SAN FRANCISCO – You might be forgiven for thinking that RSA president Amit Yoran was sending mixed signals in his keynote speech this week at the company’s annual security conference.
On the one hand he touted the potential of analytics and artificial intelligence as having “incredible promise for transforming how we view security.” On the other hand he warned there is no actual magic that will save us.”
How does one square this from a company that makes a lot of money selling analytic solutions – in fact Yoran announced a new behaviour analytics module for RSA’s Security Analytics platform?
“We’re not going be able to deploy a technology without humans that will stop any threat,” Rob Sadowski, RSA’s director of market insight acknowledged in an interview. But, he said many customers want his company’s products to help their analyst or infosec teams at least separate the chaff from the wheat.
“Most mature organizations recognize there is no magic capability, but on the other hand there’s a lot of potential to help the incident responders who are doing a lot of that work today to make their work easier.”
Industry analysts – and vendors – say analytic solutions that sort through reams of network and behaviour data are vital to keep up with the changing tactics of attackers. But even Sadowski admits software can’t completely be automated.
Still, there’s the impression that only large firms with security teams can afford analytic solutions. Not necessarily, he said.
A solution that can “find me the stuff I need to put my brain on,” rather than “searching for the needle in a haystack” will be valuable to small IT staff, he said. “We’re never going to have a time when there will be an completely autonomous AI system. But if we can help focus the smart creatives , the smart humans who are actually going to interpret that data and act on it and if we can make them more effective that’s a huge, huge win.”
The network behavior module for Security Analytics gather data from a variety of sources — log information from infrastructure, information from endpoints, information from identity management systems, deep packet visibility and internal and external threat intelligence – which organizations can use to spot anomolous activity. Staff can then check to see if it’s a threat or merely a user that has changed jobs.
While the initial release only covers network behaviour other capabilities – possibly user behaviour – will be added in the future.
Pricing wasn’t announced.
Sadowski also talked in the interview about the importance of threat intelligence sharing, which he said helps provide some insight into the types of attacks an organization is facing and may provide some valuable indicators of compromises infosec staff can use to detect threat faster.
But, he warned, the intelligence has to be up to date, because attackers change their patterns and tools often. “A lot of time the most valuable type of intelligence is just information on the actors tools, techniques and procedures – how they go about compromising an organization. Do they go after this type of user, this type of infrastructure…so when you potentially see an attack from them you can go to the places that are indicative of that particular group,” he said.
Intelligence also has to be relevant to your business, he said. While there are a lot of threat intelligence services CISOs can subscribe to a bank you don’t need intelligence on the kind of attacks against energy companies,
“But threat intelligence is always going to have to be augmented by a really good understanding of what’s going on in your network so you can apply it.”