The world hardly lacks for security "experts" who are assigned the responsibility of constructing impenetrable firewalls on behalf of their companies. Nor does it lack an endless series of breaches that can cost businesses and consumers dearly. According to the latest Threats Report from McAfee Labs, security teams today face 244 new cyber threats every minute. Not enough of them are successfully fended off. So what's missing in the fight to protect corporate networks and consumer data?
For one thing, the concept of the autonomous threat hunter isn’t that old. Its role has been the topic of increasing public discussion for just the last six to 12 months, says Barbara Kay, McAfee’s senior director of product marketing. Only in the last several years have companies begun designating dedicated threat-hunting teams, free from day-to-day concerns and able to take the long view of cyber threats.
McAfee’s recent survey on the topic attempted to identify whether “threat hunting” had evolved beyond a buzzword and was being taken seriously by organizations. Those who saw it as part of their jobs were asked how they approached the problem, and what tools they deployed.
The answers revealed a sharp difference in effectiveness between the work of veteran threat hunters and those just undertaking the task. According to the McAfee survey, successful cybersecurity teams devote 50 percent more time to actual threat hunting. And they make extensive use of automation in order to facilitate it.
Part of the solution lies in creation of a formal information Security Operations Center (SOC), a place where all of an organization’s security processes and technologies can be monitored and defended. Kay says companies are investing aggressively in SOCs, although their implementation models differ. Some build the initiative in-house, while others prefer to outsource it to security services. Either way, they come to rely on dedicated security personnel, some with operational responsibilities and others devoted to strategy and system design.
A high-performing threat-hunting program will depend heavily on the collection and rigorous analysis of large amounts of data. Only by equipping themselves with adequate information can companies trigger the necessary alerts and head off potential breaches. Less-effective efforts fall back on automated alerts, reacting to threats only after the fact.
The massive amount of data available to businesses today requires the use of automation to make sense of it all. McAfee’s report finds that the best cybersecurity programs are three times more likely to automate threat investigations. More than two-thirds of respondents said better automation and threat-hunting procedures were needed to reach the top level of performers.
Automation alone isn’t the answer. Kay says the teaming of humans with machines is essential. In fact, 71 percent of advanced SOCs deploy such teams to close cybersecurity investigations within a week or less, according to McAfee.
It’s heartening to hear that people still have a place in the world of technology, especially when it comes to cybersecurity. Conceptually, a system that relies entirely on machines and artificial intelligence is highly desirable. After all, today’s computers can beat the world’s greatest human masters of chess and Go. For cybersecurity, however, an all-machine approach “is just not likely to happen, and we don’t believe it’s the right answer,” says Kay.
Computers can perform tasks that rely on brute force and the amassing of huge amounts of data, such as threat detection. In other words, they can make sense of chaos. But humans are still better at discerning patterns and relationships, and at interpreting potential threats based on years of real-world experience. Kay sees the ideal threat-hunting operation today as a collaboration between human and machine.
When it comes to the application of technology to cybersecurity, she prefers the term “machine learning” over “artificial intelligence.” In many respects, the latter is still in its infancy, although it promises to play an important future role in predicting threats.
McAfee is encouraging continued input from security experts through the creation of OpenDXL.com, an open-source portal for developer collaboration and security intelligence. “We wanted to provide a place for people to get educated, have discussions, and find applications that may already exist,” says Kay.
That said, people remain the weakest link in efforts to fight cyber theft. One major concern is the lack of skilled individuals who can work with automated systems to create effective security organizations. Another is a shortfall in user awareness and consumer education. Too many breaches are still the result of people failing to observe the most basic security guidelines, such as the rigorous use of strong passwords and not introducing untrusted individuals and apps into corporate systems.
“There are ways that we as vendors can help to facilitate right action, but we will always have some problems driven by people,” says Kay. “As an industry and I.T. community, we have to be thinking about how to integrate security throughout our decisions and services, to help people to do the right thing…. We have to improve the guard rails that help you stay on the path.”