GCN : September 2014
INSIDER THREAT DETECTION

do make honest mistakes," Crouse said, and organizations must distinguish between the malicious and the accidental in their incident response. Being able to see precursor behavior to an incident helps in making this distinction and also can identify behavior that can predict an attack.

Raytheon's SureView is a host-based endpoint monitoring tool that helps with this task. The product has been around for about 10 years, and in the last few years customers have begun asking for more features with the ability to distinguish user behavior as well as device configuration, Crouse said.

Because user visibility generates large amounts of data, automation is necessary to help with analysis. Role-based access policies and established profiles of nor-

Security automation: Are humans still relevant?

"We've got to get humans out of the equation. They can't react fast enough." --- MATT DEAN, FIREMON

Cybersecurity is being pushed in two directions. On the one hand, the growing complexity of information systems and the onslaught of threats facing them are putting a premium on speed. Automation is the future of security, said Matt Dean, vice president of product strategy at FireMon. Decisions made about who and what gains access to resources need to be smarter and faster.

The trend toward automation is evident in the government's growing emphasis on continuous monitoring of systems and networks. It is the only practical way to achieve the situational awareness promised by continuous monitoring. Agencies are supposed to be using SCAP-compliant security tools, and the "A" in SCAP stands for Automation: Security Content Automation Protocols.

On the other hand, Randy Hayes, who leads Booz Allen's global predictive intelligence business, said more humans are needed in the loop. "You do need fully automated solutions," Hayes said. But machines can't do it all.

Agencies need security operations centers (SOCs) staffed with highly trained analysts to monitor alerts and connect the dots, using human intelligence to anticipate attacks in a way that even the fastest machines can't do. "We need to bring more intelligence tradecraft to bear."

Hayes advocates an approach called resiliency, an operational strategy that treats cybersecurity like warfare. Protecting yourself from an attack with static defenses provides a false sense of security, he said. Attacks must be anticipated through knowledge of the enemy and blocked before they occur.

The two views of security are not mutually exclusive. As Hayes acknowledged, automated solutions are necessary, if not sufficient, for cybersecurity. And proponents of automation recognize that a primary benefit is to free analysts from routine chores so that they can concentrate on the threats that require human attention.

The conflict comes down to two questions: How many humans are needed in the cybersecurity loop and how many humans can we afford?

How many are needed will vary depending on the size, complexity and criticality of the enterprise being protected, of course. The more effective the automated tools being used, the more attention humans can give to serious issues. But with increasingly tight budgets and an employment market in which government is competing with the private sector for scarce human resources, agencies are likely to be perennially short-staffed with experienced cybersecurity professionals.

Hayes is convinced that the money to provide adequate human intelligence for cybersecurity across government already is there, if budgets are just prioritized properly at the highest levels of management.

Many agencies already are operating their own SOCs or have access to shared facilities, Hayes pointed out. But human staffing remains a problem for cybersecurity analysis, according to a report from the Homeland Security Department's inspector general.

Evaluating DHS efforts to coordinate federal cyber operations centers, the IG found that the National Cybersecurity and Communications Integration Center's (NCCIC) incident response capability could be hindered by the inability of the Office of Intelligence and Analysis and the Industrial Control Systems CERT to provide around-the-clock staffing.

Cyberattacks can happen at any time, but the Office of Intelligence and Analysis provides coverage only 14 hours a day for five days a week, which is less than half of the week. NCCIC told the IG it does not have funding to hire more analysts.

Doubtless, more effective use could be made of existing budget and staff, but it is unlikely that personnel for effective 24/7 analyst staffing in government SOCs will be available soon. To fill this gap, there will have to be greater reliance on automation rather than humans for the time being.

--- William Jackson