Learning to Whitebox the SOC-in-a-Box
Even as organizations automate their security operations with orchestration and AI, some of the most important parts of security investigations continue to depend on human analysis and talent. These critical moments in the investigation remain frustratingly slow, and need categorically different technologies that are optimized for human-in-the-loop analysis.A balanced security strategy requires us to augment and extend human skills and abilities for the many daily tasks that we cannot trust to bots. This is one of the key goals at Graphistry, and we have previously described the fuzzy data aspect of the problem in our previous article, “Security in the Age of Maybe”. Orchestration and AI are important parts of modern security strategies, but we have to remember that analysts need to deal with them. This article digs into our experiences around the challenges and opportunities presented when orchestration and AI meet critical human-in-the-loop phases of an investigation.
Hurry Up and Wait
Security investigation workloads have outpaced the ability of organizations to hire analysts, so it is no surprise that teams are replacing people with programs for low-level and low-risk tasks. The interesting part, as in most things, is where automation stops short.
Security-critical workflows still often end in or depend on human-in-the-loop (HITL) analysis, and for good reason. Distinguishing real threats from false positives, understanding the true scope of an infection or intrusion, or pulling the thread to expose a hidden attacker are just a few examples where human analysis remains essential. The outcome of these investigations determines the real security of an organization, so tickets and projects remain a daily reality.
Unfortunately, these investigations often remain slow and laborious, and are where efficiency and insight can go to die. As soon as tools make the handoff to the human analyst, the process regresses by 15 to 20 years. We go from automated process to an analyst squinting at dashboards and writing command-line style search queries. In order to make security operations run faster, we need to bring the same ethos of automation, orchestration, and intelligence to the messier, more complicated iterative work of human in the loop analysis. If we don’t, then much of the anticipated benefit of investing in those tools could be lost in a case of “hurry up and wait”. This means that the speed, visibility, and reliability we gained through automation could be lost at moment it matters the most!
Augmenting Human Analysis
If we want to improve a human outcome, it makes sense that we design for and try to extend natural human skills. That is why Graphistry has made unprecedented investments into building best-of-class visual technology. Unlike programs, people understand information visually. Humans deal with enormous amounts of data and complexity every day when it is shown visually, and this is why we convert virtually any data into visual graphs. Using graphs we literally see the connections and relationships between our events, entities, and metadata. That could be seeing the progression of an attack along the kill chain or it could be seeing the layers of obfuscation within a money laundering scheme. In either case, a picture instantly reveals what would be relatively impenetrable if analyzed in a table of data.
Analysts are also wrestling with new types of data that may not always be intuitive. Machine learning and AI have become central to all types of analysis. The problem for many analysts is that the algorithms driving these models are often a black box that the analyst simply has to take on faith. Graph visualization has the power to provide analysts with the human UI into machine learning insights. Instead of looking at a generic alert reporting anomalous behavior, an analyst can actually see clusters, outliers, and complex relationships in the data. Likewise, the graph provides a direct visual interface for easily driving these systems, such as steering machine learning towards different parts of the dataset, and triggering actions on identified regions.
Leveraging Scale Without Letting It Get in the Way
The team at Graphistry has created a variety of core GPU technologies, which lets us unlock the needed flexibility to visually interact with large amounts of data. That includes simply seeing and understanding 100X+ more of our data in context. But since the final answer that we are looking for is often small, we also need to easily remove the noise and drill down or pivot to follow the intuitive flow of the investigation.
The goal is that we never want to limit the scope of an investigation, because we can’t see all of the important data, but at the same time we need to make sure the data doesn’t get in the way of seeing what’s really important. This is frankly where most see the difference between having a pretty picture and having a truly interactive investigation. Analysts need the ability to pivot across data sources on the fly, view events in the context of a timeline, or view data in the context of the network. Being able to do this without changing screens or writing new queries is critical for making sure analysts can investigate intuitively, creatively, and actually leverage the skills that make human analysts so valuable.
Automating the Human Workflow
In the previous topic, we were focused on improving our analysts vision: enable them to see more information, see deeper into relationships, and adapt on the fly. To close the loop, we need to focus on the speed of the workflow and how we accelerate those insights. Just because a workflow involves a human doesn’t mean that we can’t speed it up by orders of magnitude. This why Graphistry has pioneered the use of investigation templates and visual playbooks as a highly interactive investigation environment rather than rigid and hard-to-edit software.
First, a template allows an investigation to automatically begin with all the data that an analyst will need. With a trigger as simple as a single SIEM alert, Graphistry can automatically connect to and query any and all data sources to pull in the relevant context. This could be logs from other tools in the SIEM, NetFlow stored in a Spark cluster, and a variety of metadata from Bro logs in Elasticsearch. Without writing a single query, the analyst can right click on an incident, and all the necessary data is queried and prepared for analysis.
Crucially, that data is delivered through a highly interactive and visual workflow. Each step or pivot can have its own unique visualization setting tied to the needs of the analyst. Instead of being rigidly predefined, the analyst can tweak settings such as to look at a wider time range or find out more about a specific entity of interest, thus remaining fully interactive and explorable.
Organizations face a similar challenge when bringing orchestration into human-in-the-loop scenarios. Scripts should not be a blackbox that only other scripts can use. The visual graph and templates solve the human side of orchestration: analysts can simply click-and-fire!
This is just the beginning of what Graphistry does, but it hopefully serves to illustrate the path forward for security organizations. Analysts are some of the most critical assets in the enterprise, and it doesn’t make sense to simply automate around them. They need to be in the process. This is what we call turning the blackbox into a whitebox. To do so, we need to give analysts tools that augment their skills, and close the loop around automated workflows around data lakes, AI, and orchestration. At Graphistry, that is our mission.