As voters prepare to go to the polls in a couple of weeks, it’s crucially important that they have the information needed to make decisions on candidates and propositions. There are a lot of factors that go into casting a ballot. Decisions are made based on personal and often private reasons informed by context and relevance. Recently, making decisions has been made more difficult by an accelerated news cycle and the phenomenon of “fake news.” And in the end, the individual needs to process what is real and what is not, and what is important and what is not, often coming down to going with their gut.
When talking with friends about upcoming elections (dangerous, I know), it struck me that the decision-making process individuals use to vote has some interesting analogies with how security analysts make decisions about what actions to take. Let’s look at these five factors and the role they play in helping security operators detect and respond to attacks and proactively mitigate risk.
1. Context. For voters, context is driven by local, state, national and global issues – considering each individually and in relation to one another. In security operations, you can’t make an informed decision without context, which comes from aggregating and augmenting internal threat and event data with external threat feeds. By correlating events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack.
2. Relevance. Context determines relevance. In the case of voting, relevance is personal, based on situational factors and values. For example, a referendum around education may have less relevance to someone without children and will influence how or even if they vote on that issue. In security operations, context allows you to filter out noise and prioritize based on relevance. But what is relevant to one company may not be to another. With the capability to tailor “global” risk scores provided by vendors based on parameters you set, you can focus decision making and resulting actions on what really matters to your organization.
3. Accelerated news cycle. The world changes rapidly and news cycles move fast. But decisions shouldn’t be based only on the latest information. History is also important and allows us to understand how we arrived where we are and what we can learn from the past. Security teams are bombarded every day by data, alerts and events and can benefit from comparing current information with what has been learned in the past. Compounding the challenge, security organizations are made up of siloed teams and technologies that can’t easily share intelligence and understanding. With a platform that allows you to aggregate and add more data and context over time, as well as capture and share past learnings, you can stay focused on what’s important in a highly dynamic environment and accelerate decision making.
4. Fake news. We all struggle to validate that what we’re hearing, reading and watching is based on fact and, therefore, should be factored into our decisions as a voting populace. Security analysts struggle with their own form of fake news – false positives. Most organizations have more data and alerts than they know what to do with. In fact, much of this is ignored because it’s difficult to discern what’s noise and what’s not, so important information can fall through the cracks. When data is uploaded directly to the SIEM, it generates more noise in the form of false positives, and security operators end up chasing problems that may not exist or do not matter to their organization. However, using context and relevance to prioritize data before applying it to the SIEM allows the SIEM to generate fewer false positives.
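The tailoring of vendor “global” risk scores described in point 2, and the prioritization of feed data before it reaches the SIEM described in point 4, look like this in practice. This is an added example, not code from the original post or any vendor platform; the feed entries, sighting counts, sector and age parameters, and the weights in the scoring function are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample "global" vendor feed (hypothetical indicators and scores, not real IoCs).
EXTERNAL_FEED = [
    {"ioc": "203.0.113.10", "vendor_score": 90, "sectors": ["finance"], "age_days": 2},
    {"ioc": "198.51.100.7", "vendor_score": 85, "sectors": ["healthcare"], "age_days": 200},
    {"ioc": "bad.example", "vendor_score": 40, "sectors": ["finance", "retail"], "age_days": 10},
]

# Constructed internal sightings, as a SIEM or log repository might report them: ioc -> hit count.
INTERNAL_SIGHTINGS = {"203.0.113.10": 3, "bad.example": 12}


@dataclass
class OrgProfile:
    """Parameters the organization sets to tailor vendor scores to its own relevance."""
    sectors: frozenset            # industries this organization belongs to
    max_age_days: int = 90        # indicators older than this are treated as stale history
    sighting_weight: float = 5.0  # boost per internal hit (capped at 10 hits)
    threshold: float = 60.0       # minimum local score to forward to the SIEM


def local_score(indicator: dict, profile: OrgProfile, sightings: dict) -> float:
    """Turn a vendor's global score into an organization-specific one.

    Relevance comes from sector and age; context comes from internal sightings.
    """
    score = float(indicator["vendor_score"])
    # Relevance: an indicator aimed at other sectors matters less here.
    if not (profile.sectors & set(indicator["sectors"])):
        score *= 0.5
    # History: stale indicators lose weight unless something else re-raises them.
    if indicator["age_days"] > profile.max_age_days:
        score *= 0.5
    # Context: evidence from inside the environment outweighs the vendor's view.
    hits = min(sightings.get(indicator["ioc"], 0), 10)
    score += profile.sighting_weight * hits
    return min(score, 100.0)


def prioritize(feed: list, profile: OrgProfile, sightings: dict) -> list:
    """Return (ioc, score) pairs at or above the threshold, highest first."""
    scored = [(i["ioc"], local_score(i, profile, sightings)) for i in feed]
    kept = [(ioc, s) for ioc, s in scored if s >= profile.threshold]
    return sorted(kept, key=lambda pair: pair[1], reverse=True)


ORG = OrgProfile(sectors=frozenset({"finance"}))

if __name__ == "__main__":
    for ioc, score in prioritize(EXTERNAL_FEED, ORG, INTERNAL_SIGHTINGS):
        print(f"{ioc}: {score}")
```

With these parameters the vendor's 85-point healthcare indicator is held back from the SIEM, while the 40-point domain seen twelve times internally is promoted to 90, which is the reordering that context and relevance are meant to produce.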
5. The human element. There are numerous studies that find that despite all the information available to voters, many go with their gut once in the voting booth because something “doesn’t feel right.” This is what I call the human element. Machines can’t tell you everything. You need to combine those insights with human intelligence, intuition and experience to make sense of what the machine is telling you and make informed decisions. A recent blog by Gartner reaffirms this by stating, “…we are not asking artificial intelligence (AI) to take a decision. We are asking or employing AI and machine learning to discover insights…humans will then decide how to employ these insights.”
Whether you’re voting or making an IT security decision, you need decision support. As a voter it’s up to you to do that legwork. Fortunately for security operations there are tools that can help. To date, the focus has been on reducing the volume and velocity of security alerts and threat data that analysts tackle daily. But this is only one aspect of decision support. You also need capabilities that provide additional context and understanding to determine relevance, so you can focus and make informed decisions about the appropriate actions to take.