Machine learning and artificial intelligence seem to be the way forward in cyber security; nearly all new companies and products boast that capability. But one new company, emerging from stealth on Wednesday, is a little different. Most current security systems seek to automate knowledge; this one seeks to automate intelligence — the ‘how’ over and above the ‘what’.
LogicHub announced its arrival with news of an $8.4 million Series A funding round led by Storm Ventures and Nexus Venture Partners. Its purpose is to build a new type of threat detection system based on human security intelligence rather than simply big data analysis. This is based on one primary observation: a top grade human analyst is better at detecting threats than the current generation of threat detection systems.
“We have done what we call cyberhunt challenges with 75 companies,” CEO and co-founder Kumar Saurabh told SecurityWeek. “We provided a volume of data containing a threat, and asked each company if its automated system would find it. In only two out of the 75 challenges did the organization say its systems had more than a 50% chance of doing so. But they also said their in-house expert analyst would find it with 90+% confidence.”
But when he next asked if they could find the threat in two minutes, the response was resounding: it would take more like two hours. “This is what I hear again and again,” he said: “the systems are not clever enough, and the analysts are not fast enough.” His solution is to develop a system that can combine the intelligence of analysts with the speed of machines.
“At the end of the day,” says Saurabh, “experienced cyber analysts are much better at detecting threats and triaging false alarms than the security tools available, but given the magnitude of the challenge, most teams can only inspect a tiny fraction of all security events collected in-depth. To combat this, LogicHub has found a way to capture and automate the knowledge and expertise of the most skilled cyber analysts, which results in much deeper threat detection.”
This is the conundrum that LogicHub has set itself to solve: automating the human expert analyst’s threat hunting process rather than just generating and maintaining more and more rules on recognizing known threat indicators. By capturing expertise into a security intelligence ‘brain’, that expertise can then be used by lower grade analysts in the future. Furthermore, if the expert analyst is tempted away by a higher salary elsewhere, his or her expertise does not entirely leave at the same time.
It requires a different type of architecture, and Saurabh points to Google Search as an example. It is fast, clever, and able to ‘predict’ user requirements. “One of the key things Google did a couple of years ago,” he explained, “was they built a knowledge graph. And that knowledge graph has tens of millions of entities and relationships. They use that knowledge graph to link entities by relationships so that it understands the data it contains.”
In fact, in October 2016, City University of New York professor Jeff Jarvis tweeted, “Google knowledge graph has more than 70 billion facts about people, places, things. + language, image, voice translation.”
“The difference between Knowledge Graph and the security solutions available today is that they don’t understand the data,” said Saurabh. “They do nothing to tell the user how to navigate the data.” It’s like the difference between modern GPS and a road atlas, he continued. “With the atlas, you have the data, but you have to figure out what that data means by yourself.”
In threat analysis, there are very few people who really understand what the data means. “Since that understanding is trapped in their heads, it can only be leveraged in a very limited way. With automation, we can take the expertise that is trapped in their heads and turn it into a system so that what one analyst knows and applies can be shared with ten other people on the security team. Over time you can build a system that is more available as a service, and can be used by hundreds of companies — it becomes a security brain.”
Developing that security brain is what LogicHub is doing. It has an augmentation tool that automates the capture of analyst methods, so that different analytical methods from different analysts can be combined into the intelligence automation tool. “A security analyst with our security intelligence automation platform can become equal to ten analysts. You have to use the augmentation tool to get there; but it has that potential.”
This system will be offered as an on-premises solution for those companies not yet comfortable with the cloud and with sharing data, and as a cloud service that combines and shares analytical expertise with all cloud customers.