In the age of big data, it is easy to think that only machines can detect a signal amid the noise. While it’s true that big data tools can discover signals that might not be obvious, they can also create their own kind of noise in which the true signal — a true threat — can be lost.
That’s a problem anyone dealing with traditional security monitoring systems over the past few years has come to recognize. Threat detection systems have become extremely good at detecting anything that looks anomalous but, as the number of detected anomalies keeps going up, the number of actual threats is still a small fraction of those. Research indicates that less than 1% of reported anomalies represented actual threats and figuring out which detected threats constitute those dangerous few is exhausting, anxiety-inducing work.
The need for human, contextualized intelligence
What security professionals suffering from alert fatigue need is threat intelligence that has already been vetted and contextualized by human beings. Big data and AI tools provide an abundance of data and they can identify events and activities of concern, but most security professionals within an enterprise have neither the training nor the time to make sense of the raw information. They need threat intelligence that has already been sifted, analyzed and contextualized, a “finished intelligence” that is “actionable” to their organizations.
That’s where human intelligence professionals and threat hunting teams come into play. These professionals detect a different kind of threat than those detected by big data and AI tools. If machine tools excel at detecting individual trees, human intelligence professionals excel at understanding the character of the forest.
They can detect code phrases and double meanings in dark web conversations that machine tools may not detect (until they’ve been trained to do so). They can consider the motives of threat actors and the connections that bind them. They can examine the actions of these actors, even actions that are ostensibly benign, and occasionally detect a plan in those activities long before a machine can detect an exploit resulting from those actions.
Augmenting intelligence for a more focused response
I’m not suggesting that human intelligence professionals and threat hunting teams replace the monitoring and detection systems. Instead, they can augment and enhance the raw intelligence captured by these powerful machine tools. Human intelligence teams can bring insight to the interpretation of raw intelligence that no machine can. They can connect clues with the glue of experience and contextual understanding, which no machine yet does.
The challenge of acting on augmented intelligence
There’s one problem with gaining access to this kind of augmented intelligence: few organizations are in a position to use it effectively. The defensive infrastructure of most organizations is still cluttered with old walls erected to stop older threats, and the work of tuning those defenses remains a serious challenge.
Security personnel within an organization need deeper insight into the hardware, software and services informing the organization’s infrastructure. Finished intelligence is going to provide much more focused information about which organizations are at risk, at which points of vulnerability, and for what reason. A new threat may take advantage of a vulnerability in firmware on a certain class of IoT device, for example, but a security team can only act upon that information if they know that they have those devices in their IoT estate and at what release level their firmware is.
What enterprise security professionals need is a way to operationalize this finished threat intelligence. They need tools that can provide deep insight into the hardware, software and processes informing the operational ecosystem of the enterprise, including its endpoints, networks, clouds, IoT devices, supply chains and more. Moreover, they need tools that can enable them to make changes to any element in that ecosystem in a streamlined and orchestrated manner.
Better threat intelligence creates an opportunity for an enterprise to mount a proactive cyber defense, but without an ability to operationalize that threat intelligence, the enterprise may not be able to launch the defense effectively in advance of the impending attack. With tools to operationalize this threat information, an organization can respond quickly and effectively to protect its people, data and processes — even its brand and reputation — from any emerging cyber threat.
An intelligence-driven approach to cyber threats requires movement on two fronts simultaneously.
We need to continue to gather and analyze threat data aggressively. Finished intelligence that has been vetted and contextualized by human intelligence experts and threat hunting teams can be passed on to the security professionals within an organization. The latter can then proactively implement the appropriate precautions to protect the enterprise against the real threats in the environment.