There is a familiar trope in Hollywood cyberwarfare movies. A lone whiz kid hacker (often with blue, pink, or platinum hair) fights an evil government. Despite combatting dozens of cyber defenders, each of whom appears to be working around the clock and has very little need to use the facilities, the hacker is able to defeat all security and gain access to the secret weapon plans or whatever have you. The weapon stopped, the hacker becomes a hero.
The real world of security operations centers (SOCs) couldn’t be further from this silver screen fiction. Today’s hackers (who are the bad guys, by the way) don’t have the time to custom hack a system and play cat-and-mouse with security professionals. Instead, they increasingly build a toolbox of automated scripts and simultaneously hit hundreds of targets using, say, a newly discovered zero-day vulnerability and trying to take advantage of it as much as possible before it is patched.
Security analysts working in a SOC are increasingly overburdened and overwhelmed by the sheer number of attacks they have to process. Yet, despite the promises of automation, they are often still using manual processes to counter these attacks. Fighting automated attacks with manual actions is like fighting mechanized armor with horses: futile.
Nonetheless, that’s the current state of things in the security operations world, but as V.Jay LaRosa, the VP of Global Security Architecture of payroll and HR company ADP explained to me, “The industry, in general from a SOC operations perspective, it is about to go through a massive revolution.”
That revolution is automation. Many companies have claimed that they are bringing machine learning and artificial intelligence to security operations, and the buzzword has been a mainstay of security startup pitch decks for some times. Results in many cases have been nothing short of lackluster at best. But a new generation of startups is now replacing soaring claims with hard science, and focusing on the time-consuming low-hanging fruit of the security analyst’s work.
One of those companies, as we will learn shortly, is JASK. The company, which is based in San Francisco and Austin, wants to create a new market for what it calls the “autonomous security operations center.” Our goal is to understand the current terrain for SOCs, and how such a platform might fit into the future of cybersecurity.
The security operations center is the central nervous system of corporate security departments today. Borrowing concepts from military organizational design, the modern SOC is designed to fuse streams of data into one place, giving security analysts a comprehensive overview of a company’s systems. Those data sources typically include network logs, an incident detection and response system, web application firewall data, internal reports, antivirus, and many more. Large companies can easily have dozens of data sources.
Once all of that information has been ingested, it is up to a team of security analysts to evaluate that data and start to “connect the dots.” These professionals are often overworked since the growth of the security team is generally reactive to the threat environment. Startups might start with a single security professional, and slowly expand that team as new threats to the business are discovered.
Given the scale and complexity of the data, investigating a single security alert can take significant time. An analyst might spend 50 minutes just pulling and cleaning the necessary data to be able to evaluate the likelihood of a threat to the company. Worse, alerts are sufficiently variable that the analyst often has to repeatedly perform this cleanup work for every alert.
Data wrangling is one of the most fundamental problems that every SOC faces. All of those streams of data need to be constantly managed to ensure that they are processed properly. As LaRosa from ADP explained, “The biggest challenge we deal with in this space is that [data] is transformed at the time of collection, and when it is transformed, you lose the raw information.” The challenge then is that “If you don’t transform that data properly, then … all that information becomes garbage.”
The challenges of data wrangling aren’t unique to security — teams across the enterprise struggle to design automated solutions. Nonetheless, just getting the right data to the right person is an incredible challenge. Many security teams still manually monitor data streams, and may even write their own ad-hoc batch processing scripts to get data ready for analysis.
Managing that data inside the SOC is the job of a security information and event management system (SIEM), which acts as a system of record for the activities and data flowing through security operations. Originally focused on compliance, these systems allow analysts to access the data they need, and also log the outcome of any alert investigation. Products like ArcSight and Splunk and many others here have owned this space for years, and the market is not going anywhere.
Due to their compliance focus though, security management systems often lack the kinds of automated features that would make analysts more efficient. One early response to this challenge was a market known as user entity behavior analytics (UEBA). These products, which include companies like Exabeam, analyze typical user behavior and search for anomalies. In this way, they are meant to integrate raw data together to highlight activities for security analysts, saving them time and attention. This market was originally standalone, but as Gartner has pointed out, these analytics products are increasingly migrating into the security information management space itself as a sort of “smarter SIEM.”
These analytics products added value, but they didn’t solve the comprehensive challenge of data wrangling. Ideally, a system would ingest all of the security data and start to automatically detect correlations, grouping disparate data together into a cohesive security alert that could be rapidly evaluated by a security analyst. This sort of autonomous security has been a dream of security analysts for years, but that dream increasingly looks like it could become reality quite soon.
LaRosa of ADP told me that “Organizationally, we have got to figure out how we help our humans to work smarter.” David Tsao, Global Information Security Officer of Veeva Systems, was more specific, asking “So how do you organize data in a way so that a security engineer … can see how these various events make sense?”
That’s where a company like JASK comes in. Its goal, simply put, is to take all the disparate data streams entering the security operations center and automatically group them into attacks. From there, analysts can then evaluate each threat holistically, saving them time and allowing them to focus on the sophisticated analytical part of their work, instead of on monotonous data wrangling.
The startup was founded by Greg Martin, a security veteran who previously founded threat intelligence platform ThreatStream (now branded Anomali). Before that, he worked as an executive at ArcSight, a company that is one of the incumbent behemoths in security information management.
Martin explained to me that “we are now far and away past what we can do with just human-led SOCs.” The challenge is that every single security alert coming in has to go through manual review. “I really feel like the state of the art in security operations is really how we manufactured cars in the 1950s — hand-painting every car,” Martin said. “JASK was founded to just clean up the mess.”
Machine learning is one of these abused terms in the startup world, and certainly that is no exception in cybersecurity. Visionary security professionals wax poetic about automated systems that instantly detect a hacker as they attempt to gain access to the system and immediately respond with tested actions designed to thwart them. The reality is much less exciting: just connecting data from disparate sources is a major hurdle for AI researchers in the security space.
Martin’s philosophy with JASK is that the industry should walk before it runs. “We actually look to the autonomous car industry,” he said to me. “They broke the development roadmap into phases.” For JASK, “Phase one would be to collect all the data and prepare and identify it for machine learning,” he said. LaRosa of ADP, talking about the potential of this sort of automation, said that “you are taking forty to fifty minutes of busy work out of that process and allow [the security analysts] to get right to the root cause.”
This doesn’t mean that security analysts are suddenly out of a job, indeed far from it. Analysts still have to interpret the information that has been compiled, and even more importantly, they have to decide on what is the best course of action. Today’s companies are moving from “runbooks” of static response procedures to automated security orchestration systems. Machine learning realistically is far from being able to accomplish the full lifecycle of an alert today, although Martin is hopeful that such automation is coming in later phases of the roadmap.
Martin tells me that the technology is being used by twenty customers today. The company’s stack is built on technologies like Hadoop, allowing it to process significantly higher volumes of data compared to legacy security products.
JASK is essentially carving out a unique niche in the security market today, and the company is currently in beta. The company raised a $2m seed from Battery in early 2016, and a $12m series A led by Dell Technologies Capital, which saw its investment in security startup Zscaler IPO last week.
There are thousands of security products in the market, as any visit to the RSA conference will quickly convince you. Unfortunately though, SOCs can’t just be built with tech off the shelf. Every company has unique systems, processes, and threat concerns that security operations need to adapt to, and of course, hackers are not standing still. Products need to constantly change to adapt to those needs, which is why machine learning and its flexibility is so important.
Martin said that “we have to bias our algorithms so that you never trust any one individual or any one team. It is a careful controlled dance to build these types of systems to produce general purpose, general results that applies across organizations.” The nuance around artificial intelligence is refreshing in a space that can see incredible hype. Now the hard part is to keep moving that roadmap forward. Maybe that blue-haired silver screen hacker needs some employment.