Human Success via Tools

Better detection mechanisms through algorithms (code) & machine learning (pattern recognition) are valuable tools to the human responders. Playbook Automation can reduce the routine and certain tasks an analyst must perform so she can focus on what is important.

Lessons from Law Enforcement

Because of the superior ability of the human mind to interpret diverse data, a human detective investigates crimes. The detective leans on high-tech crime scene unit data and databases of valuable information. He understands the power of technology and uses it masterfully to reveal the truth of a crime. But one critical and core lesson of law enforcement has not yet been embraced by cyber-detectives: the detective conducts and owns the investigation. No grieving parent would want to hear “we have our best algorithms and AI looking into your child’s murder.” People trust people. People are skilled at doing amazing things. Computers can do things quickly but do not innovate or learn the way flesh and blood does. Investigations must be led by investigators who are enabled by technology, not delegated to technology.

Steps to Success

As the craft of cybersecurity incident response matures, there are some key transformations that will occur. Each craftsman should endeavor to see them happen quickly.

Power to the People

The first and most critical step in maturing the craft is wresting power from vendors and putting it in the hands of the customers (incident responders). Organizations must demand outcomes that can be proven by metrics. Playbook automation exists because the quality of information from any single tool is insufficient to make a pragmatic decision. Vendors need to solve concrete business problems, not just monetize their intellectual property (via algorithms). These important metrics can be gathered in-house and by investing in independent tech journalists. Invest in projects and vendors that are building technology to collect and publish this information. Invest in technology journals that have integrity and will report on these vendor metrics. Product testing with journalistic integrity is extremely rare today. Invest time, money, information and resources in creating and maintaining healthy news outlets.

End of Triage

As mentioned earlier, the number of alarms pouring into security operations centers is untenable. This has put teams in a constant state of triage. It is time we build processes and architectures that enable every alarm to be investigated. As I mentioned in “Failure Reports”, understanding the current state of failure and rolling it up to management is the first step toward systemic victory. Craftsmen must set out to find approaches that allow for full, auditable investigations of every alarm and event generated. This is a significant psychological pivot that requires security leaders to step up and forge a difficult path ahead.

We’re not Hackers

Craftsmen need to communicate effectively. There is a hacker counter-culture that is sexy and exciting. This culture has led the craft to make most of our conferences focused on attacks and offense. Capture the Flag (CTF) is at every national and regional conference. Lock picking is commonplace. While there is value in understanding adversary tactics, it is limited. Law enforcement conferences don’t spend the bulk of their time teaching how to break into banks or take hostages. They focus on how to respond to these events. Conferences and training need to become likewise focused on defense. It’s time for us to grow up.

Wrap Up

For the last 15 years, we have allowed machines and their vendors to make our decisions and protect our data and networks. The heroes of incident response have been and will always be the cunning people who know how to use their gear (tools). Cybercriminals have repeatedly gathered massive wins with virtually no investment in gear, but a surplus of human ingenuity. Machines are powerful tools, but people are greater than machines.