When security analysts are freed from the technical shackles of traditional data science, they can harness their expertise and creativity to rapidly ask questions of big data, test theories, explore and validate their ideas.
We all like to think that government agencies have the edge when it comes to delivering the latest and most innovative cybersecurity management and threat detection. However, a recent White House report of cyber risks across 96 federal agencies revealed a slew of legacy IT systems that fall short in delivering critical results, and a significant shortage of trained cybersecurity personnel.
Just as in corporate environments, the security operations center of a government agency is a barrage of alerts that turn SOC professionals into traffic coordinators rather than intuitive and investigative defenders of an enterprise. And the complex process of building lengthy queries to dig into the swamp of security data leads to many inefficiencies in protecting data and identifying risks. When time is of the essence, it's critical to have the ability to stop security threats before they become a real problem.
Instead of staring at static and outdated security dashboards or waiting on the too few technical experts to run their queries, what if security analysts -- including novices and non-technical users -- could ask questions of their data and get answers, no matter where the data resides? They could find out:
- Which hosts are vulnerable this week versus last week?
- Which users have successfully logged in during non-business hours today?
- Which vulnerable hosts have failed updates this week?
- Which users successfully logged into infected systems today?
- Which users successfully logged in more than 5 times within a 15-minute timespan this week?
A transformative interface that allows security analysts to quickly expand, pivot or correlate related intelligence using plain-English questions is critical for agencies countering an evolving threat landscape.
Addressing cybersecurity challenges
Successful cybersecurity operations consist of effective tools, efficient processes and highly skilled people. In today’s threat landscape, achieving these goals remains elusive to most chief information security officers, partly due to an increasing shortage in talented staff. In 2017, the National Initiative for Cybersecurity Education reported that 285,000 cybersecurity roles went unfilled in the U.S. alone. The specialized skillset required to respond, investigate and remediate cyber threats has become highly valued -- and all sectors struggle to keep pace with demand.
To address this widening gap, security organizations within government agencies have turned to various training and certification programs and rely on rigid structures and alert frameworks. Rather than hire experienced cybersecurity staff, non-traditional workers are trained, certified and now protect the enterprise -- by following static procedures and watching prebuilt security metrics.
But as the threat landscape evolves, these newly minted analysts are not prepared to harness their intuition and truly succeed in the timely manner that’s needed.
Turning novices into ninjas
To change this familiar pattern, we recommend a whole new approach for creating a threat detection skillset that is more creative, proactive and comprehensive. By implementing the following three strategies, security teams can become the ninja warriors, threat detectors and the problem solvers their agencies are counting on them to be.
1. Unleash curiosity and creativity. Security teams aspire to be heroes by protecting the security of their organization, yet they struggle with complex search query languages. Natural language processing (NLP) has made it easy for analysts of all levels to ask questions of their data in plain English. By embracing a culture of data curiosity and continuous learning, security teams can be inspired. One question of the data sparks another one, and before long, analysts can explore the data, map findings into context and uncover valuable results.
2. Augment human intelligence. Security teams should adopt technologies that will augment human intelligence and create a dynamic environment of automated queries running at intervals, asking probing questions of the data. This automated capability can replace static dashboards and quickly surface anomalies. Security teams should also experiment with new detection approaches, using data-driven metrics that are based on past threat activity. Another creative approach is to hunt for "cold cases," investigating new variations of tactics used by past threats in order to uncover related activity.
Only by thinking like attackers can security teams start to focus on new, creative ways to improve cybersecurity measures and operations within the agency. The flexibility to experiment, test and validate is crucial, as most ideas are costly to operationalize.
3. Know what the data can do. Before security teams can ask questions of their data, they first need a good understanding of what data they have, how it’s organized and what questions that data can and cannot answer. A data assessment exercise helps security teams get their data in peak performance.
Applying AI for intelligence augmentation
Intelligence augmentation (IA) allows analysts to harness their expertise and creativity to rapidly ask questions of big data, test theories, explore and validate their ideas -- free from the technical shackles of traditional data science. IA methods empower analysts to use artificial intelligence, or more specifically NLP search interfaces, as a tool for exploration of data sets and domains that might be unapproachable otherwise. Envision an immersive interface where security teams can ask very specific, creative questions like, “Show me systems with failed logins from China followed by network traffic to China within the next 5 minutes.” The interface seamlessly translates the question to multiple big data queries, generates multiple interactive visualizations in seconds and inspires the analyst to explore further.
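What the NLP layer has to produce behind a question like the one quoted above, and the earlier "more than 5 logins in 15 minutes" question, is plain correlation logic over normalized events. The following is an added illustration, not code from the article or any product it describes: it runs both questions over a small set of constructed events (the field names, hosts and timestamps are assumptions for the example).

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2018, 6, 4, 2, 0, 0)  # constructed base time, 02:00 (non-business hours)

def ev(minute, kind, **fields):
    """Build one normalized event `minute` minutes after T0 (constructed sample data)."""
    return {"ts": T0 + timedelta(minutes=minute), "type": kind, **fields}

# "geo" is the source country of a login attempt or the destination country of a flow.
EVENTS = [ev(m, "auth", outcome="success", user="jdoe", host="web01", geo="US")
          for m in range(0, 12, 2)] + [          # six logins in ten minutes
    ev(0, "auth", outcome="success", user="asmith", host="db02", geo="US"),
    ev(60, "auth", outcome="success", user="asmith", host="db02", geo="US"),
    ev(20, "auth", outcome="failure", user="root", host="web01", geo="CN"),
    ev(23, "netflow", host="web01", geo="CN", bytes_out=48210),   # 3 min later
    ev(30, "auth", outcome="failure", user="root", host="db02", geo="CN"),
    ev(40, "netflow", host="db02", geo="CN", bytes_out=1200),     # 10 min: outside window
]

def burst_logins(events, threshold=5, window=timedelta(minutes=15)):
    """Users with more than `threshold` successful logins inside any sliding
    window of length `window` (the 5-in-15-minutes question); value is the peak count."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "auth" and e["outcome"] == "success":
            by_user[e["user"]].append(e["ts"])
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits

def failed_login_then_egress(events, window=timedelta(minutes=5)):
    """(host, geo) pairs where a failed login from geo X is followed within
    `window` by outbound traffic from the same host to geo X (the quoted question)."""
    failures = [e for e in events if e["type"] == "auth" and e["outcome"] == "failure"]
    flows = [e for e in events if e["type"] == "netflow"]
    matches = set()
    for f in failures:
        for n in flows:
            if (n["host"] == f["host"] and n["geo"] == f["geo"]
                    and f["ts"] <= n["ts"] <= f["ts"] + window):
                matches.add((f["host"], f["geo"]))
    return sorted(matches)
```

Both functions are order-independent on input, so the same logic can be rerun at intervals over fresh events to replace a static dashboard with a live answer.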
Many analysts have great ideas, but few can quickly act on them. To succeed and grow, this must change. IA empowers teams to experiment, explore, anticipate and think beyond the status quo.
In government, decentralized security operations centers and the lack of standardized IT capabilities make it challenging to adopt new technologies. Effective cybersecurity requires organizations to identify, prioritize and manage cyber risks across the enterprise. With the rise of cybercrime -- predicted to hit global damages of $6 trillion annually by 2021 -- bold steps must be taken to improve security and protect data. Advancements in IA offer one of those bold moves, which starts by simply asking questions of the data.