Owning the game in the security operations center (SOC)


The cat and mouse game we play in the SOC has changed. Just a few short years ago, it was impressive if we were managing a million security events a day. Fast forward a few years and we are now dealing with billions. As a result, investigations are taking longer than ever, false positives are at an all-time high, and, most importantly, real attacks are taking place while we exhaust ourselves trying to prioritize and understand precisely where to focus our efforts. We don’t need to change the game – we need to own it.

Fortunately, new strategies with a foundation in big data, machine learning, and artificial intelligence (AI) are changing the game for us. Leveraging big data to deal with the sheer volume of security data is not only the most economical choice; it also paves the way for streaming analytics that accelerate incident investigations. It enables threat hunting across massive amounts of data and dramatically improves the ability to perform real-time detection.

AI is making the already highly capable humans in the SOC even more capable. Deep learning can improve the overall ability to detect threats, allowing the humans to focus their efforts on understanding the real attacks and dramatically lowering the amount of time wasted on false positives. It is time to own this game of cat and mouse. What’s your next move?

Cyber Weapon Proliferation


Government-grade cyber weapons with dramatic real-world consequences, like STUXNET, not only exist but have long been feared by experts because of their ability to be acquired and repurposed by others. For example, a terrorist organization like ISIS, wielding a tool like STUXNET, could aim it at Western power grids or nuclear plants.

While STUXNET did leak unintentionally to the public through a bug in its propagation code and some misguided upload tests to services like VirusTotal, its risk was mitigated by the fact that the source code did not leak. Even in this circumstance the leaked weapon posed a real threat, as it was quickly reverse engineered and new concepts were taken from it, but it was still very difficult to repurpose or "weaponize" the tool to attack others. Fortunately, in the case of STUXNET, it was designed for one very specific purpose and thus its usage elsewhere was largely minimized. On the other hand, if the source code of a sophisticated cyber weapon ever leaked out to the public, it could allow any group, including a terrorist one, to quickly weaponize and use it at will, significantly raising the stakes to alarming levels.

The leaked-source-code scenario described above would be a security risk to all, and unfortunately, as of last week’s Shadow Brokers event leaking an NSA hacking toolset, this potential “doomsday” event is now a reality. For the first time ever, a government-grade (multi-million-dollar) cyber weapon has leaked in source code form to the general public, giving dangerous groups control of said weapon...

What has been the fallout since some of the tools leaked? What are the serious concerns of the leak? What shouldn’t we be concerned about in relation to this specific leak? Is this the cyber doomsday scenario experts have worried about?

The simple answer is: No.

Let me break down the “why” for readers, including what happened:

Last week a group calling itself The Shadow Brokers offered a leaked cache of files that most professionals confirmed to be authentic source code for NSA cyber weapons. Here is a no-nonsense evaluation of the leak and its potential risks:


The good news:

  • The leaked data is approximately 3 years old, which in cyber security terms is ancient: vulnerabilities are monitored closely, and software updates make older hacking tools less effective.
  • The tools are not destructive in nature; they are designed to give stealthy access to networks and are thus incapable of causing physical damage on their own.
  • The majority of the tools are purportedly still unavailable to the public.


The bad news:

  • Despite their age, at least 3 of the released tools are confirmed to still work and are hard to fix (they affect old versions of products that are widely deployed and hard to update and maintain).
  • The tools give “God-like” access to many very popular routers and firewall devices, giving whoever wields them full control of the network.
  • The tools could be turned into a destructive worm disabling thousands or hundreds of thousands of networks.
  • The tools could be used by almost anyone to “hack into” organizations or leak sensitive information, such as conversations or emails, from hundreds or thousands of organizations around the globe (this was, after all, the purpose of the tools).
  • More tools may be leaked, and that could happen very soon.
  • The tools are very simple to use, requiring very little technical sophistication to operate.


What do you think about Shadow Brokers and cyber weapons? Reach out to us @jasklabs on Twitter with your thoughts.

Article by Greg Martin, Co-Founder and CEO of JASK, a Silicon Valley-based startup building AI for cyber security. Follow him on Twitter: @gregcmartin

Built on the Backs of Junior Security Analysts

What’s your false positive rate? This was the most often asked question at this year’s Black Hat conference (2016), especially for anyone with even a scent of machine learning algorithms in their product. With the biggest issue facing the SOC being the inability to sift through thousands of alerts per day because of a shortage of staff, it doesn’t take a genius to arrive at the question of what it is going to cost in man-hours to sift through a new mousetrap’s false positives. How many more junior analysts do I need to add to my team to watch over my box?

In the last five years I’ve watched more and more SOCs being built on the backs of Junior Security Analysts. 75% of the SOC has become a security helpdesk, attempting to whack-a-mole its way through security alarms and scraping through the bowels of security logs and event data with inefficient and disparate tools, many times learning how to use the tools as an incident unfolds. It’s an endless cycle, burning out security analysts and SOC managers and providing little value to the business.

The Junior Analyst doesn’t come to the SOC with tribal knowledge of the business and enters the security arena with little security experience. The hiring criteria for a Junior Security Analyst largely come down to demonstrating the ability to learn. The Junior Security Analyst’s role is the most obvious position to apply artificial intelligence and automation to. A machine starts from deployment day with the same amount of knowledge as a new hire. Every day, the machine adds knowledge in the form of network data to its memory, with the benefit that a machine never forgets. Over time, the data builds relationships, creates events, and elevates its value to the SOC. As tribal knowledge, incident response steps, and business workflows are learned, the value of a machine analyst begins to sound exceedingly similar to the career growth of a Junior Analyst, minus the added cost of health benefits, a yearly bonus, turnover, burnout, and human weaknesses.

Why are we adding humans to our teams to analyze data to discover relationships? It’s time for artificial intelligence to step up and fill the analyst’s legacy role of event correlation, historical analysis, and ticket creation, bubbling the important events to the top for immediate action.