Evaluating cybersecurity defenses with a data science approach
Cybersecurity analysts are under siege to keep pace with the ever-changing threat landscape. The analysts are overworked as they are bombarded with and burned out by the sheer number of alerts that they must carefully investigate. Brennan Lodge and Jay Kesavan explain how to use a data science model for alert evaluations to empower your cybersecurity analysts.
| Talk Title | Evaluating cybersecurity defenses with a data science approach |
| Speakers | Brennan Lodge (Goldman Sachs), Jay Kesavan (Bowery Analytics LLC) |
| Conference | Strata Data Conference |
| Conf Tag | Making Data Work |
| Location | London, United Kingdom |
| Date | April 30-May 2, 2019 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
Cybersecurity analysts are under siege to keep pace with the ever-changing threat landscape. The analysts are overworked as they are bombarded with and burned out by the sheer number of alerts that they must carefully investigate. This intense workload can be a true testament to anyone’s patience. Our industry is struggling to keep up and is alternatively promoting silver bullets and panaceas to catch zero days, defend against APT and use AI to detect attacks better and faster. Instead of detecting or preventing better and faster, we should be looking inwardly at our security operation centers (SOC) to be better serve our human analysts. Security departments should be seeking data-driven approaches for more efficient evaluations on operations. Approaches like data science and algorithms to statistically evaluate the operations within a SOC will help. Big data is becoming a big problem for SOCs, but it should be a solution. Brennan Lodge and Jay Kesavan explain how to use a data science model for alert evaluations to empower your cybersecurity analysts and help them overcome the monotonous work that leads to career burnout. Analysts’ laborious investigations already include a variety of data points, logs, notes, escalations, and conclusion tags. Combining these data points or independent variables can feed a ML algorithm against a dependent variable or conclusion tags to build an evaluation score against sensors and detection rules. With proper labeling and data wrangling, an evaluation score can be gleaned from a logistic regression algorithm. This output can evaluate the efficacy of alerts from SIEMs. With this insight, security engineers, management, and analysts alike can be empowered to make data-driven decisions to tune and lessen the burden on the SOC from investigating fewer false-positive-related cases.
