Our COO interviews Munish Walther-Puri, the Head of Intelligence Analytics at Terbium Labs and a former Threat Intelligence Analyst for Citi Group.
Stabilitas is always learning from both customers and industry leaders, and in turn shares what we have learned. To kick off the year, Chris Hurst, Stabilitas COO, interviewed Munish Puri on topics at the intersection of artificial and human intelligence in the security space. Our goal was to help corporate security teams, analysts, GSOC operators, and Chief Security Officers better understand artificial intelligence (A.I.) and how it affects security.
One of the core beliefs at Stabilitas is that humans and technology can work together as one to solve security problems. Munish has been working with cutting-edge technology as an analyst and an intel trainer for more than a decade, both as a vendor and as an end user.
Two Perspectives: Vendors and End Users
Chris Hurst: What do you think most intelligence vendors fail to realize about their clients’ challenges?
Munish Puri: The first element is to understand that you’re part of a greater team. Your client has several resources that they’re using and they’re going to come to you for certain aspects. In terms of value that outside groups can provide, I think it really comes down to finding what others cannot.
“...your capabilities, your network, and your technology allow you to identify a threat that they might not be able to catch.”
The second element is what I call “The Blindside Hit.” This is what separates the better outside consulting firms and vendors from the best.
It is the ability to find something that’s going to impact an organization that the organization might miss. It’s not because their analysts aren’t good and it’s not because they’re not asking the right questions, but it’s that your capabilities, your network, and your technology allow you to identify a threat that they might not be able to catch. Again, it really comes down to finding what they cannot.
CH: Thinking about the reverse, what do you think most end user security teams fail to realize about the tech that is available to them?
MP: Two aspects to that answer. The first is about data. Which data do you have access to? How do you have access? Who owns the data? End users need to understand that data is useless without the partnerships to explore and analyze it. Utilizing technology, having your own internal data, and identifying partners that are going to help you is critical to your success.
The second element is about human resources and training. Of course you need the budget to procure the technology and the training that comes along with that, but the really critical piece that many end users miss is connecting methodology and technology. In other words, understanding when analysts should be using a specific tech tool in their workflow.
CH: So it sounds like you’re saying you can’t just deploy a solution and walk away without ensuring that the training is there?
MP: Yes. Think of it more in terms of longevity and retention. Training to me is a sequence. I would rather do two or three hours at a time and spread it out over several months than two days - and then you’re done. It's important to build strong habits over time.
Successes and Failures
CH: In the past, we spoke about the misconception that A.I. is replacing humans in the security space, when the truth is that humans are more effective working with machines ("augmented intelligence") rather than humans alone. Can you give a concrete example of “humans and machines” working really well?
MP: Computers are good at one set of things: volume, scale and computation, where humans are good at another: creativity and intuition. Aligning those factors is really important. Two main examples pop into my head: the first is around weather, and the second around directions and mapping. Both examples are data driven and both examples were previously human-based prior to technology. They also involve specific, granular decisions by humans.
Let’s start with weather. With weather there is a ton of data to sort and categorize. People want to know: Do I need an umbrella today? A jacket? Snow chains? Traditionally this information was provided by local human resources, but now it’s delivered by an app. Same thing with mapping. Traditionally, newcomers to an area would talk to locals who knew the directions and routes, but with Google Maps (and previously Yahoo Maps and MapQuest), users can immediately find different and faster routes, thus saving time.
Editor's note: In the theme of humans and machines working together, we love that Google Maps or Waze traffic maps get better over time, with both active and passive user feedback. We think the same type of collaboration can be true for security.
CH: How about some of the failures? Times when humans and machines do NOT work well together?
MP: There are a lot of them (laughs). Failures happen, but I think it’s when we don’t learn from them that can be detrimental.
Let’s talk for a moment about Distributed Denial of Service, or DDoS, attacks as a diversion tactic. I’ve seen security software handle these as “oh, that’s part of the DDoS traffic,” not knowing that an adversary is causing that attack. This is because the adversary knows how a machine would read the attack and what the algorithm is looking for, and creates a cat-and-mouse game of who caused what.
Failure isn’t a bad thing, if you learn from it. I think that’s where organizations really need to push themselves - to figure out what can machines do that humans aren’t really good at and vice versa.
CH: Let's look further into the future. How will corporate security look different five years from now?
MP: There are two things that I would say.
1. The use of visualization as analysis. The best briefers use auditory and visual tools to enable data visualization.
2. The second is the division between physical and corporate information security. Adversaries look for weaknesses and exploit them. Setting up people who are in charge of security in different lanes creates blind spots. So having analysts who are more of a hybrid analyst, or All Source, is better. Having analysts who understand a range of threats, from geopolitical to natural hazard to technology risk, is the most productive way.
The Full Interview
If you would like to read the full transcript of Chris’s interview with Munish, click here. The full interview includes advice for young analysts, a discussion on training, and Munish’s reflections on past and future tech.
Stabilitas is always striving to inform, educate, and learn from industry leaders. We would like to extend our thanks to Munish Puri for his time and generous advice. Please check back for more information, posts, and interviews on AI and security related topics.
For more information about AI, physical security, risk management, or all-in-one incident detection and crisis communications technology, please reach out to us at firstname.lastname@example.org or (202) 683–7760. Or schedule a demo at https://stabilitas.io/.
Photo Credit for Fist-Bump Image: TechCrunch