and trapped in the technology generation gap that becomes ever more difficult to traverse the longer they wait.” – Stanley Bezuidenhout, IBF Investigations
How we’re bridging the gap
As cyberthreats continue to evolve, so does the need for integration between automated threat-detection systems and human operators. These systems can shoulder the burden of mitigating and removing well-known threats, leaving humans to focus on eliminating more dynamic threats.
Elevated collaboration between operators and automated systems will create a safer and more effective cybersecurity ecosystem, protecting an organization’s assets and programs against ongoing cyberthreats.
However, putting cybersecurity measures in place without an understanding of potential gaps is likely to undermine the strength of your security. Automate only where it makes sense, and keep it simple for ease of management.
Our Cybersecurity Advisory Services provide in-depth insights into your cybersecurity risks, enabling you to develop comprehensive cloud security programs.
WHAT TO DO NEXT
Read more about NTT’s Managed Security Services.