Chief Information Security Officers (CISOs) are responsible for managing information security risk. They do this by deploying appropriate tools, processes and resources to protect networks and digital assets from cyber-attacks. Whilst a lot of attention is rightly directed at identifying the type and nature of the specific cyber threats, serious consideration must also be given to building a capability that will effectively handle the data that is generated by the attacks.
Large businesses receive billions of security events every month. Within this incomprehensible volume of data there will be malicious activity, originating from inside and outside of the business. It’s clearly a big data problem, for which businesses are spending millions of pounds deploying security systems designed to cut through the noise and pinpoint dangerous attacks. But the reality is that there is still a huge dependency on human analysts to perform a manual triage function, to make the task manageable. The analyst is most definitely on the front line, facing relentless flows of data that might contain an attack that could bring a business down. Overloaded security teams are a serious threat.
To compound this issue, it is well understood that security analyst resources are scarce. A report from Frost & Sullivan stated the global cyber security workforce will be short of 1.5 million positions by 2020. How government and industry will find ways to overcome this critical resource shortage is a separate debate, but right now the balance of supply and demand for skilled analysts is severely skewed.
You want a career in cyber security
As such, businesses are paying high salaries to recruit graduates that can demonstrate a theoretical understanding of cyber security. These individuals are parachuted into security operation centres, where they must quickly become familiar with the array of security tools and processes that are in place to protect the business. Imagine the scenario from a graduate’s perspective. It might look something like this…
You’ve just graduated from university, where you studied diligently to be awarded a technology-related degree; maybe in computer science, or perhaps you studied a more conventional science or engineering subject. You’ve attended hackathons, held your own and are confident you ‘know your stuff’. You did this because you want a career in cyber security. You know employers are willing to pay a premium and you feel ready to defend any business that will hire you, putting the theory you’ve learnt into practice.
Month 1. Welcome to the front line! You complete your induction and meet the other three members of your small security operations team. They are wearily keeping an eye on a bank of screens that show information being correlated across the global estate that you must now help defend. The combined cost of the cyber security systems is mind boggling, and you learn that they are connected to, and see, everything.
Month 2. You are now familiar with the systems that the business is using. Your job is to monitor the thousands of events that are being presented via the various dashboards to determine which ones are dangerous (and should be escalated) and which ones can be put aside. The problem is that there is so much information being presented that it is impossible to keep up. Some senior members of the IT security team and (you think) a contractor from one of the system providers recently made some changes to the main event correlation system. It’s not obvious how this has changed anything, but you’re sure that the new rules will have improved defences, right?
The introduction of AI
Month 5. The systems are presenting too much information, but the guys have shared their approach to dealing with the overwhelming volume of alerts – it’s not very scientific! One of the team has been doing this for years and says he instinctively knows which alerts are real and which are false positives. He tells you he’s never missed a dangerous attack, but you struggle to understand how he can be certain, given his approach. They also tell you they tend to move around every year or so, as businesses are crying out for ‘experienced’ analysts. It could be time to return the calls from that head hunter!
There is little doubt that overloading security teams is a serious threat to businesses, but the cyber security industry is reacting and the recruitment and retention industry is adapting. GCHQ, the government’s communications arm, is broadening its search for competent analysts. No longer is a degree in science or engineering a pre-requisite. Persistence, ability to adapt to challenging situations and other ‘softer’ skills are being assessed as important competencies. For example, musicians are being assessed due to their ability to interpret patterns and how their brain processes information. There are also initiatives, such as the National Cyber Security Centre ‘CyberFirst Girls Competition’, aimed at getting more girls involved in cyber security.
The most obvious change in recent years is the introduction of AI within cyber security products. Unsupervised machine learning is being used to augment human analysts by identifying anomalous behaviour within the data flows. Companies are also using machine learning systems to perform the business-critical triage function, sifting through huge volumes of data in real-time to spot attack characteristics and applying artificial intelligence to judge the risk of attacks, prioritising the events before presenting them to the analyst.
Security overload is a significant threat that must be addressed by businesses, and the adoption of new technologies, coupled with the willingness to recruit across other disciplines, means it’s an issue that can be addressed.
Stuart Laidlaw, CEO, Cyberlytic