CyberWire Daily - State of security automation. [CSO Perspectives]
Episode Date: November 4, 2024
Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, turns over hosting duties to William MacMillan, the Chief Product Officer at Andesite, to discuss the Cybersecurity First Principle of automation: current state and what happens now with AI as it applies to SOC Operations. For a complete reading list and even more information, check out Rick’s more detailed essay on the topic.
Check out Rick's 3-part election mini-series:
Part 1: Election Propaganda Part 1: How Does Election Propaganda Work? In this episode, Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, discusses personal defensive measures that every citizen can take, regardless of political philosophy, to resist the influence of propaganda. This foundational episode is essential for understanding how to navigate the complex landscape of election messaging.
Part 2: Election Propaganda: Part 2: Modern propaganda efforts. In preparation for the US 2024 Presidential Election, Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, discusses recent international propaganda efforts in the form of nation state interference and influence operations as well as domestic campaigns designed to split the target country into opposing camps. Guests include Nina Jankowicz, Co-Founder and CEO of The American Sunlight Project, and Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber.
Part 3: Election Propaganda: Part 3: Efforts to reduce the impact of future elections. Thinking past the US 2024 Presidential Election, in part three of the series, Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, discusses reducing the impact of propaganda in future elections with Perry Carpenter, Chief Human Risk Management Strategist at KnowBe4 and host of the 8th Layer Insights Podcast, Nina Jankowicz, Co-Founder and CEO of The American Sunlight Project, and Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber.
References:
Bob Violino, 2022. 7 top challenges of security tool integration [Analysis]. CSO Online.
Bruce Japsen, 2024. UnitedHealth Group Cyberattack Costs To Hit $2.3 Billion This Year [News]. Forbes.
Clay Chun, 2019. John Boyd and the “OODA” Loop (Great Strategists) [Explainer]. War Room - U.S. Army War College.
Michael Cobb, 2023. The history, evolution and current state of SIEM [Explainer]. TechTarget.
Rick Howard, 2022. History of Infosec: a primer [Podcast and Essay]. The CyberWire - CSO Perspectives.
Rick Howard, 2020. Security operations centers: a first principle idea [Podcast and Essay]. The CyberWire.
Rick Howard, 2020. SOAR – a first principle idea [Podcast and Essay]. The CyberWire - CSO Perspectives.
Rick Howard, 2021. XDR: from the Rick the Toolman Series [Podcast and Essay]. The CyberWire - CSO Perspectives.
Robert Lemos, 2024. SOAR Is Dead, Long Live SOAR [Analysis]. Dark Reading.
Timbuk 3, 1986. The Future’s So Bright, I Gotta Wear Shades [Song]. Genius.
Timbuk3VEVO, 2009. Timbuk 3 - The Future’s So Bright [Music Video]. YouTube.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code
N2K at checkout. That's joindeleteme.com slash N2K, code N2K.
Hey, everybody.
Welcome back to Season 15 of the CSO Perspectives podcast.
This is Episode 7, where we turn the microphone over to some of our regulars
who visit us here at the N2K Cyber Wire hash table.
You all know that I have a stable of friends and colleagues who graciously come on the show to provide us some clarity about the issues we are trying to understand.
At least that's the official reason we have them on the show.
In truth, though, I bring them on to hip check me back into reality when I go on some of my more crazier rants.
We've been doing it that way for almost four years now.
And it occurred to me that these regular visitors to the hash table were some of the smartest and well-respected thought leaders in the business.
And in a podcast called CSO Perspectives, wouldn't it be interesting and thought-provoking to turn the mic over to them for an entire show to see what's on their mind? We might call the show Other CSO Perspectives.
So that's what we did. Over the break, the interns have been helping these hash table contributors
get their thoughts together for an entire episode for this podcast. So hold on to your butts.
Hold on to your butts. This should be fun.
My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum studios,
located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A.
And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with
on a daily basis.
I met William MacMillan on the eve of him leaving the federal workforce as the Central Intelligence
Agency's, the CIA's, CISO back in 2022. He's a former Air Force Special Operations helicopter
pilot, and today he's the chief product officer of a company called Andesite that specializes
in effective decision-making, especially in SOC environments. In this episode, he evaluates the
current state of SOC automation tools and has some ideas about how AI can increase the
efficiency of the SOC OODA loop, not by replacing SOC analysts, but by enhancing them. Here's William.
In a 2020 episode of the CSO Perspectives podcast, Rick cited German historian Friedrich
Clem's research that the idea of operation centers goes back as far as 5000 BC. I think that's
incredible. For as long as humans have needed to coordinate complex actions and make decisions as
teams, we've needed operation centers. You should give the episode a listen. We'll link to it in the
show notes. In that episode, Rick gives a fascinating tour de horizon, from NASA's mission control managing the Apollo 13 crisis to intelligence community ops centers briefing presidents during the Cold War.
Ops centers have been crucial to handling our most critical challenges.
Then by the late 1980s and early 90s, this need for coordinated analysis and action extended into cyberspace.
As cybersecurity operations grew more complex,
organizations in both the government and commercial spaces started standing up Computer Emergency Response Teams, or CERTs.
So if we fast forward to the early 2000s,
cybersecurity operations centers, SOCs for short,
had become standard practice for enterprises of
any size defending against an unprecedented explosion of cyber threats. Today, SOCs are
as diverse as the organizations they protect. We've got large enterprise SOCs like those in
financial institutions and government agencies that typically have specialized teams in-house handling everything
from threat intelligence to incident response. We have smaller operations, so say like a solo
analyst or a skeleton crew juggling every aspect of security with the help of outsourced expertise
through managed security service providers. In between, we find these hybrid SOCs that combine in-house talent with
outsourced expertise. But whatever the size or whether their analysts work from the same room
or are spread across the globe in a follow-the-sun model, all SOCs share the same mission,
protecting their organizations from cyber threats that could cause material impact.
Anybody working in cybersecurity can tell you the challenges facing SOCs today couldn't be higher. We're talking about cyber attacks
projected to cause $10.5 trillion in damages by next year. I mean, just look at the recent
UnitedHealthcare Group ransomware attack earlier this year. The financial impact
from that one attack alone is north of $2 billion and climbing. The industry's response historically
has been to pour money into more sophisticated tools, procure more threat intelligence streams,
build platforms that automate security work. But here's where I find the irony. All these well-intentioned solutions
have actually made life in the SOC more difficult. Analysts are now drowning in an
everywhere data environment, struggling to interpret and prioritize never-ending indicators
as close as possible to the speed of threat. Forget finding needles in haystacks. Nowadays,
we're asking analysts to find specific
needles among stacks of needles, but these stacks are spread across countless disconnected data
islands. Some organizations are now running more than a hundred different security tools,
which forces analysts to bounce between screens and portals, each with its own query language,
trying to piece together a cohesive investigative
narrative. Meanwhile, SOC leaders face mounting pressure to deliver on metrics like mean time
to resolution and to prove return on investment or ROI for their growing security budgets.
But I think these metrics often miss the real threat landscape their teams are facing.
So why have these solutions failed to tame the cyber chaos?
In my opinion, our industry has a blind spot.
We've focused so much on software and hardware that are the real engine of modern-day security operations.
Let me give you an example.
It's 5 p.m. on a Friday, because when else would it happen, right?
And a threat intelligence report, let's say from a government agency like CISA,
or maybe a vendor, or even an internal intel team,
lands in an analyst's inbox. The CISO, of course, needs to brief the board on Monday morning.
Well, that analyst is now looking at canceled weekend plans and more time away from family.
Just another brick in the wall of cyber burnout, the human toll of all the cyber chaos that we've unfortunately
internalized as an industry over the past 20 years. Even with the shiniest technology and
all the data feeds in the world, SOCs are overworked, understaffed, unable to retain
their best and brightest. As a former Air Force officer, I like to use something called the OODA loop to describe SOC workflows.
It stands for Observe, Orient, Decide, and Act.
It's a decision-making model developed by Colonel John Boyd in the 1950s.
I'm by no means the first to apply this term to cybersecurity,
but I think the OODA loop is crucial for understanding how we can use technology and automation to help our analysts instead of overwhelming them. The thing I'm really interested in is how the industry has
attempted to use automation in the past to improve the efficiency of the SOC OODA loop.
If we understand that, then to get this right in the future, I think we can use emerging
technologies like AI, not to add additional toil to human analysts, but to meet them where they already are.
We can amplify their capabilities and not only make their jobs more effective, but actually enjoyable again.
Before we dive deeper into the future, let's take a quick journey through the evolution of security operations automation.
I think it's a story that unfolds in three major chapters over the past two decades.
The SIEM, SOAR, and XDR.
Picture the early days of security operations.
Analysts were basically digital detectives with barely any tools, just their wits and determination.
They'd actually review system logs by hand,
something that sounds almost unthinkable today.
When something suspicious popped up, they'd be reactive,
conducting painstaking manual investigations to track down and stop intrusions.
Then came the first game-changer in the early 2000s,
the Security Information and Event
Management System, or SIEM.
Think of it as the first real command center for security teams, a central hub that could
pull in and aggregate data from all sorts of security tools.
Great idea, right?
Well, yes and no.
As more data poured in, analysts found themselves spending less time investigating threats and
more time managing false positives, and trying to find the signal in the noise.
Not to mention, all that data storage started costing organizations a fortune.
I'm pretty sure if you put 100 CISOs in a room nowadays, you'd get approximately 100 complaints about the costs associated with their SIEMs.
By the mid-2000s, we saw the rise of SOAR,
Security Orchestration Automation and Response. SOAR tried to capture human-style reasoning in
playbooks to automate repetitive tasks. When implemented well, it really did free up analysts
for more strategic thinking, but these playbooks turned out to be brittle. They needed constant attention from
highly skilled personnel to keep up with rapidly evolving threats and changing enterprise
environments. Both the enterprise environment and attacker techniques are rapidly moving targets,
which makes it pretty tough for playbooks that only use simple reasoning rules and what I call
if-this-then-that automation to keep up.
These limitations were so significant that by 2024, people have started talking about the death of SOAR and the need for something better.
That brings us to XDR, Extended Detection and Response, which I see as the bridge to our post-SOAR future.
Instead of just pooling more data like SIEMs do, XDR connects directly into security tools in real-time via APIs,
looking for threat patterns across endpoints and networks that might be missed when viewing data sources in isolation.
On the surface, this seems like a faster, more sustainable approach
that at the very least gets CISOs out from under the burden of growing SIEM storage costs.
Along this journey, we also saw the rise of
threat intelligence platforms. These platforms promised to make analysts smarter and faster by
connecting security tools to contextual data and threat intel feeds. The idea was solid.
Automatically enrich security alerts with additional context to help analysts make
better decisions more quickly. But in practice, it often created
yet another data deluge. Instead of making analysts' lives easier, many found themselves
drowning in a sea of alerts and intelligence feeds, struggling to separate the truly important
signals from the noise. You know what's fascinating about all these previous attempts at SOC automation?
They all shared a fundamental flaw.
They tried to structure something that's inherently unstructured.
SIEMs tried to centralize all your logs, but couldn't handle the scale of big data.
They eventually split off into data aggregation and case management tools.
SOAR platforms attempted to automate analysis and reasoning processes that really needed human judgment.
It's like trying to create a rigid playbook for a game where the rules keep changing.
But now, we're on the cusp of something truly revolutionary with the introduction of artificial intelligence into the SOC.
For the first time in human history, we have systems that can reason over unstructured data and draw semantic meaning
without explicit programming. What all that means is that these systems can make connections between
words and concepts in ways that feel almost human. It's a dramatic shift from traditional
technology that required everything to be neatly structured and categorized.
Let me paint a picture of what this might look like.
Imagine an AI system that notices an emerging threat and proactively suggests updates to your detection rules,
even maybe drafting changes and simply asking your analyst
to click to approve and deploy.
Or picture a junior analyst getting stuck during an investigation,
and the AI steps in to suggest strategies that experienced threat hunters typically use in
similar situations. Think about a high-priority alert or a report coming in, and an AI-powered
system investigating it at machine speed, serving up a comprehensive assessment with suggested
actions ready for your review.
Or to return to our poor analyst facing down another missed anniversary dinner due to a
late-breaking threat report on a Friday. Instead of leading to yet another canceled plan, an AI
SOC platform could help analyze that report in seconds or minutes and help the analyst decide
if action could maybe wait until Monday.
This isn't science fiction. The building blocks are already here. Recent advances in generative AI and reinforcement learning have fundamentally changed how humans can interact with data.
In the SOC context, we can now wrap technology around our analysts to radically accelerate
their decision-making process.
Remember that OODA loop I mentioned earlier?
Observe, orient, decide, and act?
With AI-powered automation, this decision-making process is about to get mind-bogglingly fast and chock-full of context.
The key difference from previous automation attempts is that with AI, we're not just
trying to replace human reasoning,
we're amplifying it. Instead of if-this-then-that automation, we're moving toward true human-AI
collaboration and expert reasoning systems. This is the golden era of SOC automation we've
been waiting for, where technology can finally help analysts achieve better outcomes faster,
regardless of their
experience level. The potential for security operations is tremendous, but there is also a
risk of going too far, of seeking to use AI to make decisions or to replace humans.
The solution, I think, is a happy medium, a bionic coexistence that combines the capabilities of humans and
technology. The successful marriage between humans and machines has to involve each side
playing to its strengths. This is where we need to have a thoughtful conversation as a community
about automation and AI in security operations. It's not about replacing humans, it's about empowering them.
Think of it like incorporating an autopilot into an aircraft's cockpit. We don't want end-to-end
automation that takes humans out of the cockpit. In the SOC, we need to build better cockpits that
give analysts the controls and context they need to make better decisions, not end-to-end automation.
As we ride this wave of AI innovation,
we need to be thoughtful about how we implement it in the diverse SOC environments I discussed
earlier. No black box AI making decisions we can't understand. No automated remediation that
exceeds an organization's risk tolerance. These platforms need to adapt to the specific needs and
constraints of different industries and organizations. The goal shouldn't be to automate everything. The goal should be to
automate the right things in the right way, always keeping the human analyst in the decision-making
loop. Overall, I think there are four parameters that will be required for an AI-powered automation
platform to be truly transformative and also broadly accepted by security teams.
Number one, human-AI collaboration has to be at the center of the workflow.
Any automation or AI we introduce should excel.
And that's our show.
Well, you know, part of it.
There's actually a whole lot more, and it's all pretty great, if I say so myself.
So here's the deal.
We need your help so we can keep producing the insights that make you smarter
and keep you a step ahead in the rapidly changing world of cybersecurity.
If you want the full show, head on over to thecyberwire.com slash pro
and sign up for an account.
That's thecyberwire, all one word,
dot com slash pro. For less than a dollar a day, you can help us keep the lights and the mics on
and the insights flowing. Plus, you get a whole bunch of other great stuff like ad-free podcasts,
my favorite, exclusive content, newsletters, and personal level-up resources like practice tests.
With N2K Pro, you get to help me and our team put food on the table for our families,
and you also get to be smarter and more informed than any of your friends.
I'd say that's a win-win.
So head on over to thecyberwire.com slash pro and sign up today for less than a dollar a day.
Now, if that's more than you can muster,
that's totally fine. Shoot an email to pro at n2k.com and we'll figure something out.
I'd love to see you over here at N2K Pro. One last thing, here at N2K, we have a wonderful
team of talented people doing insanely great things to make me and the show sound good.
And I think it's only appropriate you know who they are.
I'm Liz Stokes. I'm N2K's CyberWire's Associate Producer.
I'm Trey Hester, Audio Editor and Sound Engineer.
I'm Elliot Peltzman, Executive Director of Sound and Vision.
I'm Jennifer Iben, Executive Producer.
I'm Brandon Karf, Executive Editor.
I'm Simone Petrella, the president of N2K.
I'm Peter Kilby, the CEO and publisher at N2K.
And I'm Rick Howard. Thanks for your support, everybody.
Thanks for listening. Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.