(Not Fifty) Shades of Gray
Don Gray | September 11, 2012
I was perusing DarkReading, a favorite security news site of mine, when I stumbled upon this article, Talking 'Bout My Reputation, which discusses an underlying fact of security monitoring: automation can only take you so far.
No matter how much context you have when monitoring (and more is always better!), you still need the understanding, creativity, experience, and knowledge of security experts to make the final verification and decision about the veracity of what your security monitoring platform is telling you.
The article discusses one kind of context, security intelligence, but there are many other sources of context, including vulnerabilities, assets, users, applications, and the organization itself. (For a more comprehensive discussion see our contextual security white paper.) The one thing that sometimes seems to be missed in this discussion is that even in the best scenario, where security alert and log information is enriched with context from all of these sources, the results still need to be treated as indicators, not as definitive verdicts. As the article points out, one issue is the lag between the time something hits a security intelligence feed and the time it ceases to be a threat: the feed can keep flagging an address or domain well after it has stopped being hostile. This is especially true in a world of fast-flux DNS and botnets that generate their own domains with domain-generation algorithms.
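The following is an added example, not code from the original post or from Solutionary's ActiveGuard platform. It shows the enrichment step described above: a firewall log line is cross-correlated with a threat-intelligence feed and an asset inventory, the intel hit is discounted when the feed entry is older than a TTL (the fast-flux / DGA lag problem), and the output is always a prioritized indicator for a SOC analyst rather than a verdict. The feed entries, asset records, log lines, weights and the seven-day TTL are all constructed assumptions for the example.

```python
# Added example: context enrichment that produces an indicator, not a verdict.
# Every feed entry, asset record, log line and weight below is constructed for
# illustration; none of it is real intelligence or vendor code.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import re

# Constructed threat-intelligence feed. Because fast-flux and DGA botnets can
# abandon an address or domain within hours, each entry records when the
# source last saw the indicator active, so we can age it out.
INTEL_FEED = {
    "198.51.100.23": {"last_seen": datetime(2012, 9, 10, 18, 0), "confidence": 0.8, "type": "c2"},
    "203.0.113.77":  {"last_seen": datetime(2012, 8, 1, 0, 0),  "confidence": 0.8, "type": "c2"},
}

# Constructed asset inventory: organizational context the feed cannot know.
ASSETS = {
    "10.0.0.5":  {"name": "db-prod-01",  "criticality": "high", "patched": False},
    "10.0.0.42": {"name": "kiosk-lobby", "criticality": "low",  "patched": True},
}

INTEL_TTL = timedelta(days=7)  # assumption: indicators older than this are stale

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)")


@dataclass
class Enriched:
    src: str
    dst: str
    intel: Optional[dict]
    stale: bool
    asset: Optional[dict]
    score: float
    disposition: str
    reasons: list = field(default_factory=list)


def enrich(log_line: str, now: datetime) -> Enriched:
    """Cross-correlate one firewall log line with intel and asset context.

    The result is a prioritized indicator for a SOC analyst. Even the highest
    score only escalates the alert for human verification; nothing here
    declares an incident confirmed.
    """
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError(f"unparseable log line: {log_line!r}")
    src, dst = m.group("src"), m.group("dst")
    reasons, score = [], 0.0

    intel = INTEL_FEED.get(dst)
    stale = False
    if intel:
        age = now - intel["last_seen"]
        stale = age > INTEL_TTL
        if stale:
            # Still listed by the feed, but the lag means it may no longer be hostile.
            score += intel["confidence"] * 0.25
            reasons.append(f"dst in intel feed but last seen {age.days}d ago (stale)")
        else:
            score += intel["confidence"]
            reasons.append(f"dst is a known {intel['type']} indicator")

    asset = ASSETS.get(src)
    if asset:
        if asset["criticality"] == "high":
            score += 0.5
            reasons.append(f"src {asset['name']} is a high-criticality asset")
        if not asset["patched"]:
            score += 0.25
            reasons.append(f"src {asset['name']} has unpatched vulnerabilities")

    if score >= 1.0:
        disposition = "escalate: analyst verification required"
    elif score > 0:
        disposition = "queue: low-priority analyst review"
    else:
        disposition = "no match: retain for correlation"
    return Enriched(src, dst, intel, stale, asset, round(score, 2), disposition, reasons)


# Constructed firewall log lines and a fixed "now" so the run is reproducible.
SAMPLE_LOGS = [
    "2012-09-11T09:00:01Z fw1 src=10.0.0.5 dst=198.51.100.23 action=allow",
    "2012-09-11T09:00:02Z fw1 src=10.0.0.42 dst=203.0.113.77 action=allow",
    "2012-09-11T09:00:03Z fw1 src=10.0.0.42 dst=192.0.2.10 action=allow",
]
NOW = datetime(2012, 9, 11, 9, 0)

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        e = enrich(line, NOW)
        print(f"{e.src} -> {e.dst}: score={e.score} {e.disposition}")
        for r in e.reasons:
            print("   -", r)
```

Run as-is, the first line escalates (fresh C2 hit from an unpatched, high-criticality host), the second is only queued because the feed entry is 41 days old and the source is a low-value patched kiosk, and the third has no match at all. The point of the stale branch is the lag the article describes: the feed alone would have scored the second line as high as the first.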
You cannot completely eliminate the human element. Solutionary is certainly proud of our ActiveGuard® monitoring platform, which powers our MSSP services, and we believe it creates a qualitative advantage by transparently cross-correlating information that has been enriched to the maximum extent possible.
Having said that, without the Security Engineering Research Team (SERT), the ActiveGuard engineers, and most importantly the SOC analysts performing final validation and verification, it is only a tool. The information it provides should not be treated as black and white, but as a strong indicator, with a human being the final arbiter of fact.

