The "Imitation Game" - The Need for Human Intelligence in Threat Operations

“What if only a machine could defeat another machine?”

This is the question Alan Turing (played by Benedict Cumberbatch) asks in the film The Imitation Game. He and his team were charged with decrypting the messages produced by Nazi Germany’s Enigma machine. Turing realized they needed a machine to work through the vast number of possible settings within a 24-hour period, before the daily key changed. However, the machine kept failing because it still could not search the settings fast enough. After months of trying without success, it was not the machine that broke the code; it was human intelligence that produced the breakthrough.

In the end, the machine helped to do things faster, but it took human intelligence to figure out how to solve the puzzle. Realizing that the daily 6:00 a.m. weather report always included the same key letters, they were able to set the machine to find and decrypt the message every morning. This focus, coupled with the machine’s ability to automate the permutations, allowed it to crack the code daily. Humans were behind the creation of the coded messages and, ultimately, humans and human intelligence were behind how the messages were decrypted.

There are a lot of parallels between the challenges in The Imitation Game and the challenges of modern cybersecurity. In both cases, there is a need for intelligence, understanding and speed; humans are behind the threats and ultimately behind the defenses; and defenders need to understand adversaries and use human intelligence to help “crack the code.” But defenders will not be able to do it alone, at least not fast enough. They need machines and automation as well. Likewise, machines cannot operate successfully in a vacuum; they need human intelligence. In the end, delivering the right intelligence to the right tools at the right time requires the right combination of automation and human intelligence.

I talked before about the five steps to create a threat operations program. Automation plays a significant role in many of these steps. For example, it is essential for aggregating the millions of threat-focused data points that analysts are bombarded with every day and translating them all into a uniform format. Automation also makes it possible to correlate all that external threat data with internal data, so you gain the context to understand the who, what, where, when, why and how of an attack. When context is correctly applied, you can begin to build an intelligence profile that describes your adversaries, their campaign methods, the indicators of their actions, and the events that occur. But what does this information mean for your particular organization?

Not all threat intelligence is created equal. To take meaningful action, you need to score and prioritize threat intelligence to reduce the noise in this massive volume of contextualized threat data and allow proper focus and decision making. But prioritizing effectively, so that what remains is actually relevant to you, requires humans. After all, who understands your environment better than you? Only you know your organization’s infrastructure, including hardware, software, systems and storage; where sensitive digital assets are located; how mission-critical systems are protected; and how access is managed. Relying on published, universal risk scores will just generate noise and cause you to waste time and resources chasing ghosts. Humans need to control prioritization, applying their own knowledge of what is right for their environment and organization.

Now that you have the right intelligence, you need to get it to the right tools at the right time. Using automation, you can apply this custom, prioritized subset of threat data to your existing case management or SIEM solution to detect malicious activity more efficiently and effectively. You can also keep the policies and rules you create up to date by automatically sending intelligence to your sensor grid (firewalls, IPS/IDS, web and email security, endpoint, etc.) to respond to attacks more quickly and to anticipate and prevent future ones.

The strength of combining automation and human expertise doesn’t stop here. As you automatically update data and context and incorporate learnings from your security team, you can recalculate and reevaluate priorities on an ongoing basis to keep up with a changing threat landscape. Humans can get a better understanding of the adversaries and their “machines” and automate tasks to move faster. This continuous threat assessment ensures you stay focused on what is relevant to mitigate your organization’s risk.
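The loop described in the preceding paragraphs (normalize feeds into one format, correlate with internal data, score and prioritize against organization-specific context rather than a universal score, push the prioritized subset to the SIEM and sensors, then recalculate as analysts learn) can be made concrete in a few dozen lines. The code below is an added illustration and is not the column's or ThreatQuotient's own code. The two feed formats, the indicators, the internal sighting data, the `OrgContext` weights and the `type:indicator:priority` watchlist format are all constructed for the example and do not correspond to any real product or feed.

```python
"""Added example (not the column's own code): a minimal threat-intel
prioritization loop. Feed formats, org context values, sample indicators
and the watchlist line format are all constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample feeds in two different native formats (the aggregation problem).
FEED_A = [  # vendor-style format: ioc / kind / score / labels
    {"ioc": "203.0.113.10", "kind": "ip", "score": 90, "labels": ["c2", "windows"]},
    {"ioc": "login-example.test", "kind": "domain", "score": 40, "labels": ["phishing", "finance"]},
]
FEED_B = [  # sharing-community style format: value / type / confidence / tags
    {"value": "198.51.100.7", "type": "ipv4", "confidence": 85, "tags": ["scanner"]},
    {"value": "a" * 64, "type": "sha256", "confidence": 40, "tags": ["linux", "cryptominer"]},
]

# Constructed internal telemetry: which of our own sensors have already seen an indicator.
INTERNAL_SIGHTINGS = {"203.0.113.10": ["fw-edge-01"], "login-example.test": ["proxy-02", "mail-gw"]}


def normalize(feed_a, feed_b):
    """Translate both feeds into one uniform record shape."""
    records = [{"indicator": r["ioc"], "type": {"ip": "ipv4"}.get(r["kind"], r["kind"]),
                "source": "vendor_a", "published_score": r["score"], "tags": r["labels"]}
               for r in feed_a]
    records += [{"indicator": r["value"], "type": r["type"], "source": "isac",
                 "published_score": r["confidence"], "tags": r["tags"]}
                for r in feed_b]
    return records


@dataclass
class OrgContext:
    """Human-supplied knowledge of the environment that no published score carries."""
    source_confidence: Dict[str, float]          # analyst trust per feed, 0..1
    relevant_tags: Dict[str, float]              # boost for tags matching our stack or business
    irrelevant_tags: List[str]                   # tags that cannot apply here (e.g. an OS we do not run)
    sighting_bonus: float = 15.0                 # added per internal sensor that has seen the indicator
    suppressed: Set[str] = field(default_factory=set)  # analyst-confirmed false positives


def score(record, ctx: OrgContext, sightings=INTERNAL_SIGHTINGS) -> float:
    """Environment-specific priority (0..100) built from the published score plus org context."""
    if record["indicator"] in ctx.suppressed:
        return 0.0
    if any(t in ctx.irrelevant_tags for t in record["tags"]):
        return 0.0                               # noise for this org, whatever the feed says
    confidence = ctx.source_confidence.get(record["source"], 0.5)
    boost = max([ctx.relevant_tags.get(t, 1.0) for t in record["tags"]] + [1.0])
    base = record["published_score"] * confidence * boost
    seen = len(sightings.get(record["indicator"], []))   # correlation with internal data
    return min(100.0, base + ctx.sighting_bonus * seen)


def prioritize(records, ctx: OrgContext, threshold: float = 50.0):
    """Return only the records worth acting on, highest priority first."""
    scored = [(round(score(r, ctx), 1), r) for r in records]
    kept = [dict(r, priority=s) for s, r in scored if s >= threshold]
    return sorted(kept, key=lambda r: -r["priority"])


def to_watchlist(prioritized):
    """Flatten the prioritized subset into lines for a SIEM or sensor watchlist import
    (hypothetical 'type:indicator:priority' format, not any product's real syntax)."""
    return [f"{r['type']}:{r['indicator']}:{r['priority']}" for r in prioritized]


def reevaluate(records, ctx: OrgContext, false_positives):
    """Fold analyst learnings back into the context and recalculate priorities."""
    ctx.suppressed.update(false_positives)
    return prioritize(records, ctx)


if __name__ == "__main__":
    ctx = OrgContext(source_confidence={"vendor_a": 0.9, "isac": 0.6},
                     relevant_tags={"windows": 1.2, "finance": 1.5},
                     irrelevant_tags=["linux"])
    records = normalize(FEED_A, FEED_B)
    for line in to_watchlist(prioritize(records, ctx)):
        print(line)
    # An analyst confirms the scanner IP is benign noise; priorities are recalculated.
    print("after analyst feedback:", to_watchlist(reevaluate(records, ctx, {"198.51.100.7"})))
```

With the constructed context, the Linux cryptominer hash drops out entirely because the organization runs no Linux hosts, the phishing domain outranks the higher-published-score scanner IP because it targets the finance business and has already been seen by two internal sensors, and marking the scanner IP as a false positive removes it from the next watchlist push. The weights themselves are the human part of the loop: nothing in the code knows what matters to a given organization until an analyst fills in `OrgContext`.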

The message came through loud and clear in The Imitation Game: machines and humans need to work together. The same is true for security effectiveness and efficiency. Automating a subset of the steps in the intelligence lifecycle helps the process and the people to scale. But humans have to remain in the loop at the right steps and time to effectively strengthen security posture.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.