What’s your false positive rate? This was the most often asked question at this year’s Blackhat Conference 2016, especially for anyone with even a scent of Machine Learning algorithms in their product. The biggest issue facing the SOC is the inability to sift through thousands of alerts per day due to a shortage of employees, so it doesn’t take a genius to get to the question of what it’s going to cost me in man hours to sift through a new mousetrap’s false positives. How many more Junior Analysts do I need to add to my team to look over my box?
In the last five years I’ve watched more and more SOCs being built on the backs of Junior Security Analysts. 75% of the SOC has become a Security Helpdesk, attempting to whack-a-mole its way through security alarms and scraping through the bowels of security logs and event data with inefficient and disparate tools, many times learning how to use the tools as an incident unfolds. It’s an endless cycle, burning out security analysts and SOC managers, and providing little value to the business.
The Junior Analyst doesn’t come to the SOC with tribal knowledge of the business and enters the security arena with little security experience; the hiring criteria for a Junior Security Analyst are largely about demonstrating the ability to learn. The Junior Security Analyst’s responsibilities are the most obvious position to apply artificial intelligence and automation to. A machine starts from deployment day with the same amount of knowledge as a new hire. Every day, the machine adds knowledge in the form of network data to its memory, with the benefit that a machine never forgets. Over time, the data builds relationships, creates events, and elevates its value to the SOC. As tribal knowledge, incident response steps, and business workflows are learned, the value of a machine analyst begins to sound exceedingly similar to the career growth of a Junior Analyst, minus the added cost of health benefits, a yearly bonus, turnover, burnout, and human weaknesses.
Why are we adding humans to our teams to analyze data to discover relationships? It’s time for Artificial Intelligence to step up and fill the Analyst’s legacy role of event correlation, historical analysis, and ticket creation, bubbling the important events to the top for immediate action.