Automating Analysis Without Automating the Analyst

Presented at BSidesDC 2019, Oct. 26, 2019, 11:30 a.m. (50 minutes)

Despite applying more automation than ever before to detection and response operations, organizations continue to be challenged by relatively unsophisticated attacks. Reliable detection requires time-consuming analysis and a level of data aggregation and correlation that is at best an art, and at worst cost-prohibitive. Meanwhile, attackers remain agile and inventive, continually (and rapidly) changing their infrastructure and approach with minimal costs and maximum benefit.

While there are some things computers do far better than humans – rote, repetitive tasks and complex calculations – we will always be masters of analysis given our ability for complex thought, decision-making, and visual learning. With the introduction of security automation and orchestration to the defensive tool set, blue teams can now automate some of their investigative playbooks and save precious cycles. Unfortunately, this capability often drives automation for its own sake and expands already monolithic tool sets, rather than actually empowering our humans. Simply doing analysis faster is only a small part of the solution.

How can we reframe this problem to alter the calculus of attack and defense? Automation for the sake of doing so is a common trap that can actually degrade our capabilities and waste defensive cycles. However, automation with the intent of providing context and guided workflow can be a game changer for defenders. With proper planning and an incremental, modular approach to automation in areas such as rapid research, contextualization, and decision support, we can measurably improve our defenses and start leveling the playing field.

Presenters:

  • Brandon Denker - Cyber Threat Intelligence Analyst at NBC Universal
    Brandon Denker is a Cyber Threat Intelligence Analyst at NBCUniversal. He is responsible for identifying and testing tools and data sources for the ingestion, processing, analysis and dissemination of Threat Intelligence data to NBCUniversal. In his 12-year career he has worked with several government agencies and divisions, such as the Department of Defense and the Department of Energy, to provide intelligence and analysis services. Prior to NBCUniversal he helped manage a specialized Threat Hunting service for Raytheon Cyber, specializing in the architecture and development of Security Orchestration Automated Response solutions.
  • Mark Orlando - Founder at Bionic
    Mark started his security career in 2001 as a Security Analyst, and since then has been both fighting for blue team resources and trying to automate them out of a job. He has built, assessed, and managed security teams at the Pentagon, the White House, the Department of Energy, global Managed Security Service Providers, and numerous financial sector and Fortune 500 clients. Short on patience and attention, Mark is constantly working on new projects to improve defensive security through automation and other shortcut-y things so defenders can be more agile and creative. In 2012, Mark designed and launched a Managed Detection and Response (MDR) service offering and helped to invent an automated cyber threat hunting technology, both of which were later acquired. He enjoys teaching and learning from others but spends far more time doing the latter.
