Six ways human IT security analysts add value
No cyber defense can do without artificial intelligence anymore. But human observers still offer an important plus:
1. Artificial intelligence and human intelligence complement each other: AI optimized with machine learning (ML) and threat intelligence can analyze large amounts of information quickly and without error. An IT security expert builds on this, interprets the patterns in the data traffic and at the same time manages the defense using proven procedures. Because of their knowledge of the company and its IT, the expert is also an important AI trainer: they speed up the definition of normal, and therefore legitimate, data transmissions, for example by tagging security-critical systems. They also take into account information that is not visible in the network traffic: that devices exist but are not centrally managed, for instance, or that the company is setting up a new headquarters, which explains queries from previously unusual IP addresses, or that it is introducing new technologies, applications and therefore new systems.
2. Evaluate information in context: Artificial intelligence is a statistical approach. Because recognizing, defending against and preventing threats require connections that go beyond individual data points, people and their judgement play an important role. Specific knowledge about the company helps, for example, when an IT service provider commissioned by the company suddenly operates in a subnet for which there is no order at all. Even if the pattern of data traffic seems inconspicuous at first, the provider exceeding its authorization may indicate a compromised IT service provider and should be investigated.
3. Anticipate the hacker's next moves: Complex advanced persistent threats (APTs) are still man-made. Often it is not spam bots behind phishing attacks on important people in a company, but social engineering specialists who gain access via a targeted email attachment. The AI then recognizes that the attacker is manipulating the network, but the hacker's individual tactics are not reflected in the statistical indicators. To predict the attacker's next steps, an experienced security analyst can put themselves in the hacker's shoes.
4. Assess the perpetrator's overall motivation: Cyber defense must take into account the criminal's motives. Not every attacker wants to steal data, encrypt it and collect a ransom. Hackers have different motives: seizing resources to mine bitcoins, politically or personally motivated sabotage, or simply the urge to destroy. Therefore, the defense needs to do more than secure data or close information leaks. A lasting response requires an understanding of human psychology.
5. Appropriate and prioritized security rather than purely automatic defenses: An IT security analyst sets risk priorities individually for the company. The choice of defense depends on the context: is it recoverable data that may no longer be of any value to the company, or one of the frequently cited crown jewels? AI cannot answer the defense questions that arise in a way that fits the situation, because that depends on the importance of the data or processes to business success.
In addition, the analyst keeps an eye on attacks that are common in the industry. If hackers are currently attacking online vendor X with malware, it cannot be ruled out that they will try competitors Y and Z later. An AI that only watches its own network sees such a risk only if it is supported by up-to-date threat intelligence.
6. Defend cautiously and avoid collateral damage: Artificial intelligence has great power to recognize threats and can automatically start defending. However, any defense has side effects and can negatively affect IT or business processes. Defense can be no less complex, and must be no less consistent, than an APT. Security analysts are therefore needed here because they can weigh up the consequences of actions. Human expertise helps to avoid unjustified collateral damage, such as blocking access to IoT-controlled buildings or to information systems in nursing care.
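As an added example that is not part of the article, the following script shows how the analyst-supplied context from points 1, 2 and 6 can be encoded next to a statistical detector: tags for security-critical systems, the subnets each commissioned service provider is allowed to operate in, a new site whose addresses would otherwise look unusual, and a rule that an automatic block is never applied to a tagged critical system without analyst approval. All addresses, vendor names, asset names and flow records are constructed for illustration.

```python
"""Encoding analyst context alongside an AI-driven detection pipeline.

Constructed example: every address, vendor and asset below is invented.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The company's own address space (assumed for this example).
INTERNAL = ip_network("10.0.0.0/8")

# Point 1: analyst tags systems whose disruption would cause real-world harm.
CRITICAL_ASSETS = {
    "10.0.5.10": "nursing-information-system",
    "10.0.7.20": "building-access-controller",
}

# Point 2: subnets each commissioned provider is contractually allowed to touch,
# and the jump hosts they connect from (constructed values).
VENDOR_SCOPE = {
    "vendor-a": [ip_network("10.0.3.0/24")],
    "vendor-b": [ip_network("10.0.4.0/24"), ip_network("10.0.5.0/24")],
}
VENDOR_SOURCES = {"203.0.113.10": "vendor-a", "203.0.113.20": "vendor-b"}

# Point 1: a new headquarters whose addresses are unusual but explained.
KNOWN_NEW_SITES = [ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    src: str
    dst: str
    reason: str
    severity: str


def review_flows(flows):
    """Return findings for (src, dst) flows that contradict the supplied context."""
    findings = []
    for src, dst in flows:
        src_ip, dst_ip = ip_address(src), ip_address(dst)

        vendor = VENDOR_SOURCES.get(src)
        if vendor is not None:
            # A provider outside its contracted subnets may be compromised (point 2).
            if not any(dst_ip in net for net in VENDOR_SCOPE[vendor]):
                findings.append(Finding(src, dst, f"{vendor} active outside contracted scope", "high"))
            continue

        # Traffic from the new site is unusual statistically but explained by context.
        if any(src_ip in net for net in KNOWN_NEW_SITES):
            continue

        # Any other external source is left to the statistical detector; record it as low.
        if src_ip not in INTERNAL:
            findings.append(Finding(src, dst, "unknown external source", "low"))
    return findings


def plan_response(finding):
    """Decide whether an automatic block is acceptable or an analyst must approve (point 6)."""
    asset = CRITICAL_ASSETS.get(finding.dst)
    if asset is not None:
        # Never auto-block around a critical system: alert and wait for a human decision.
        return {"action": "alert-only", "approval": "analyst", "asset": asset}
    if finding.severity == "high":
        return {"action": "block-source", "approval": "automatic", "asset": None}
    return {"action": "monitor", "approval": "automatic", "asset": None}


# Constructed flow records: (source, destination).
SAMPLE_FLOWS = [
    ("203.0.113.10", "10.0.3.15"),  # vendor-a inside its scope
    ("203.0.113.10", "10.0.7.20"),  # vendor-a touching the building controller: out of scope
    ("203.0.113.20", "10.0.5.10"),  # vendor-b in scope, even though the asset is critical
    ("203.0.113.20", "10.0.9.9"),   # vendor-b out of scope, non-critical target
    ("198.51.100.7", "10.0.3.15"),  # new headquarters: unusual address, but explained
    ("192.0.2.44", "10.0.5.10"),    # unknown external source reaching a critical system
]

if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}: {f.reason} [{f.severity}] => {plan_response(f)}")
```

The two `high` findings get different treatment: the one aimed at the tagged building controller is held for analyst approval, while the one against an untagged host can be blocked automatically, which is the distinction point 6 asks for.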
When the attack is analyzed afterwards, the security analyst plays an important advisory role. Using a full mirror of the network traffic, they can reconstruct what happened and work out how future attacks can be prevented.