Cybersecurity Diagnostics: Machine versus Human

Nowadays, machines form an everyday part of our lives. They were invented to ease the daily tasks. Machines and robots can be seen working side-by-side with people in various industries – from factories where machines perform boring repetitive tasks, hospitals where machines assist doctors and nurses in performing diagnostics and precise surgeries, to cybersecurity where machines analyze trillion impulses of data every second.

By taking a closer look at tasks and how machines perform them, it can be observed that they can be extremely accurate and efficient in well-known scenarios. They are capable of handling big data. Machines seldom make any mistakes, and even if a mistake happens, it can be fixed in a way that it does not happen again. On the other hand, humans tend to do mistakes more often. Therefore, the best solution seems to be the usage of a combination of human and machine skillsets.

Let’s take a closer look at how machines assist us, the Cybersecurity Analysts, at our daily tasks. Cybersecurity Analysts have the vital role in the Cybersecurity Operations Centers (SOC). We are a team of experts who able to confront the most challenging issues – just imagine Dr. House’s team in the popular TV series.

The role of a Cybersecurity Analysts is to protect organizations against cyber-attacks by analyzing and optionally acting on the alerts that happen on their networks and on the endpoint devices. The monitoring tools that are used for detection scan numerous potentially malicious events every day, which require further analysis. Most of these events are benign and are detected daily. Though some of the detected events might seem benign at a first glance, putting them into the right context and correlating them with each other might reveal a well-hidden malicious action, which is taking place in the background. This is where the knowledge and intelligence of the Cybersecurity Analysts come into play. The Cybersecurity Analysts have to understand the context behind the alerts and correctly triage them.

At NIL SOC, we understand the importance of a correctly performed triage; that is why we invest intensely in the knowledge and automation (playbooks) of triage processes. Having a broad spectrum of cybersecurity knowledge and knowledge about information technology (IT) systems enables our Cybersecurity Analysts to find the needle in the haystack and block a potential threat. By using automation, we enrich the event data with other information, such as past events and alerts, normal behavior, threat intelligence, and others, so that the Cybersecurity Analysts performing the triage can understand the nature of a specific alert more easily. Then, they can also determine if this is just an act of an administrator doing their usual job, or there might be an unnoticed intruder in the system trying to create some damage.

As can be observed, machines are doing a perfect job at analyzing huge amounts of data, because behind all these analyses mathematical models can be found, and machines understand those very well. But on the other hand, machines cannot compete with humans in intelligence and at doing things which are new to the subject matter. Of course, now you are going to object by saying: “But we have Artificial Intelligence (AI) and Machine Learning (ML) tools.

Indeed, by using these two fancy technology tools, machines can tackle unknown problems, but only to a certain extent. Let me give you an example – the famous chess game between Kasparov and the Deep Blue machine. The machine (Deep Blue) won, but if a different game would have been played, the machine would not know how to play it. That is because the machine learning – as the term already suggests – requires a repetitive learning process of different possible scenarios. On the other hand, if you put a human in the same situation, the human can improvise and still achieve some positive results when playing an unknown game.

That is because of how machine learning works. In order to teach a machine to recognize patterns/objects of a subject matter, it needs to be provided with data about the subject. Based on the data type, there are three different types of learning: supervised, unsupervised, and semi-supervised. Supervised learning means that each data sample (X) has a label (Y); unsupervised learning means that there are only data samples (X), and the algorithm must discover the structure of the data. Semi-supervised learning means that there are a lot of data samples (X) but just a few of them are labeled correctly (Y). Based on this, it can be seen that the knowledge of a machine is based only on one subject, and new data must be provided for the adoption of a new subject. For example, if an ML algorithm is taught to recognize brain cancer from a magnetic resonance (MR) image, it will do it quite well. But, if it is provided with an image of a breast cancer instead, the result would not be as accurate, as the algorithm does not know what breast cancer looks like. This can be translated into a cybersecurity example. A machine can be taught how to detect a well-known threat and the detection would be incredibly good. But on the other hand, if threat actors develop a new way of performing malicious actions, the machine’s answer would be inaccurate.

Contrary to machines, humans are capable of intelligent and creative ways of thinking, which enables us to solve things that have never been encountered before. An experienced Cybersecurity Analyst can develop a kind of an intuition or a hunch when it comes to facing an unknown scenario where a prompt action is required. Just like an experienced doctor, as we all know that not every “Google doctor” is Dr. House.

We can sum up that the crucial task is distinguishing among potentially harmful incidents from trillions of events happening every second. It is similar to that well-known proverb: “Looking for a needle in a haystack”. To perform this task successfully, we need machines to process big data, as well as humans to control the process. We should also ask ourselves if we really want the machines to take care of our networks and act unsupervised, or if we prefer a human having that final touch at keeping our data and infrastructure secure.

At NIL SOC, we believe that we can be the most efficient at catching threat actors by using both machine and human capabilities. We see that without ML and AI, data cannot be analyzed and understood, but on the other hand we cannot decide if the detected actions are malicious, what is going to be the next step of the threat actor, and how to block access of an adversary to your network without human interaction. If you are curious as to how we can manage that, please follow our upcoming blogs and video clips about more detailed topics.

AuthorJakob Premrn, Cybersecurity Analyst & Consultant

SOC Orchestra: The symphony of security tools

Learn wow we leverage automation and orchestration in our SOC to work significantly more efficiently, without reducing the quality of our services.

Watch the lecture