Vectra AI and threat mitigation, part 2

Against a compulsive culture of "do more with more," why the key to success could be doing less, but better.
6 October 2022

Let analysts be heroes in the multicloud environment.

In Part 1 of this article, we asked Mark Wojtasiak, VP Product Strategy at Vectra AI, how the attack surface for cybercriminals differs significantly in multicloud environments from monocloud or non-cloud environments, and how companies could get out in front of attackers who have very many more ways to attack them in these newer environments. In Part 2, we asked Mark to explain in particular the role that AI could play in aiding this fight against multicloud attackers.

THQ:

You said AI could free human analysts to focus on big attacks in the multicloud environment. How can it do that?

The philosophy of more

MW:

AI can help by automating the mundane manual tasks out of the analyst’s workflow. Right now, analysts are facing regular burnout, and there aren’t enough of them in the world to adequately monitor all the big threats and the small threats that are out there. One of the key things we need to embrace is the need to reframe and simplify the way we look at these problems, because trying to “do more with more” is simply not viable.

Think about it. There are any number of attackers out there in the world, and they’re all fairly smart at what they do, and highly motivated. If we try to match more attackers with more work for analysts, all we’re going to do is burn out more analysts more quickly, which ultimately leaves more systems vulnerable to attack.

THQ:

And that’s how you lose a data war.

MW:

Exactly. So what we need to do is reframe and simplify, and actually reduce the amount of mundane work on the analysts’ shoulders. That’s where AI can come in.

AI can do the mundane monitoring. It can track user behaviors against known threat behavior models, and it can flag up behaviors to analysts when, and only when, a behavior looks like it is becoming something dangerous. Then the analysts can step in and do what humans do best – critical thinking – and can use all the available information on the behavior of a particular invader or attacker, to either shuffle them down electronic alleyways and out of the system, or just boot them out if the danger is imminent. By using AI as an underpinning technology, we can free up analysts to do the important human work, reduce analyst burnout, and create an AI-human partnership that’s hopefully better than the sum of its parts. Of course, that means a shared responsibility between the artificial intelligence side of the equation and the human analysts involved, and the question becomes whether AI can actually do this at scale, and at the speed of an attack.

And what we’ve found is that it can.

Hearts and minds

THQ:

Is there a battle for hearts and minds to get that sort of shared responsibility in place?

MW:

Yes, I think so. I’ve been asking security leaders and practitioners and architects what one word sums up the picture of security – and it’s “More.” Everything’s about more: there’s more attack surface, there are more evasive attackers, there’s more technology, there are more tools. So you’ve got to write more rules, you’ve got to pump more data into a SIEM, you’ve got to do more analytics, you’ve got to do more. It’s always more.

And I think that, fundamentally, this whole approach of doing more is just making the problem worse, making it more difficult, and creating the burnout, etc. So how do you fundamentally deliver more to the organization, but by doing less?

THQ:

How indeed?

MW:

It’s a big challenge that I think a lot of CISOs have, and you see it in questions like “How do we report to the board? How do we talk about cybersecurity to the C-suite and to non-security people?”

And I think everything’s got to be risk-based. Which is similar to everything being outcome-based. What is the ultimate outcome we want here?

THQ:

To fight more attackers, with less human burnout?

MW:

Exactly. And being a defender in this day and age is not easy. It’s extremely difficult and it’s getting worse and worse because of this whole “more” dynamic, so as a technology partner, there are certain things that we have to do. How do you help businesses get more resilient to attack in a hybrid or multicloud world?

It comes back to those two questions – where are they exposed? And where are we compromised right now? If we can answer those questions, we can be resilient to these attacks as they’re evolving. The second thing is how do you help them be more efficient? How do you help them do more with less?

Helping analysts be heroes

And then the third question is where is the outcome rooted in efficacy? Analysts just want to be effective at their job. They just want to come in, and they want to know what they need to focus on. They don’t want to do manual, mundane tasks on a day-to-day basis, like triaging alerts or maintaining rules, or whatever it might be; they just want to defend. So how do you begin? How do we help an analyst effectively defend their organization in a hybrid multicloud world? We believe if you take all of that mundane stuff out of their day to day, and let the AI handle it, you free them up to do the critical thinking that lets them think like an attacker, and so defeat the attackers that are out there, trying to get in.

That’s how we go about it – we create the AI system that can monitor attack behaviors and deal with the day-to-day triage and alerting, so that the analyst is free to be an analyst, and doesn’t get burned out with all the constant pressure to “do more.” We let them do less, but more effectively. We let them find their opportunity to add value to the organization as analysts, rather than as glorified watchdogs.

That also means they can evolve their own learning as they go, and feed it back into a streamlining process, feeding best practice into their peers – and processes.

THQ:

That sounds like an uphill budgetary struggle – convincing the board that they need to spend more to let their analysts do less, when the number of multicloud threats and the attack landscape are only ever increasing?

MW:

Explaining it to the CISO, or whoever holds the budget, is where the process currently falls down sometimes, yes. The explanation of “Here’s where we have delays, so we need to invest here, whether it’s process, whether it’s people, whether it’s tech, whatever it might be” still sometimes feels like the hard work. But if we’re able to do our job, if we can help the analysts help the business be resilient in a multicloud environment, I believe we can turn the tables on the attackers. I believe we can get ahead of this, and let the analysts be the heroes they can be when they’re not overburdened by the “do more” philosophy. If we don’t, we’ll just see more and more analysts burn out.

And that’s good for no-one but the attackers.