In the previous post in this series, McAfee looked at the process by which raw data is collected from the operating environment, then processed and distributed in a consumable form as information. Collection and processing are typically automated. The final phase, analysis, has until quite recently been almost exclusively the domain of human analysts. To learn more about McAfee, visit McAfee.com/Activate.
It is that human intervention at the last mile of intelligence that presents the challenge when the environment you operate in is throwing off 1,200, or even 100,000, alerts a day from a chatty network IPS.
It would be easy to say that the way forward is to apply artificial intelligence (AI) to this analysis phase and automate our way out of the final chokepoint. The reality is that AI, for the foreseeable future, remains insufficient for that task.
In data science there is a direct relationship between the true positive rate and the false positive rate: pushing the true positive rate up pushes the false positive rate up with it, and the result is a model that is less than 100% accurate. While deploying machine learning and deep learning is critical in the SOC, it is essential to understand the Receiver Operating Characteristic (ROC) curve that describes this relationship. Assuming that machine learning models and classifiers will be correct 100% of the time is setting your SOC up to fail. A better approach is to layer multiple technologies to filter out the noise, so that you can identify the signals that yield the insights needed to make a sound decision.
What is required is a reinforcing loop of information and education between machines and humans, "human-machine teaming", to borrow a phrase from McAfee CTO Steve Grobman. The goal is to augment the analyst, not replace them.
It is important to note that there are things human analysts can do on their own to reach actionable insights without the help of any machine. At McAfee, security analysts focus on the following:
- Prevalence – How pertinent is this data to the enterprise? Is it local threat intelligence, or intelligence used in a specialized way? Is it global threat intelligence or industry-level threat intelligence?
- Age – Understanding brand-new signals, whether they are scripts, processes, or files in the environment.
- Diversity – Building on prevalence, McAfee applies diversity from sources such as McAfee Global Threat Intelligence (GTI), which provides much more context from across the globe.
Additionally, these traits are essential to SOC processes:
- Completeness – Do you collect enough of the noise to capture the evidence and context needed for effective detection?
- Timeliness – Are you acting quickly on the signals?
- Accuracy – Do you understand the relationship between false positives, true positives, true negatives, and false negatives?
- Confidence – Are you aggregating models and data to understand the confidence level and importance of the different decisions?
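The ROC trade-off described above, and the prevalence and accuracy traits in the lists, as an added worked example that is not McAfee's code or any product's logic: a detector's scores are swept through thresholds to produce ROC points, and a simple prevalence filter (artifact seen on few hosts) is layered on top to show how a second signal cuts false positives without dropping true positives. The alert data, the host counts and the threshold values are constructed for the demonstration.

```python
# Constructed sample alerts: detector score in [0, 1], number of enterprise
# hosts the artifact was seen on (prevalence), and the analyst's post-triage
# verdict (True = real threat). All values are invented for this example.
ALERTS = [
    (0.95, 2, True), (0.90, 1, True), (0.85, 400, False), (0.80, 3, True),
    (0.70, 1, True), (0.65, 120, False), (0.60, 2, True), (0.55, 5, False),
    (0.50, 800, False), (0.45, 1, True), (0.40, 90, False), (0.35, 300, False),
    (0.30, 2, False), (0.20, 150, False), (0.10, 1000, False),
]

def confusion(alerts, threshold, max_hosts=None):
    """(TP, FP, TN, FN) when every alert scored >= threshold is escalated; with
    max_hosts set, alerts seen on more hosts than that are dropped as noise."""
    tp = fp = tn = fn = 0
    for score, hosts, is_threat in alerts:
        flagged = score >= threshold and (max_hosts is None or hosts <= max_hosts)
        if flagged and is_threat:
            tp += 1
        elif flagged:
            fp += 1
        elif is_threat:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn

def rates(alerts, threshold, max_hosts=None):
    """True positive rate and false positive rate: one point on the ROC curve."""
    tp, fp, tn, fn = confusion(alerts, threshold, max_hosts)
    return tp / (tp + fn), fp / (fp + tn)

def roc_points(alerts):
    """(threshold, TPR, FPR) at every distinct score, strictest threshold first;
    walking down the list shows TPR and FPR rising together."""
    thresholds = sorted({s for s, _, _ in alerts}, reverse=True)
    return [(t, *rates(alerts, t)) for t in thresholds]

def daily_false_alarms(fpr, benign_events_per_day):
    """Tickets per day that benign activity alone hands to analysts at this FPR."""
    return round(fpr * benign_events_per_day)

if __name__ == "__main__":
    for t, tpr, fpr in roc_points(ALERTS):
        print(f"threshold {t:.2f}: TPR={tpr:.2f} FPR={fpr:.2f}")
    # Score alone catches every threat only at FPR 4/9; adding the prevalence
    # filter keeps TPR at 1.0 and cuts FPR to 1/9 (far fewer tickets a day).
    for max_hosts in (None, 10):
        tpr, fpr = rates(ALERTS, 0.45, max_hosts)
        print(f"max_hosts={max_hosts}: TPR={tpr:.2f} FPR={fpr:.2f} tickets/day={daily_false_alarms(fpr, 100_000)}")
```

On a feed of 100,000 benign events a day, the score-only setting that catches every constructed threat would hand analysts roughly 44,000 false tickets, while the layered filter drops that to roughly 11,000 at the same true positive rate.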
You will always want many signals to investigate, which can be generated using data science methods, because these are often the only clues that let you start the triage and investigation process.
This is where machine learning and automation can help bridge the human labor gap. As you start down that path, you realize that you are going to need tools that are easier to manage. The focus shifts to enabling your staff to do more. Learning mechanisms for both humans and machines become a vital part of the equation. The idea is to put the human in the middle of a self-reinforcing loop with data science capabilities such as machine learning, deep learning, and artificial intelligence.
Robert Williams is a self-professed security expert who has been making people aware of security threats. His passion is writing about cybersecurity, malware, social engineering, games, the internet, and new media. He writes for McAfee products at www.mcafee.com/activate.