Reducing the cognitive burden in cyber defence

by Richard Yorke

It’s no secret that the volume, sophistication and impact of cyber attacks are continuing to rise and with this detection systems are raising ever increasing volumes of alerts and logs. Cyber analysts play a vital role in the operational security of business critical networks but the increasing cognitive burden placed upon them is not sustainable.

The reason for this is that there are two BIG PROBLEMS with cyber analysts…

BIG PROBLEM #1: They’re only human.

Some might disagree — not that cyber analysts are human (although there are some who are so talented that they stretch the very definition!), but that the very fact they are human is a weakness. And to some degree they’d be right. The human brain is amazing at spotting patterns in what appears to be a disparate and confusing world of chaos. Machine Learning is catching up, but human brains are currently, still, better value for money in spotting things that haven’t been spotted before.

Where the human frailty plays a part is in our ability to continue to make complex decisions over long periods of time. Logical thinking and decision making is expensive when it comes to power usage in the human body. That’s why Spock never wasted calories on a smile! And we often tend to reach for the cake to keep our brains going at times of stress…

But calories alone aren’t enough, and even the fittest minds with copious calories will eventually become exhausted.

Next time you’re standing in-line at airport security, you’ll notice that the people concentrating at the X-Ray machines swap over every 20 minutes or so, changing from the high concentration job of looking for bad things to more manual and menial jobs of asking people if they can take their shoes and belts off…

Legend has it that the reason Steve Jobs always wore his iconic black polo neck and jeans, and why Mark Zuckerberg always wears the same coloured T-shirt or hoody is because it is one less decision to make each day, giving their brains more cognitive capacity to worry about the more important decisions that need to be made.

Closer to home, how many of us have experienced those moments after an incredibly busy day at work making difficult decisions on behalf of the people in your company or your customers? For example, when you get home and your partner asks you:

  • shall we go to your mum’s or mine for Christmas?;
  • we need to decide where we’re going on holiday; or
  • would you like red wine or white?

Boom! Too many difficult decisions for one day! Time for a break!

So if human beings are great at thinking, they just can’t concentrate hard for long periods of time, then when it comes to cyber defence, why don’t we solve the problem like airport security do with short 20 minute shifts and high levels of rotation. We just need to get more cyber analysts, right? And this brings us onto the second BIG PROBLEM with cyber analysts:

BIG PROBLEM #2: There aren’t enough cyber analysts. In the world!

Anyone who’s been involved in cyber analyst recruitment knows how hard it is to find experienced professionals in this area. Cisco have reported that there are 1 million unfilled jobs in cyber security worldwide, and Forbes estimated that there will be a shortfall of 1.5m cyber analysts by 2019.

So if machine learning (ML) can’t do what humans can do, and if there aren’t enough humans to do the jobs that need doing, we need to do more with the cyber analysts we’ve got. Here at Deep3®, we believe that the way we get more out of our cyber analysts is by getting them to do less:

  • Less banal decision making…
  • Less decisions on how to do something…
  • Less decisions on analysing false positives…

This is the background that led to our Dstl joint-funded project aimed at lightening the cognitive load for cyber analysts, helping them reach their objectives, and why we called the project Sherpa.

The Sherpa project delivered a prototype that automates aspects of the cyber event triage process. We used machine learning techniques to spot patterns of events based upon similarities to other patterns of events in its cyber defence library, automatically prioritise events and recommend courses of action in response.

The User Interface and User Experience (UX) design was influenced by psychological and cognitive load theories and aims to reduce extraneous cognitive load by reducing the number of decisions that need to be made when using the system. Workflows, font design, colour theory, and keyboard control all form part of an interface that is intuitive to use and reduces the many micro-decisions analysts have to take when using more traditional tools… By taking away the decisions a cyber analyst shouldn’t have to make, we aimed to induce the psychological state of flow… a state that allows people to remain focused, in the zone as it were, for hours at a time.

Together, we believe this ML + UX combination can turn mere mortal cyber analysts into superhuman cyber analysts, with the right information to make the right decisions for longer.

As well as creating knowledge and learning for Dstl, the Sherpa project has also been hugely beneficial to us at Deep3® as a company. It’s been an exciting and different type of project for the team, creating new skills that we’re now able to provide to our customers. We have IP, not just in the prototype product itself, but also in the knowledge that we’ve generated across the company. Again, this has value in the day to day work we deliver, but also there’s a mountain of knowledge and IP here that could have value to the SIEM sector.

Contact Us

Do you have highly complex and secure challenge you’d like our help solving? Or some expert R&D insight to drive your operations forward? It’s easy to get in touch:

Your message has been sent. Thank you!

Our offices

Cheltenham Office
Darwin House
67 Rodney Road
GL50 1HX

Manchester Office
The Landing
M50 2ST

London Office
Tintagel House
92 Albert Embankment