Humans in the Loop – The Need for Experts When Delivering Managed Detection and Response


Jack Danahy, SVP, Strategy and Security Chief Evangelist, Alert Logic

In the MDR Manifesto, we describe the tenets that support delivery of the primary MDR value: reducing the likelihood or impact of successful attacks.  Within these are obvious requirements for 24X7 visibility across and organization’s infrastructure, an awareness of current and evolving threats, and meaningful responses that consider the business context of the attack and the target.

One of the tenets, Tenet #4, is not so obvious, particularly as product vendors continue to represent their solutions as intuitive, automatic, and easy to use.  Tenet #4 refers to the need for humans in the loop.  Specifically, Tenet #4 requires that MDR providers augment technology with human intelligence to ensure accuracy and value.  It continues to be a subject for discussion in this evolving market and deserves the attention it is getting.

Machine Learning, Automated Analytics, and Humans

As infrastructures have scaled up and as security analytics have integrated increasingly heterogeneous data sources the volume of security-related data has exploded.   We see an average of over 200G of data, per customer, per day.  This data is from disparate sources, in multiple formats, and every message may contain individual elements that are used to identify malicious or suspicious activity.  Automated analysis is therefore key to distilling value within a practical time window.  Well-structured and trained analytics synthesize and extract meaning from this flood, providing observations and incident data that point to security events.

So why the humans?

Machine Learning is a great technique for recognizing patterns that occur consistently in common use.  Natural language processing is a great example.  Words are words, and their combination into full thoughts and sentences obeys certain rules.  Nouns act on nouns.  Adjectives describe those nouns and adverbs describe actions.  ML can therefore be trained to recognize those patterns and consequently parse and interpret language.

Threat and attack data don’t follow such a regimented formulation.  Attackers thrive on unpredictability, both in their actions and the ways in which they construct their own tooling.  As a result, while ML provides irreplaceable value as a distiller, there is a sufficient area of unknowability that creates grey areas in the final conclusions. For some vendors and managed security service providers this is the basis for critical problems like alert fatigue, noise pollution, and event insensitivity.  When security teams are seeing constant alerts with inconsistent value, they slowly but surely stop paying attention.

Humans, and expert humans in particular, are needed to perform that last validation, to investigate and enrich event data, so that the MDR provider is delivering valuable results.

The Role of the Humans

This task of verifying and better informing security data, particularly when it will drive a predetermined response, requires skills in security technologies, in methodologies like threat hunting, in communications around complex topics, and a practical sort of curiosity.  MDR analysts who are performing the responsibilities in Tenet #4 need to quickly research the root causes of alerts, must be able to integrate external information to identify precursors or related attacks elsewhere, and must understand enough about the context of the target environment to be able to distinguish critical and urgent issues from those that are less impactful.

These humans also need to be able to quickly compartmentalize and close the issues that they are investigating.  In attacks that threaten to spread laterally and quickly, analysts need to immediately understand steps for isolation or containment.  In the case of threats or vulnerabilities that affect multiple systems, they need to be able to prioritize patching, mitigating controls, or monitoring.

Ultimately, the human element in MDR has two core functions: To ensure that events and incidents are triggered by actual security issues and to contextualize that realization and response.

The Humanity of It All

This focus on meaningful and credible detection and response, without the constant chatter of false positives and over-reactions, drives the human element in Tenet #4.  It’s possible that ML will, in time, be capable of recognizing such nuanced elements of an attack that automated analytics will not flag benign activity.  In that same period, it’s possible that the tuning of such targeted predictions will not create false negatives as attacks are missed because they are slight mutations of known attacks.

Until then, MDR providers will need to augment their analytics with their experts.  These experts will deliver the trusted reports and responses, and their capabilities will ultimately define the success and value of the MDR providers they serve.

Learn more about how to integrate MDR into your security portfolio.

Jack Danahy is SVP, Strategy and Security and Chief Evangelist at Alert Logic, where he applies nearly 30 years of security experience to the challenge of managed detection and response (MDR). He is an innovative security leader with proven success creating, delivering, and evangelizing new security approaches. He has founded three successful security companies, most recently the endpoint and behavioral analytics firm Barkly, acquired by Alert Logic in 2019. In 1999, Jack founded Qiave Technologies (acquired by WatchGuard Technologies in 2000) and in 2003, he started application security pioneer Ounce Labs (acquired by IBM in 2009). At IBM, Danahy was Director for Advanced Security, and also led the delivery of security services for IBM across North America. Jack holds a dozen security patents and is a frequent writer and speaker on a wide range of security topics.