Sergey Nivens - Fotolia

Human-machine teaming key to cyber defence, says Intel Security

Intel Security is working with a select group of customers on developing systems to enable human-machine teaming to get the best of both worlds in applying cyber threat intelligence

Intel Security, soon to be spun off as an independent company under the McAfee banner, is working to enable human-machine teaming as a key element of future cyber security defence capabilities.

This approach is aimed at combining human strategic intellect and investigative methods with technical capabilities to deal with security intelligence data at scale, and highlight the issues of greatest importance.

Company infrastructure is changing in ways that are unimaginable today, according to Chris Young, Intel Security general manager and future chief executive of the new company.

“This is why we are charting a course from integrated to automated, to ultimately orchestrated solutions that are about multiple systems. Aiming for multiple automated use case workflows that flex and expand with the infrastructures that we all are evolving to,” he told Intel Security’s Focus 2016 conference in Las Vegas.

As part of this, Young said the company is working to equip customers with better analytics to enable human-machine teaming, which he said is vital in the face of attacks such as the internet of things (IoT) botnet-enabled distributed denial of service (DDoS) attack on DNS services provider Dyn in October 2016.

“The attack on Dyn is a perfect example of the large scale of attacks we are going to increasingly face,” he said. “We need machines to deal with the volume of risks that we’ve got out there so we can actually put our human intelligence on finding the hidden threats we really care about.”

Human-machine teaming is going to become critical in any cyber security operation, and the company sees its strategic goal of enabling security technologies to work together as an important way of helping to drive human-machine teaming.

Taking the best of humans and machines

“We are working towards a world where you can get the best of what both humans and machines have to offer for outcomes that will yield security that is as dynamic, resilient and elastic as the cloud infrastructure everyone has,” said Young.

To find out more about human-machine teaming, Computer Weekly caught up with Brian Dye, Intel corporate vice-president and general manager for corporate products at Intel Security. He said it is a theme the company plans to explore further.

“We feel it is essential to the delivery of the next generation of automation, as well as something that is enabled by more analytics,” said Dye. “The more analytics, the more automation, and the more automation, the more analytics.”

Intel Security is working on achieving an evolution from integration of products, to automation of workflows, and eventually to orchestration, where security products work together to achieve a better state of security than any one product can achieve on its own.

“Human-machine teaming is about creating an expert system that incorporates the knowledge – in this case from an advanced incident responder – and allows us to either find more than an incident responder could, or indeed the same things radically faster,” he said.

Read more about security analytics

The need for this capability is being driven by a combination of the rapid growth in the number of threats facing enterprises and a shortage of people with cyber security skills.

“We need to address this skills shortage with more automation to eliminate manual effort, attracting more people, better education and training; simpler user interfaces to enable more junior IT people to get involved in security; and then at the high end, this human-machine teaming is about enabling the expert to do even more,” said Dye.

On the technology side, he said the human-machine teaming initiative is being driven by a need to do more than what traditional security information event management systems (Siems) can do, because they act on the known.

“A security event comes in. We correlate it, and then we drive actions off of that,” he said. “But they are not very well designed to act on the unknown. We saw a technical need to act on the unknown.

“From a business standpoint, we increased our focus on the user experience as a team, and watched what the security operations centre (SOC) analysts were doing,” said Dye. “We saw how difficult it was for them to do their job, so we starting thinking about how human-machine teaming could help.”

The next step in automation

In the light of the significant investments many organisations are making in their SOCs, he said human-machine teaming will help drive better returns by enabling SOC team members, both seniors and juniors alike, to do more, because it is the next step in automation.

“We foresee human-machine teaming as another capability that a SOC can use,” he said. “We are not saying that Siems are not important. They absolutely are. They take a large chunk of the types of events and log aggregation that needs to be logged. What we want to add is a new type of high-level incident response technology that organisations are looking for as their SOCs mature.”

In addition, human-machine teaming is part of Intel Security’s efforts to focus on higher-level outcomes, which organisations typically struggle to measure in an effort to show real, systematic improvement in their security capability, and map that to their real risks.

“Human-machine teaming is about enabling the expert to do even more”
Brian Dye, Intel

“We as an industry have tended to talk about ‘new threat, new widget’,” he said. “As a result, everything in the industry is geared towards metrics and outcomes at a widget level, which means the CISO has a large span to leap from the widget to what their board of directors care about. With our new focus on outcomes, we are not just delivering technology, we are helping the market learn the metrics they should be tracking.”

Asked how human-machine teaming would work in practice, Dye said a good example would be when a level-one SOC analyst responds to an event and identifies what issues can and cannot be resolved immediately.

“The issues that typically cannot be resolved immediately are the events that are part of a broader attack, but in future, a number of these events could be referred to a human-machine teaming system,” he said. “This would take the events from the Siem, as well as insight from elsewhere in the organisation, to enable the level-two or level-three SOC analyst to carry out an attack-level investigation.”

Making the team more effective

Intel Security is going after this kind of human-machine teaming capability as a joint development effort between key customers and the company’s Foundstone high-end incident response professional services team, which is aimed at finding ways to make the team more effective.

“This is a co-development project that involves very tight engagement with a handful of customer organisations and their SOCs to see what we can find,” said Dye. “If we can find more than they can, or find things faster than they can, we know what we are developing is working. This is not a tool for the CISO. This is a tool for the responder that will bring together data from multiple sources, such as the Siem, and various investigative tools running in the live environment. This will help them understand and address an attack.”

Intel Security expects to start bringing the results of this co-development effort, code-named Copperfield, to market in the first half of 2017.

The company views this human-machine technology as market defining. “There is nothing else like this right now,” said Dye.

He said that as Intel Security carries out more analytics in the form of human-machine teaming, it would enable increased automation in the future. “We will drive more automation to a point of accepting more analytics, which is how I think the industry focus on security operations will evolve,” he said.

“Today we are overwhelmed with data and starved of analysis. We need the pendulum to swing back and provide more analysis in order to consume the data we have. As our analysis capabilities improve, we as an industry can afford to go back and generate more data.”

Read more on Hackers and cybercrime prevention