Let humans do what humans do best

When presenting the ConnectWise SIEM and SOC services to partners or potential customers, I often get the question: "Why can't you automate every-thing? Why do we need a SOC?"

It's a great question. In the SOC, we are constantly tuning our tools and rules to capture unique situations or threats in the environment. For instance, if SOC engineers always respond to a particular set of circumstances in the same way, we will seek to automate that process. This increases the speed of response and prevents SOC burnout and customer alert fatigue.

However, there are just some things that humans are still better at doing than machines. So, we must also seek to provide the SOC team with visual repre-sentations of data where patterns and context can be easily seen.

To illustrate, take this cartoon from the XKCD book "What If?":

What happened here? Did the cat knock over the vase? The adult? Contextually, as humans, we can figure out this picture fairly quickly. But as Randall Munroe states in the book, "All the computers in the world couldn't figure out the correct answer faster than any one parent could."

Could you program a computer to figure this out? Sure, we could perhaps use some machine learning or AI to program this, but we would have to know that it is coming and how all the events preceding this might occur. We'd have to create models and test them. We'd need humans to tell us what is correct or incorrect. Our results would be fuzzy, perhaps returning values such as "it is 80% likely that the kid knocked over the vase with the lasso, and the cat is investigating."

In the world of cybersecurity, this is not always very helpful. For one, you need clear, actionable data to present to your customers, and we honestly don't know and can't predict what new form of attack could be coming or what new technique will be invented tomorrow. We are involved in an asymmetric war here, and the bad actors have the upper hand.

Humans also have the advantage of context. Many contexts, in fact. A SOC engineer might be familiar with the partner's environment and that particular client's environment. They would know what alerts are standard or out of the norm for the environment. They have a bird's-eye view of all the partners and organisations and what is typical across that broad international scope. They can remember things that might not be obvious at first or not in the "search space" of the machine. Additionally, they can perhaps relate what's happening in real-time based on the news of the day, long before a new rule or "indicator of compromise" is published by the community.

There will always be value from humans in the SOC, especially if we can present them with good visual data—such as historical risk charts, attack chain diagrams, timeline views, network traffic views, cross-partner events, etc.—that can alert them to a situation that is out of the norm.

There are things that machines can do much better than humans, but humans are still needed to determine what is worthwhile. Married to a human's ability to naturally put things in context, there are some things that humans just do better.