McAfee roadshow: Human-machine teams to identify insider threats
The McAfee Canadian Security Operations Roadshow, which made a stop in Toronto recently, offered perspectives from Stephen Jou, chief technology officer at Interset; Jason Rolleston, McAfee’s VP and general manager, security intelligence and analytics; and Brian Brown, McAfee’s enterprise technical specialist. Together, they discussed how security operations teams can adapt to an increasingly volatile threat landscape.
The general theme among the speakers was “human-machine teaming solutions” — using automation and analytics to advance human capability.
Jou spoke about how analysts can use behavioural analytics and mathematical models to identify insider threats in an era of big data.
Generally, mathematical models look at previous reports of malware data and learn from past behaviours to identify threats. But how can these models provide a summarized view of risks and alerts?
Interset uses a probabilistic approach: their system performs aggregations and real-time monitoring to collect data on users to determine the “behavioural risk,” based on a model that looks at the user, machine, and the type and volume of data.
The more these behaviours coincide on the same entity (i.e., the same user account), the more likely it is an insider threat.
Meanwhile, Rolleston spoke to attendees about how security operations teams can identify threats through Security Information & Event Management (SIEM) systems.
What sec ops teams are currently doing in SIEM is not working, he explained.
Instead, SIEMs should focus on three areas: a data platform that brings in data at scale and makes it widely available; optimized sources that allow analysts to find anomalous data; and tools for investigation and response, Rolleston said.
In fact, McAfee is using log management tools and advanced analytics to identify, investigate and respond to anomalous data.
In an interview, Rolleston elaborated on the evolution of threats and the need for a more modular response.
“Hackers have become very sophisticated in how they attack, and so that’s where you see the adding of things like behavioural analytics…and using math and big data to spot behaviours that otherwise would have been very difficult to spot,” he explains.
As such, McAfee is focused on becoming a ‘device to cloud’ company, protecting users wherever they compute.
“Where you compute now is becoming a much broader surface,” adds Bryan Rutledge, McAfee’s regional vice president and country manager, Canada. “This year we made the acquisition of Skyhigh Networks, a CASB [cloud access security broker] leader, to round out the portfolio in the cloud, because … in Canada we see a lot of people adopting cloud technologies.”
Nevertheless, the ease with which hackers can access data still depends on multiple factors. Even when organizations do everything right to protect their data, their partners may not do the same.
Consequently, it is important companies have firewalls and encrypted data, as well as a response plan in place if they are hacked, Rolleston explains.
Additionally, security operations teams must have broader visibility of the data sets coming in and be able to identify a signal coming from all of the data, he says.
This is where the “human-machine teaming solutions” come into play, as doing this manually would be labour and cost intensive.
“One place you start seeing human-machine teaming … is in the context of analytics and using that data, not to supplant or remove humans, but to aid, to help them spot things they might not otherwise have seen,” Rolleston explains.
“Capacity is the word I look for,” Rutledge adds. “[Machines are] increasing the capacity that an individual can handle in their job.”