
THE HUMAN FACTOR IN THE SOC

Smart analysts armed with the right context are key in the hunt for threats

www.cyborgsecurity.com
Copyright © 2020 Cyborg Security, Inc. All Rights Reserved
Intro

FOR DECADES NOW THE SECURITY INDUSTRY HAS CHASED AFTER THE
PERFECT MACHINE TO RUN THE SECURITY OPERATIONS CENTER (SOC).
THE CRUSHING VOLUME OF THREAT ACTIVITY AND CHALLENGES OF
STAFFING UP QUALIFIED ANALYST TEAMS HAS LED MANY TO HOPE THEY
COULD AUTOMATE THEIR WAY OUT OF THE SITUATION.

The problem with this is two-fold. First of all, today’s SOC automation—backed with Artificial
Intelligence (AI) or not—doesn’t often work as effectively on modern threats as the marketers
promise. More fundamentally, the issue is that too much automated SOC technology has
been conceived as a way to replace and remove the analyst rather than augment and improve
how analysts actually do the daily work of protecting their organizations. This is a troubling design
flaw that completely discounts the crucial role that people play in the sustainability of today’s SOC.

The sooner organizations can come to grips with the fact that without smart humans there is no
SOC, the faster they can start picking services and technology that helps them to get the most out
of their SOC investments.

The Human Factor in the SOC

WHY HUMANS MATTER IN THE SOC


Even in the age of AI and machine learning, humans are the most crucial element to running an effective SOC.

This is because the endless battle between cyber attackers and defenders is an inherently human endeavor. When one
thinks about the automation of both attacks and of cyber defense, it’s easy to forget that at the end of the day there needs
to be people sitting at the controls on either side of the divide to make the ‘machinery’ work.

Even when threat actors automate their attacks, the systems they design and tactics they use are ultimately devised
through human legwork and ingenuity. These criminals are constantly tinkering with their tools and automated methods to
get around common defenses. They also customize and target attacks against specific kinds of companies or systems.

On the flip side, defenders use AI, machine learning, and automation to get faster at detecting attacks, but it’s all based on
data gleaned from previously observed behavior—and often it is imperfectly observed at that. As a result, the automation is
constantly breaking down in the face of targeted attacks and new methods concocted by the criminals. Which means that
even with automation the human defender still has to be the backstop for deciding whether a tool is working right.

THE ROLE OF ANALYSTS IN HIGHLY AUTOMATED SOCS

TOOL SELECTION: A SOC needs experienced practitioners to pick the right tools for their
environment, choosing automation that works for them and not the other way around.

TUNING AUTOMATION: A constantly changing threat landscape means people have to train the
machine learning and tune the tech.

VALIDATION OF FINDINGS: SOCs still need the human ‘sniff test’ to validate security automation and
tooling results, because the ugly truth is that it never works quite the way it is supposed to.
Cybercriminals make a living beating automated detection tools.

THREAT HUNTING: Experienced analysts are needed to hunt for the most advanced hidden threats.

DECISION MAKING AND RESPONSE: SOCs and incident response teams need well-placed analysts making
decisions on when, where, and how to take action on detected threats and incidents. No machine
beats a person’s ability to triangulate threat information, risk assessment, and knowledge of the
business to make momentous choices.

The unfortunate truth about even the most advanced security AI is that it still can’t keep up with the constant shifts in the
Tactics, Techniques, and Procedures (TTPs) of cybercriminals today. AI and machine learning models need sound data to
‘learn’ behavior, track it, and report on it. If the data changes on too many dimensions or too frequently, the model doesn’t
work right. Trying to feed the most accurate and up-to-date data into the models has been a struggle for vendors and
practitioners alike for years.


It’s no wonder, then, that many experienced security managers and executives sometimes consider
a lot of automated detection technology to be more trouble than it’s worth.

“’Monitor everything, and big data/machine learning systems will sort it all out’ seems to be a
great way to sell a lot of product,” explained Chris Crowley and John Pescatore in a recent report
on the SANS Institute 2019 SOC Survey. They explained that survey results indicate that the sales
pitch has failed to live up to its promise.

“The low satisfaction rating of the wildly hyped AI and machine learning tools is an indication
that automation can augment staff skills, not replace staff.”
— Chris Crowley and John Pescatore

Even in well-automated SOCs, analysts still need to sift through findings to decide whether
something is a true positive or false positive before letting an automated system take action or
taking action themselves. And they still need to be available to hunt for the even more dangerous
false negatives—those attacks that the system didn’t alert on because the AI or machine learning
models were not able to detect the latest attack variation or zero day.

WHAT HUMANS IN THE SOC REALLY NEED TO STREAMLINE THEIR WORK

Now, this isn’t to say that automation has no role in the running of the SOC. Certain kinds of automation can be extremely
beneficial for security analysts. Automation is ideal for data collection during investigations, which is typically the number
one time sink for an analyst today. When an analyst gets an alert that they need to run down, automation can be invaluable
to collect information from all the right sources and present it in a unified manner—which can sometimes take as much as
20 minutes to do for every initial investigation that needs to be made.

However, once analysts start getting into triage and response, the case for across-the-board automation gets a lot
trickier. There are simply too many variables to account for to accurately automate response without building human
intervention and decision-making breakpoints into the process.

Instead of the industry hitting its head against the wall trying to over-automate processes that need human hands involved,
it should stop to ask analysts what they need to improve their daily practices.

Most experienced analysts would tell you that the ultimate combination of operational tools for them would be those that
blend limited automation with maximized information.

Instead of disintermediating the analyst’s expertise completely from the process, tools should be seeking ways to most
quickly provide analysts with context about incidents when they’re bringing their brainpower to bear on an investigation.
This capability is particularly important for the growing field of threat hunting, which requires experienced analysts to look
for subtle clues of an attack that doesn’t trip automated alarms.

Ultimately, what analysts need to move the needle on SOC effectiveness isn’t
automation, but instead, improved threat content. They need threat content
that’s been validated by smart people, that’s been curated based on current
attack activity, and that’s been tailored to their industry. They also need it
easily ingestible into the tools and dashboards that they already use every day.


HOW CYBORG HELPS BOOST THE SOC’S HUMAN FACTOR


Developed by some of the most respected pioneers in threat hunting methodology, Cyborg Security’s Contextualized Operations
Readiness Engine (C.O.R.E.) threat hunting platform was created with the understanding that you can’t automate away the
manual work of hunting for threats, but you can make it faster and less frustrating.

Offered via a subscription-based model, C.O.R.E. provides SOC analysts with the added contextual
information about threats that they simply can’t get from automated threat feeds or open source
detections. This includes missing threat details about current attacks, TTPs, and mapping against
common frameworks like MITRE ATT&CK and Cyber Kill Chain. The groundwork is laid by world-class
researchers and threat hunters and provided in easy-to-ingest formats.

Cyborg C.O.R.E. was developed with the realities of the modern SOC in mind. This is a platform built to boost the human
factor, not replace it.

To learn more about Cyborg and the C.O.R.E. platform, please contact us.

ABOUT CYBORG SECURITY


The best threat hunting minds. The best threat hunting ammo. The only real threat hunting platform.
Cyborg Security is a pioneer in cybernetic threat hunting, delivering advanced, actionable threat hunting content via a
first-of-its-kind single platform. Cyborg’s unique platform leverages the best and largest pool of threat hunting human
assets and resources, applies techniques and proprietary patent-pending technology, and delivers continuously updated
content, context, scripts, and playbooks to be leveraged by internal teams. Cyborg provides the platform to proactively
threat hunt, without outsourcing or the need to hire direct, scarce skill sets.

CONTACT US
801 International Parkway, Suite 500
Lake Mary, FL 32746
info@cyborgsecurity.com
www.cyborgsecurity.com
