Bad Guys Don't Do Normal Things - Part 2

Any cybersecurity analyst will tell you that there is a huge need to reduce the number of false positive alerts they receive every day. In the first part of this blog series we described an Incident Response (IR) team that, instead of focusing on true threats, was all too often running down "suspect ping" alerts caused by harmless software updates.

We discussed using ontologies to model alert data in graph form. By putting the original alert data into graph form and using a description logic reasoner, Dark Light™ is able to apply expert knowledge to make inferences. In the case of the "suspect ping" problem, we use knowledge about related processes to reason whether the alerts should be ignored or classified as truly "suspect".

High-Impact Strategies to Automating SecOps

Cyber Security Automation: Where to Start

The short and quick answer is: you start with the most impactful tasks. These are the tasks that will bring the highest value and return on your investment in the shortest period of time.

When automating Security Operations Center (SOC) tasks in an effort to deal with high volumes of appliance events and alerts, you'll likely find that analysts have already tightened the criteria for what triggers an alert to be sent to them. This ensures the analyst receives only the highest priority alerts.

Your Top Cybersecurity Analyst Just Quit.  Now what?

I've had the pleasure of working alongside some really smart and talented cybersecurity analysts. In this environment where there is a severe shortage of such people, they are frequently getting calls from headhunters who would like to recruit them into a much better paid position. I've seen more than one finally succumb to the "greener grass" on the other side of the fence.

Companies are experiencing this "brain drain" right now, and there is a lot more to come. They're losing knowledge and experience that takes years for a really good analyst to acquire. Sadly, it is the kind of knowledge and experience that can only be learned within the enterprise they protect. Knowledge in three key areas is required to be one of the best: 1) network security, 2) threat intelligence, and 3) perhaps the most important, contextual knowledge of the enterprise itself.

Representing and Applying the Wisdom of Cyber Analysts

In the previous blog post I let it be known that the cybersecurity analyst is the fundamental answer to many of today's problems. These analysts have been fighting the good fight. They've won some battles and lost some battles. They carry their experiences forward to apply to the next round. My point is that their experience and knowledge are incredibly valuable.

Here is a problem for us to consider: the number of cyber-criminals is increasing, and the number of cyber analysts isn't keeping up; there is a huge shortfall in our protection from criminals and terrorists. How are we to balance this equation? Educational institutions are scrambling to meet the challenge. Government is sponsoring programs such as Cybercorps to help by providing stipends and tuition to potential cybersecurity analysts. But it is technical and challenging subject matter that takes time to learn.

The answer is that we have to apply more cybersecurity wisdom than the bad guys can apply cyber-malice. Given that the growth in the number of security good guys is outpaced by the number of bad guys, we have to automate the actions of the good guys. How do you automate wisdom?
