Can Security Analytics Replace Humans?

Do androids dream of electric hackers?

In a recent series on this blog, we reflected on the growing market for Security Analytics technologies. Over the past few months, we have been continuing this discussion with practitioners and leaders in the industry. One question that many have asked is: “Can we remove humans from the decision chain?”

Initially, we rejected the idea of removing humans from security analysis. However, the further we explored this issue, the more viable it became.

The dream of a unified converged security platform that has both analytical and enforcement capabilities has existed for some time. The most recent flirtation with this idea was network access control (NAC) technologies, which were a massive flop.

NAC flopped because it cannot handle the dynamic nature of a modern enterprise. Hackers do not operate on a schedule or according to rules. Many of the big, high-profile breaches last year demonstrated that you can have good technologies and good people watching those technologies, and still miss attacks.

Is the “self-defending network” a pipe dream or a reality? Today, trained security analysts remain a crucial part of security operations, and that is unlikely to change in the next few years. However, we could build a technology that could automatically adjust defenses, in real time, to protect a business.

To accomplish this, the security market must overcome three big hurdles: data normalization, AI, and sharing. Based on our analysis, we believe these are not insurmountable hurdles.

1. Data Normalization

While security information and event management (SIEM) technologies have done an admirable job building flexible data structures that can handle tons of data, normalizing security data remains a daunting task. The problem is not technical, per se, but rather the nature of log data. Different technologies log data in different ways. Normalizing that data into a universal structure that can be used across diverse platforms would be enormously beneficial.

There is hope here. Many SIEM products already do this, to some extent. If the various technology companies could work together, they could define and promote a common log standard. If log data was standardized across all security technologies, it would dramatically improve our analytical capability. Symantec took a run at this a few years ago, but could not keep it going. If the primary NGFW/UTM vendors all got on board, then there might be enough momentum to make this happen.
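To make the normalization problem concrete, here is an added example (not from the original post, and not any real vendor's log format): two constructed, made-up log formats from hypothetical sensors "fw-a" (key=value syslog text) and "fw-b" (JSON) are mapped into one common event schema, after which a cross-sensor question that neither raw format could answer alone becomes a trivial query.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines. Both formats are invented for this example.
VENDOR_A_LINES = [
    "2024-03-01T10:00:01Z fw-a DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp",
    "2024-03-01T10:00:05Z fw-a ALLOW src=198.51.100.4 dst=192.0.2.20 dport=443 proto=tcp",
    "garbage line that does not match",  # unparseable input is dropped, not guessed at
]
VENDOR_B_LINES = [
    '{"ts": 1709287203, "sensor": "fw-b", "verdict": "block", "client": "203.0.113.7",'
    ' "server": "192.0.2.30", "port": 3389, "transport": "tcp"}',
]

A_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                  r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$")

def normalize_vendor_a(line):
    """Map the hypothetical key=value format onto the common schema; None if it doesn't parse."""
    m = A_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"timestamp": ts.isoformat(), "sensor": m["host"],
            "action": "deny" if m["action"] == "DENY" else "allow",
            "src_ip": m["src"], "dst_ip": m["dst"],
            "dst_port": int(m["dport"]), "protocol": m["proto"].lower()}

def normalize_vendor_b(line):
    """Map the hypothetical JSON format onto the same schema (different field names, epoch time)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    return {"timestamp": ts.isoformat(), "sensor": rec["sensor"],
            "action": "deny" if rec["verdict"] == "block" else "allow",
            "src_ip": rec["client"], "dst_ip": rec["server"],
            "dst_port": int(rec["port"]), "protocol": rec["transport"].lower()}

def normalize_all(a_lines, b_lines):
    events = [normalize_vendor_a(l) for l in a_lines] + [normalize_vendor_b(l) for l in b_lines]
    return [e for e in events if e is not None]

def denied_sources_across_sensors(events):
    """Sources denied by more than one sensor: answerable only once both feeds share a schema."""
    seen = {}
    for e in events:
        if e["action"] == "deny":
            seen.setdefault(e["src_ip"], set()).add(e["sensor"])
    return sorted(ip for ip, sensors in seen.items() if len(sensors) > 1)
```

Adding a third vendor means writing one more `normalize_*` function; the analytic in `denied_sources_across_sensors` does not change, which is the point of the common schema.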

2. Artificial Intelligence

The next big hurdle is building an intelligent engine that can dynamically adjust to conditions based upon a complex and diverse set of data. For this, we can look to the video game industry and driverless cars.

The intelligence engines inside modern video games are impressive. Games like World of Warcraft or Halo handle a complex set of variables and make intelligent decisions based on weighted factors.

Furthermore, driverless cars are now a practical reality. These technologies must process mountains of data from a very messy, volatile world with extreme precision. If we can make night elves defend the castle or pilot a car with no driver, we can build an intelligent Security Analytics platform.

The real problem here is that most of the large security companies focus on moving appliances through the channel, and miss these innovative ideas. Smaller companies lack the resources to invest in these ideas at any scale. And the people with money are still trying to comprehend what it is we do in information security. It will take the deep pockets of a Google or an Elon Musk to build an artificial intelligence engine that can manage the mountains of security data.

Compounding this problem is the financial challenge. Video games have a devoted, paying customer base that drives billions in sales. Security Analytics is, at best, a $400-500M business right now. This makes the money guys lose interest and invest in flashy “next-generation” hucksters.

While some work on this kind of technology is being done in secret at the Defense Department and the large telecommunication providers, until a big name like Google or Microsoft steps forward and takes leadership in this area, it will remain behind closed doors.

3. Global, Collaborative Framework

Security Analytics cannot exist in a vacuum. It depends upon threat intelligence to make it work. Right now, most threat intelligence is walled off behind subscription-based services. There is scant sharing of data across the big intelligence networks. Even sites like VirusTotal, which collates and analyzes virus data, are still rather rudimentary. The Ciscos, Googles, and Symantecs of the world are pretty stingy with their intelligence so they can use it as a competitive advantage.

Security Analytics needs a truly global, collaborative threat intelligence environment to thrive. It needs to be very open and very aggressively policed. In order for Security Analytics to really work, it needs to discover attacks in real-time. When the first attack hits, the network needs to automatically communicate that to everybody.

This may be the most daunting aspect of Security Analytics. Until customers demand this, and steer their purchasing decisions based on this, there is little incentive for these firms to share. It also must become a “must-have” part of security technologies. You cannot have just a few participate in this sharing, because that means all those CheckPoint, Fortinet, Blue Coat, and SonicWall customers will not be contributing threat information. The only way threat intelligence can really work is when there is broad collaboration.

This is perhaps the one area where our government could make a difference, if they were not so dysfunctional. The government is a natural broker for threat intelligence. This type of sharing does happen, but it’s mostly reserved to the big players. Smaller companies lack access, influence, and capability to access this data.

Some people have suggested building open source style community groups that can facilitate this kind of sharing. The sad reality is, people just do not contribute unless it is in their best interest. Two decades of open source experience has shown that you cannot rely on a community of volunteers.


A converged, unified, analytics platform that can intelligently analyze your business and automatically defend it will be a reality…someday. We are probably at least five years out on this and maybe longer. It would be nice to see Blue Coat do something with their amazing Solera product. RSA’s analytics platform holds some potential as well, as they have deeper pockets from EMC. However, it is going to take a big name to not only step into this market, but pressure the other players to get involved as well.
