We need to stop dehumanizing security before it’s too late

If you’re in security, how do you describe your job? If you’re not in security, how do you describe security?

Security seems to survive on a steady mental diet of negativity. Overwhelmed with news of failures coupled with a growing pressure to perform — flawlessly — often creates an operating environment that feeds on chaos. We’re drawn to security and seem to resign ourselves to feeling bad.

I was recently reminded of this when speaking with Gary Golomb, co-founder at Awake Security. Gary has nearly two decades of experience in threat analysis and has led investigations and containment efforts in a number of notable cases. If you go far enough back, he was a researcher on the Dragon NIDS/HIDS, and before that he served in the United States Marines 2nd Force Reconnaissance Company.

Gary says when he asked people to describe their jobs, the answers were sad. People feel overwhelmed, unappreciated and set up for failure. It’s a horrible way to work. Gary says we need to take a different approach.

Here is his Security Slap Shot:

Today’s security products take the human element out of the security operation center

Maybe it’s just nostalgia, but when I think about my early days as a security analyst in the time around Y2K, I recall exciting and interesting work. Then, analysts required very critical thinking, since many offensive tools and procedures were poorly documented in that time before the roughly coordinated intelligence sharing we have today. Most analysts were also engaged in solving interesting problems (with only a few primitive solutions), which itself forced you to master the craft of threat discovery and refine critical hunting skills.

Over the past few years, I’ve spent a lot of time speaking with security analysts around the globe, and the same sense of engagement and motivation is definitely missing today. When I ask analysts to describe their job, I frequently hear words like “tedious ” and “demoralizing” — a far cry from my rose-colored memories. At the end of each of those thousands (or millions) of alerts is an analyst accountable for deciding whether to pull a computer from the network. If the wrong decision is made, it’s not the alerting tool but the analyst who carries the scars for “interrupting the business.” Unsurprisingly, this creates a disincentive for analysts to respond to the more “mistakeable” types of threats, while both directly and indirectly increasing frustration and burnout.

Security tools today are focused on identifying patterns rather than empowering analysts. This creates an environment that prioritizes the delivery of as much machine-relevant data as possible. There is, however, very little human-relevant information about the data. Instead, the analyst now spends most of their time linking machine-relevant data, often requiring as many as 30-plus tools to do so, and making their decision-making process even more error-prone.

This not only hinders analysts, but it prevents them from sharpening many skills that truly matter, which is, of course, demoralizing. It also precludes high-value security tasks like proactive hunting — and it’s not because organizations don’t have the skills, as many folks contend, but rather because the tools at their disposal prevent such functions. Hunting in the enterprise is not new; the difficulty enabling it is.

We’re up against creative attackers. While it can be lucrative, as well, make no mistake — hacking is fun. It’s puzzle solving and creative thinking — the same things that helped me fall in love with security analysis. Unfortunately, today analysts on the front lines of corporate defenses are juggling tools that transform them from experts in the craft of security to worker bees performing rote, repetitive tasks.

At its heart, security has always balanced on human creativity: people outsmarting people, and we’re letting our analysts down by turning their jobs into repetitive tedium. Even with automation, we are only eliminating the last mile. The solution is for us as an industry to deliver tools that focus not only on computational algorithms, but also on the cognitive attributes and procedural knowledge that empower veterans and novices alike to most confidently decide whether to interrupt a business process or not, and to become more knowledgeable in the process.

My analysis (color commentary)

I’m impressed that Gary asked people to describe their roles. We know security is focused on the negative – if only to prevent “bad things” from happening. I’ve publicly lamented the disconnect between security and people. I hadn’t considered the role of security advances and new solutions to also disconnect us from the process. Straight Talk is all about translating value to forge connections… with people. My work centers on the importance of people, on elevating them, and celebrating what we are capable of. I love the promise of technology when it puts people first. It creates an opportunity to let each of us deliver remarkable value. I’d like to see more of that.

Your turn — react

What do you think? Are our current solutions taking the human element out of security, specifically in the SOC? Is that good or bad? Too late to change, or is now our time to make the changes we need?

Take it to our Facebook page and engage with me on Twitter (@catalyst).

What do you think? Ready, set, react!