Automation, machine learning and artificial intelligence continue to play a growing role in detecting and diagnosing network threats based on traffic analysis and data feeds, but such technologies still must be complemented by human decision-making in order to be effective, according to a panel session Tuesday at RiskSec NY 2017.
“Supervised machine learning has a lot of promise, but you still need that paired up with human brains to make [your threat data feed] a truly valuable feed for your organization,” said Levi Gundert, VP of intelligence and strategy at Recorded Future, asserting that human analysis is necessarily to derive proper context from external reports while weeding out noise and false positives.
“I think human intervention is still required,” agreed Charles Kao, global director of information security at fund administration firm Hedgeserv. It’s how do we leverage our analysts to focus on the ones that’s relevant for the organization, rather than… just having them go through the feeds and not knowing which direction [to go]?”
Human intelligence is also required to determine and communicate parameters for measuring the success of automated, operational threat intelligence, Gundert continued. Companies, can for example, track the number of new firewall and web proxy rules added to their firewall solutions. “But then you also maybe need to think about tracking the efficacy of those rules over time. So how many threats do you actually block with those new rules over time?”