Balancing Human and Machine Input in Information Security

Last updated at Thu, 11 Jan 2018 14:53:12 GMT

Humans have feared the takeover of machines since the early days of the personal computer. But if anything, machines (namely, security tools) have made us more powerful, more effective, and more connected. While they eliminate many manual, human tasks, this can actually be a good thing.

An article published by Deloitte explains it this way, “Machines will take on more repetitive and laborious tasks, but seem no closer to eliminating the need for human labor than at any time in the last 150 years.”

Security is one industry that stands to gain a lot by leveraging machines for automation. With more endpoints and threat vectors to contend with than ever before, even the largest and most well-equipped security teams can fall behind without the help of automated technology. In fact, our industry can benefit a great deal by bringing in security automation to take on certain tasks, while leaving the strategic work to your people.

In this post, we’ll take a look at what tasks are better suited for machines, which are better left to humans, and where they intersect to work better together.

Tasks Better Suited for Machines

Security talent is in high demand today, so there’s no reason to fear robots taking over your job anytime soon. In fact, some sources report that technology may actually cause more job growth and the evolution of new job categories. That’s because machines aren’t designed to take over entire jobs, but rather tasks. This opens up opportunities for humans to specialize in more intricate and strategic functions once freed up from routine, manual tasks.

There are three factors that, in our view, indicate a task is better left to the machines. The tasks must be:

• Routine (they need to be done on a very regular basis)
• Tedious (involving a very specific set of actions that need to get done)
• Time-intensive (they leave little to no room for higher-value and more strategic work)

Security tasks that are prime for machine automation include:

• IP lookups
• Log retrievals
• Domain queries
• Detonating malware files
• Alert escalations
• User provisioning and deprovisioning
• And many more

We explain several of these in more depth in this post.

Companies who have their security teams focused on these tasks day-in and day-out risk losing talent, but can you really blame them for leaving? These tasks don’t do much in the way of keeping your hard-earned security talent happy and engaged on the job.

As we explained above, automation can take on many, if not all, of these tasks, giving your team time to focus on more interesting and engaging work that leverages their unique skillsets. That can mean happier employees and less turnover, which can help protect your business from the wrath of today’s security talent gap.

Tasks Better Suited for People

Not all tasks are better left to the machines, and as a security pro, that should come as a big relief. Machines are good at following a set of instructions and don’t tire from repetitive work or come down with a case of alert fatigue. But they’re not so great at thinking critically, making decisions, or being strategic. This is where your team comes in. While technology can handle tasks like alert investigations for you, human input is often still required when it comes to the analysis portion.

Let’s say you start to receive a string of random account compromise alerts. Your security tools will be able to tell you that passwords are getting reset, which users it’s happening to, and at what interval, but getting down to the “why” may require critical thinking and deeper forensics. Is this a brute-force attack, or did the user truly forget their password?

Armed with data from your security tools, you can look for more complex clues in the logs, talk to users directly, and consider other factors that may not be apparent in the log data. This applies to just about any complex security issue where you need to look beyond the data to make an informed decision.

Machines also cannot develop high-level strategies, implement lessons learned from an incident, or conduct employee training. These are all prime examples of when your team’s expertise is key.

Machines + Humans: Better, Together

Especially when it comes to security, you can’t have one without the other. For organizations dealing with hundreds or thousands of alerts per day, it’s not realistic to think you can just hire more people or ignore some alerts in order to get by.

You need machines to take on the tedious and routine tasks so that your team can focus deeper investigations and analysis. Ultimately, for security to work, humans need machines, and machines need humans.

One good example of why machines and humans need to work together comes in the form of supervised machine learning. You’ve probably heard lots of talk about machine learning, and in some ways the hype has eclipsed the reality of this technology.

To make it both more powerful and more accurate, supervised machine learning is when humans teach machines good patterns. Once the machines understand what the humans want, they can more clearly interpret data, produce analysis, and generally assist with tasks. This works especially well for threat intelligence, data correlation, and incident response.

That said, in order for any type of machine learning, including supervised, to work well, security tools must be tightly integrated so that computers can collect useful data for your team to then use when responding to threats.

Ready to bring in the machines and level-up your entire security team? Get our guide on Security Automation Best Practices, which includes a checklist on determining if a process is best for a human or a machine.