
Tag: human intelligence

For all the talk about robots taking over jobs, there are still important roles for humans in incident response workflows of the not-too-distant future. Here are three. Countless articles have been written about the massive increase in alert volume from detection systems - and the resulting drain on scarce security personnel.

The good news is that as automation begins to play a stronger role in incident response, the dynamic is shifting.

Companies now need to prepare for a world where 99% of the time spent investigating and following up on alerts is given back to them. What is the best use of your newly found time and resources? Let’s consider three possibilities.

Process and Methodology

When was the last time you reviewed your security policy? It’s a loaded question, but many companies go years without reviewing and changing policies that quickly become obsolete, given how fast attack vectors and methods evolve. Key questions to consider when reviewing security policy include:

Are we set up for constant improvement? A security policy can’t be written in stone; it must allow for continuous change and improvement. Do you have a process that lets your security policy keep pace with the fluid nature of threats?

Are we reactive or proactive? While many companies struggle to react to the volume of threats and alerts they see daily, security policy should be forward-looking, anticipating what’s coming and prescribing a proper course of action before new threats arrive.

How can security policy be more business-oriented? The idea of simply locking down everything is as quaint as it is impossible. The speed of business, the need for real-time collaboration, and the hyper-connected nature of how people work require us to strike a balance between security and risk. Security has to be a business enabler, not an inhibitor.

What are we doing wrong? The ability to recognize weaknesses may seem like calling your own baby ugly, but moving past the emotional defense and becoming an objective observer is the only way forward.

What’s Falling Through the Cracks?

When a company implements automated solutions, it can do away with much of the manual work of investigating alerts and remediating threats. But automation will never be able to do 100% of the work. Here’s what security teams need to take on:

Double-check your automated processes. Randomly check for anything you may have missed. For example, if a new threat type isn’t accounted for in your detection or response processes, you’ll need to address it. If you discover something, update the process and keep improving.

Validate what you find. Look at what your automated systems have identified and remediated, then try to understand why the incident made it through your defenses in the first place. Fixing an issue automatically is great, but understanding why it happened and correcting the problem is the Holy Grail.

Hunt! So far, we’ve only touched on dealing with inbound threats, but why not focus on proactive threat hunting? For more on that topic, read Cyber Hunters, Incident Response & The Changing Nature Of Network Defense.

Customize Detection Mechanisms

When companies lack the resources to follow up on alerts, they often tune their detection systems to match their capacity. But in a largely automated scenario, you now have the luxury to:

Recalibrate your detection systems. When you no longer need to filter out low-level alerts or false positives, you can open the floodgates. If you’re no longer dependent on people to investigate alerts, you can get the full value out of your investment in detection solutions by handing all of your alerts (no matter the volume or score) to your automated system.

Rethink prioritization and make sure it’s still needed. Prioritization is the conscious decision to ignore things based on a score. Reconsider what you aren’t paying attention to now that should be, given your new capacity and automated capabilities.

Look at what you’ve paid for but don’t use. We’ve all bought tools that are either sitting on the shelf or not fully implemented. What do you have that could bolster your security posture if you had the time to set it up?

In a security environment leveraging automation, there will always be tasks that are better suited to a human than a machine, and vice versa.

By shifting security teams’ focus to these higher-level tasks, we will make much better use of our human intelligence to combat the ever-increasing cyber threat.

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4.

Nathan has written extensively about the intersection of collaboration and security, focusing on how businesses can keep information safe while accelerating the pace of sharing and collaborative action.

For 10 years, Nathan has taken on marketing leadership roles in ...
Congressmen want to protect commerce, but also give law enforcement powerful tools

DEF CON It’s going to be at least a year or so, and probably a lot longer, before the United States Congress gets around to ruling on the second war on encryption, two members of the US House of Representatives told the DEF CON event.

Alex Stamos, chief security officer (CSO) of Facebook, hosted a panel with Representatives Eric Swalwell (D-CA) and Will Hurd (R-TX) to examine the current battle between some elements of law enforcement and the technology community over backdooring encryption standards, and the news isn’t good.

Swalwell, a member of the House Permanent Select Committee on Intelligence and the Committee on Science, Space, and Technology, has co-sponsored a bill to set up a year-long consultation period to examine the issue, with technical experts and law enforcement weighing in. But with the US currently in election mode, it’s unlikely to get started soon.

He said that the country has to avoid banning the end-to-end unbreakable encryption on which ecommerce depends, but also had to take into account the needs of law enforcement to track suspects and bring them to justice.

“As a prosecutor, in the last three cases I got convictions on, the lynchpin was cellphone data; without that evidence we wouldn’t have had what we needed to prosecute,” he said. “But the San Bernardino case highlighted the challenge, with the FBI using the 1789 All Writs Act. That they had to rely on legislation from 1789 is a failure of Congress to update the law as it is related to technology,” Swalwell said. “We’ve done nothing legislatively since encryption was built and we owe it to the technology community to make sure they know their rights.”

His opposite number Hurd, who consulted for a cybersecurity firm and served in the CIA before going into politics, agreed. Hurd pointed out that the San Bernardino iPhone turned out to have contained nothing of use to investigators, and that law enforcement has a duty to concentrate on traditional police work before it calls for encryption to be broken.

“Encryption is good for national security and for the economy; we should be spreading encryption, not weakening it,” he said. “You don’t have to get into technology by these means, that has already been debunked. You just have to utilise old techniques.”

He pointed out that there was an international aspect to the case that is harming America. Non-US companies, particularly in Europe, were using the issue to introduce protectionist policies that are hurting American companies trying to sell their services abroad.

Hurd, who worked undercover in the Middle East and South Asia during his time at the CIA, also offered an interesting perspective on using technology to counter the machinations of medieval terror bastards ISIS. While the Daesh-bags have been very smart about using social media to recruit worldwide, these techniques could be a two-edged sword.

“In 2005, if you were an American and went into tribal areas of Pakistan offering to fight for Islam you’d get your head cut off,” he said. “Now people can, thanks to social media, but when you think about it that’s also an opportunity to insert human intelligence operatives.”