One of the biggest cybersecurity challenges is the “people factor”. Ask any information security professional and they can name something a person did that created a vulnerability or risk and enabled an attack to occur.
Many of these mistakes can be avoided through better human-digital behaviors, which makes cybersecurity training important, but not a “cure-all”.
Yet, improving individual awareness is not enough: we need to focus on optimizing operational preparedness to reduce the time to detect and respond to cyber-attacks as they happen. Once an attacker is inside the network, time is everything and the primary objective is to detect and stop the in-progress attack before damage is done.
After the initial compromise, cybersecurity teams need to detect and respond to the attack faster than the attacker is at spying, spreading and stealing information. Unfortunately, time historically has been in the attacker’s favor.
Research from the Mandiant M-Trends 2017 report indicates that attacks persist undetected for an average of 99 days, sufficient time for an attacker to learn and adapt to an organization’s environment.
Attackers are succeeding because modern networks are porous with users, apps and data moving fluidly between locations, creating a massive attack surface and plenty of places to hide. However, many security strategies have not kept pace.
Organizations that only use tools to find attackers at the perimeter are ignoring the largest part of the attack surface – the internal network. This is a big security problem, because finding active cyber-attacks on the internal network involves a volume of traffic that is orders of magnitude higher than the data that traverses the perimeter.
Detecting cyber-attacks on the internal network requires a security analyst to analyze and correlate large volumes of data from all connected devices, apps and traffic to find what could be a very small digital footprint of potentially malicious behavior that might indicate a threat. There is no guarantee that the behavior is attacker-related, and security analysts often spend precious time chasing it down.
A human could eventually find an attacker, but this rarely occurs fast enough. Even worse, the advanced level of experience required to manually detect active cyber-attacks directly impacts the ability of companies to hire qualified analysts to address this problem.
There is a clear need to automate cyber-attack detection and response in order to reduce the amount of time attackers have free rein in an organization’s network. Artificial intelligence technologies that combine machine learning, data science and behavioral analytics provide this automation, but human experience is still essential to the process. What we need is to combine artificial with human intelligence.
AI that automates the repetitive tasks at massive scale makes human security analysts better in the same way that financial analysis tools enable bankers to be better. Similarly, AI can benefit from human intelligence by learning from the conclusions humans make based on AI’s automated analysis.
Humans train machines to detect attacker behaviors across the entire spectrum of the attack lifecycle. AI automates the repetitive tedious work of finding those attacker behaviors hiding in the large volume of network traffic that would take a human analyst many days or weeks. AI enables security teams to make well-informed decisions but the intelligence and creativity of human experts are critical to making smarter decisions about how to respond to the information presented by machines.
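To make the two ideas above concrete (correlating internal traffic to find a small behavioral footprint, and feeding analyst conclusions back into the automated analysis), here is an added illustration that is not code from the original article or from any vendor it refers to. It learns a per-host baseline of how many distinct internal destinations each host contacts per hour from constructed flow records, flags hosts whose fan-out jumps well above their own baseline, and lets an analyst’s “benign” verdict suppress a host (such as an authorized vulnerability scanner) that the statistics alone would keep raising. The flow tuples, host names and thresholds are all assumptions made for the example.

```python
"""Behavioral fan-out baseline for internal traffic, with an analyst feedback loop."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not from the article): (hour, src_host, dst_host, dst_port).
FLOWS = []
for h in range(8):  # hours 0-7: routine activity used to learn the baseline
    FLOWS += [(h, "ws-01", "file-srv", 445), (h, "ws-01", "mail-srv", 993)]
    FLOWS += [(h, "ws-02", "file-srv", 445), (h, "ws-02", "print-srv", 9100)]
    FLOWS += [(h, "scanner", f"host-{i:02d}", 22) for i in range(20)]
# hour 9: ws-01 suddenly reaches a dozen peers over SMB; the scanner covers five new hosts
FLOWS += [(9, "ws-01", f"ws-{i:02d}", 445) for i in range(3, 15)]
FLOWS += [(9, "ws-02", "file-srv", 445)]
FLOWS += [(9, "scanner", f"host-{i:02d}", 22) for i in range(25)]

TRAINING_HOURS = range(8)
MIN_MARGIN = 2  # tolerate small growth even when a host's baseline has zero variance


def distinct_destinations(flows):
    """Map host -> hour -> set of distinct internal destinations it contacted."""
    seen = defaultdict(lambda: defaultdict(set))
    for hour, src, dst, _port in flows:
        seen[src][hour].add(dst)
    return seen


def learn_baseline(flows, hours=TRAINING_HOURS):
    """Per host: mean and population std-dev of distinct destinations per training hour."""
    seen = distinct_destinations(flows)
    baseline = {}
    for host, per_hour in seen.items():
        counts = [len(per_hour.get(h, set())) for h in hours]
        baseline[host] = (mean(counts), pstdev(counts))
    return baseline


def threshold(host, baseline):
    """Alert above mean + 3 sigma, but never below mean + MIN_MARGIN.

    A host never seen in training gets a (0, 0) baseline, so more than a couple of
    destinations from a brand-new host is enough to surface it for review.
    """
    m, sd = baseline.get(host, (0.0, 0.0))
    return max(m + 3 * sd, m + MIN_MARGIN)


def score_hour(flows, baseline, hour, analyst_feedback=None):
    """Return alerts for hosts whose fan-out at `hour` exceeds their own baseline.

    `analyst_feedback` maps host -> verdict; a "benign" verdict is the human
    conclusion fed back into the automation, suppressing that host's alerts.
    """
    analyst_feedback = analyst_feedback or {}
    seen = distinct_destinations(flows)
    alerts = []
    for host, per_hour in seen.items():
        observed = len(per_hour.get(hour, set()))
        if observed <= threshold(host, baseline):
            continue
        if analyst_feedback.get(host) == "benign":
            continue  # known-good behavior confirmed by an analyst is not re-raised
        ports = sorted({p for h, s, _d, p in flows if s == host and h == hour})
        alerts.append({"host": host, "hour": hour, "observed": observed,
                       "expected": baseline.get(host, (0.0, 0.0))[0], "ports": ports})
    return alerts


if __name__ == "__main__":
    base = learn_baseline(FLOWS)
    print("first pass:", score_hour(FLOWS, base, 9))
    print("after analyst marks the scanner benign:",
          score_hour(FLOWS, base, 9, {"scanner": "benign"}))
```

The first pass raises both ws-01 and the scanner, because the scanner’s hourly fan-out grew past its own baseline. Once an analyst records the scanner as benign, only ws-01 remains, with its observed fan-out, the baseline it deviated from, and the port involved attached so the analyst can decide how to respond. The machine narrows the volume; the human makes the call, and that call shapes the next pass.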
By combining human and artificial intelligence, organizations dramatically improve their chances to succeed at stopping cyberattacks as they happen and protecting our critical data.