Some cybersecurity analysts amaze me. In fact, in broader terms, experts amaze me. When you see an expert in action they frequently make very difficult things seem simple. Their experience has honed their skills to the point that they can make sense of very confusing scenarios. In particular, cybersecurity experts can intuitively recognize suspicious actions and network conditions that mere mortals can't.
They are so impressive because they have learned in great detail the ins and outs of their enterprise's network, the enterprise's business, and the people of the enterprise. Somehow, they are able to recognize suspicious and malicious things seemingly by instinct.
Knowledge Representation and Reasoning
This is where Knowledge Representation and Reasoning (KR&R) comes into play. With KR&R we are able to capture the expert's knowledge and logic in a form that computers can use. It makes no sense to ignore the expertise these analysts have accumulated. Why reinvent what is already so powerful: human knowledge and logic?
Whenever you ask a good cyber analyst "what do you do when you see an alert from one of your security appliances?", the answer isn't "I don't know". The answer is usually, and quickly, the chain of tasks that he or she would perform to determine whether the alert represents a real threat and how severe that threat may be. I have asked these "what did you do when...?" questions many times, and I have yet to have an analyst hesitate in sharing his or her thoughts with me.
Focusing on the 1%
Only recently have we had ontology languages that both computers and humans can understand, which lets the knowledge and experience of an analyst be passed on to a computer. The analyst is now able to focus their expertise on cybersecurity, not programming. This shifts the mundane tasks of the analyst's workload to automated processing by the computer. With the computer automating the routine analysis and filtering out false positives, the analyst can focus on the 1% of incidents that are of high concern to the enterprise. One caveat a practitioner should keep in mind: an encoded rule is only as good as the knowledge behind it, and a rule that wrongly labels something a false positive suppresses true positives silently, so the alerts the computer filters out should still be sampled and reviewed periodically.
The cybersecurity industry does not need new silver bullets; it just needs a better way of firing the bullets we've already got. Current experts have the knowledge and experience to solve our cybersecurity problems, but they can't apply that knowledge and experience fast enough. Combining the power of computers with expert human knowledge and logic is necessary if we're ever going to meet the ever-growing cybersecurity challenges we all face.
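To make the idea concrete, here is an added example (not code from the original post) of what "capturing the analyst's knowledge and logic" can look like in practice: facts about the enterprise and about alerts are stored as subject-predicate-object triples, the analyst's triage chain is written as declarative rules, and a small forward-chaining reasoner derives the conclusions the analyst would have reached by hand. The hosts, the authorized scanner, the alerts and the rules are all constructed for this illustration; a real deployment would use an ontology language and reasoner rather than this hand-rolled engine, but the principle is the same.

```python
"""Forward-chaining rule engine over alert facts.

An added illustration of encoding an analyst's triage logic declaratively.
Every host, alert and rule here is constructed sample data, not taken from
any real environment or from the original post.
"""
from collections import namedtuple

# A fact is a (subject, predicate, object) triple, the same shape used by
# ontology languages such as RDF/OWL.  Constructed sample data.
KNOWLEDGE_BASE = {
    # Asset knowledge the analyst normally carries in their head
    ("db01", "role", "database"),
    ("db01", "holds", "pii"),
    ("ws17", "role", "workstation"),
    ("scanner1", "is_a", "authorized_scanner"),
    # Alerts as emitted by a (hypothetical) security appliance
    ("alert1", "type", "port_scan"),
    ("alert1", "source", "scanner1"),
    ("alert1", "target", "db01"),
    ("alert2", "type", "port_scan"),
    ("alert2", "source", "10.9.9.9"),
    ("alert2", "target", "db01"),
    ("alert3", "type", "port_scan"),
    ("alert3", "source", "10.9.9.9"),
    ("alert3", "target", "ws17"),
}

# A rule is "if every pattern in body matches, assert head".  Terms starting
# with '?' are variables.  These rules are the analyst's triage chain.
Rule = namedtuple("Rule", ["name", "body", "head"])
RULES = [
    Rule("authorized-scanner-is-false-positive",
         [("?a", "source", "?s"), ("?s", "is_a", "authorized_scanner")],
         ("?a", "disposition", "false_positive")),
    Rule("host-holding-pii-is-critical",
         [("?h", "holds", "pii")],
         ("?h", "criticality", "high")),
    Rule("scan-of-critical-host-is-high-severity",
         [("?a", "type", "port_scan"), ("?a", "target", "?h"),
          ("?h", "criticality", "high")],
         ("?a", "severity", "high")),
    Rule("scan-of-workstation-is-low-severity",
         [("?a", "type", "port_scan"), ("?a", "target", "?h"),
          ("?h", "role", "workstation")],
         ("?a", "severity", "low")),
]


def is_var(term):
    return isinstance(term, str) and term.startswith("?")


def unify(pattern, fact, bindings):
    """Return bindings extended so that pattern matches fact, or None."""
    b = dict(bindings)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in b and b[p] != f:
                return None
            b[p] = f
        elif p != f:
            return None
    return b


def match_body(body, facts, bindings=None):
    """Yield every binding set that satisfies all patterns in body (a join)."""
    bindings = bindings or {}
    if not body:
        yield bindings
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        b = unify(first, fact, bindings)
        if b is not None:
            yield from match_body(rest, facts, b)


def substitute(pattern, bindings):
    return tuple(bindings.get(t, t) if is_var(t) else t for t in pattern)


def forward_chain(facts, rules):
    """Apply rules until no new fact is derived (fixpoint).

    Monotonic: facts are only ever added, so rule order does not matter.
    """
    facts = set(facts)
    while True:
        new = set()
        for rule in rules:
            for b in match_body(rule.body, facts):
                derived = substitute(rule.head, b)
                if derived not in facts:
                    new.add(derived)
        if not new:
            return facts
        facts |= new


def triage(facts, rules):
    """Route each alert.  The 'not a false positive' test is a negation, so it
    is applied only after the fixpoint, when every derivable fact is present."""
    closed = forward_chain(facts, rules)
    alerts = {s for s, p, o in closed if p == "type"}
    decisions = {}
    for a in sorted(alerts):
        props = {(p, o) for s, p, o in closed if s == a}
        if ("disposition", "false_positive") in props:
            decisions[a] = "suppress"
        elif ("severity", "high") in props:
            decisions[a] = "escalate"
        else:
            decisions[a] = "log"
    return decisions


if __name__ == "__main__":
    for alert, decision in triage(KNOWLEDGE_BASE, RULES).items():
        print(alert, "->", decision)
```

Running this suppresses the scan from the authorized scanner, escalates the same scan when it comes from an unknown source against the PII database, and merely logs the scan of a workstation. The point is that nothing in the rules is procedural code; each one is a sentence the analyst would actually say ("a host that holds PII is critical"), and the reasoner does the chaining.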
What do YOU think?