Machines are better at speed and scale than humans. But humans have the edge over machines at thinking outside of the box, using their curiosity and creativity to come up with solutions, and reasoning that machines cannot define or replicate. When it comes to security operations, humans and automation are the duo that’s stronger and more effective in partnership than when they’re apart. Using extended detection and response (XDR) can bring these skills to the forefront of the Security Operations Center (SOC), leaving the repeatable, boring tasks to the machines and allowing for these human traits to shine.
Current challenges
Human security analysts are not enjoying their work as much as they could be. In the current paradigm, experienced analysts feel like they are handcuffed to the console. These intelligent, trained professionals are not using their curiosity, creativity and collaboration skills. They're using their “stare at a console and find bad streaming data” skills, which humans just don't have.
Organizations are trying to monitor a volume of data that’s simply greater than their human security analyst teams can handle. Humans are constrained by the limits of their memories, attention spans and awareness, and they bring biases that can complicate investigations. But humans have the edge over machines, as noted above. Both are needed, but right now, human intelligence and insight is being squandered on an impossible task.
Changing the interface point
Consequently, the point at which humans meet data needs to change. Putting “eyes on glass” is not the best place for humans to interact with data, particularly as data grows exponentially. The right interface point will be where enough information, intelligence and processing has been put on that data so that it's meaningful to a human. They need to look at the situation as opposed to an alert or an event.
Right now, humans operate at that alert/event layer. They need to be operating at the security situation layer, because there are a manageable number of security situations that happen, if analysts only knew they were happening.
Humans need to be meeting the data when it is contextualized. For instance, imagine that a malicious act occurs. Multiple different types of sensors are going to observe that malicious act. All of that sensor information needs to be collated, along with the context of the internal systems, the external systems and all of the other things that integrate at that point and make it a security situation.
This collated information enables the analyst to know who, what, when, where, why and how. If the analyst knows who, what, when, where, why and how and is still talking about hexadecimal packet payloads, they’re at the wrong point of abstraction. The who should be this actor, or this type of actor, not this attack technique or this tool. And that's when it becomes a situation: the analyst has someone bad doing something bad. The analyst has discovered them and can now manage them out.
The right automation engine
A vendor-agnostic XDR solution is a necessary component in solving the data overload problem and providing that context – a system that examines all of the data collected, past and present, and assigns a collective meaning to the disparate pieces. Using a vendor-agnostic XDR engine will help automate processes best designed for a machine to handle. As it is designed to work with the tools a company already has in play, this type of system can be up and running in a matter of hours, not days or months.
A vendor-agnostic XDR engine will gather all of the disparate data from your existing sensors and provide the context needed to begin human investigation, thus changing the interface point between humans and data. The XDR engine will provide that situation layer and allow a human to effectively manage the problem, using all the information necessary.
Move your human resources to more complex problems
With this type of XDR, a machine is taking the burden of “eyes on glass” away, allowing humans to do what they do best: use their curiosity, creativity and collaboration skills. They can spend their time elsewhere — on threat hunting, exploratory analytics or other projects. With security operations software doing the mundane, routine monitoring, the human analysts are able to invest more of their time in higher-value projects. This includes activities like deploying new tools and technologies, conducting deeper investigations into incidents that have occurred, and strategizing for the ongoing continuous improvement of the program.
The best of both worlds
Humans are masters of investigation, exploration and asking, “What if?” questions. In terms of cybersecurity analysis, humans are highly proficient at tasks involving curiosity, creativity and interaction with other humans. This means they tend to be good at strategizing, planning projects, threat hunting, asking probing questions and forming conclusions. They also excel when it comes to making business-level decisions.
For their part, machines use Bayesian logic and probability theory, along with other modeling approaches, to find the most likely solution to problems involving enormous volumes of data. Thus, they can consider almost infinite amounts of network telemetry data, user data, system profile data and threat intelligence.
Combining the beauty of human brains and the might of machines creates a pair that’s stronger and more effective together than when they’re apart. Organizations will rest a bit easier knowing that their XDR-empowered machines are strengthening their security posture, too.