It’s no secret that the volume, sophistication and impact of cyber attacks are continuing to rise and with this detection systems are raising ever increasing volumes of alerts and logs. Cyber analysts play a vital role in the operational security of business critical networks but the increasing cognitive burden placed upon them is not sustainable.
The reason for this is that there are two BIG PROBLEMS with cyber analysts…
BIG PROBLEM #1: They’re only human.
Some might disagree — not that cyber analysts are human (although there are some who are so talented that they stretch the very definition!), but that the very fact they are human is a weakness. And to some degree they’d be right. The human brain is amazing at spotting patterns in what appears to be a disparate and confusing world of chaos. Machine Learning is catching up, but human brains are currently, still, better value for money in spotting things that haven’t been spotted before.
Where the human frailty plays a part is in our ability to continue to make complex decisions over long periods of time.
Logical thinking and decision making is expensive when it comes to power usage in the human body. That’s why Spock never wasted calories on a smile, why we have biscuits in meetings, and why (hopefully), there will be cake waiting for us in-between our talks at the InfoSecurity2017 conference next week — to replenish our brains with energy so that we can continue to concentrate!
But calories alone aren’t enough, and even the fittest minds with copious calories will eventually become exhausted.
Next time you’re standing in-line at airport security, you’ll notice that the people concentrating at the X-Ray machines swap over every 20 minutes or so, changing from the high concentration job of looking for bad things to more manual and menial jobs of asking people if they can take their shoes and belts off…
Legend has it that the reason Steve Jobs always wore his iconic black polo neck and jeans, and why Mark Zuckerberg always wears the same coloured T-shirt or hoody is because it is one less decision to make each day, giving their brains more cognitive capacity to worry about the more important decisions that need to be made.
Closer to home, how many of us have experienced those moments after an incredibly busy day at work making difficult decisions on behalf of the people in your company or your customers? For example, when you get home and your partner asks you:
- shall we go to your mum’s or mine for Christmas?;
- we need to decide where we’re going on holiday; or
- would you like red wine or white?
Boom! Too many difficult decisions for one day! Time for a break!
So if human beings are great at thinking, they just can’t concentrate hard for long periods of time, then when it comes to cyber defence, why don’t we solve the problem like airport security do with short 20 minute shifts and high levels of rotation. We just need to get more cyber analysts, right? And this brings us onto the second BIG PROBLEM with cyber analysts:
BIG PROBLEM #2: There aren’t enough cyber analysts. In the world!
Anyone who’s been involved in cyber analyst recruitment knows how hard it is to find experienced professionals in this area. Cisco have reported that there are 1 million unfilled jobs in cyber security worldwide, and Forbes estimated that there will be a shortfall of 1.5m cyber analysts by 2019.
So if machine learning (ML) can’t do what humans can do, and if there aren’t enough humans to do the jobs that need doing, we need to do more with the cyber analysts we’ve got. Here at Deep Sky Blue, we believe that the way we get more out of our cyber analysts is by getting them to do less:
Less banal decision making…
Less decisions on how to do something…
Less decisions on analysing false positives…
This is the background that led to our Dstl joint-funded project aimed at lightening the cognitive load for cyber analysts, helping them reach their objectives, and why we called the project Sherpa.
The Sherpa project delivered a prototype that automates aspects of the cyber event triage process. We used machine learning techniques to spot patterns of events based upon similarities to other patterns of events in its cyber defence library, automatically prioritise events and recommend courses of action in response.
The User Interface and User Experience (UX) design was influenced by psychological and cognitive load theories and aims to reduce extraneous cognitive load by reducing the number of decisions that need to be made when using the system. Workflows, font design, colour theory, and keyboard control all form part of an interface that is intuitive to use and reduces the many micro-decisions analysts have to take when using more traditional tools… By taking away the decisions a cyber analyst shouldn’t have to make, we aimed to induce the psychological state of flow… a state that allows people to remain focused, in the zone as it were, for hours at a time.
Together, we believe this ML + UX combination can turn mere mortal cyber analysts into superhuman cyber analysts, with the right information to make the right decisions for longer.
As well as creating knowledge and learning for Dstl, the Sherpa project has also been hugely beneficial to us at Deep Sky Blue as a company. It’s been an exciting and different type of project for the team, creating new skills that we’re now able to provide to our customers. We have IP, not just in the prototype product itself, but also in the knowledge that we’ve generated across the company. Again, this has value in the day to day work we deliver, but also there’s a mountain of knowledge and IP here that could have value to the SIEM sector.
I’ll be running through the Sherpa project in my talk at Infosec2017 on Tuesday 6th June at 15:10 and again on Wednesday 7th at 12:55. And of course, pop over to our stand at T10o where we can show you a little more about the Sherpa project, the way that we approach software development and how Deep Sky Blue could help your business.