Too busy

The other day I essentially heard:

We’re too busy doing the stupid tasks to work out how to automate the stupid tasks so that we don’t have to do them any more


Machine Learning Fails

  • “A robot arm with a purposely disabled gripper found a way to hit the box in a way that would force the gripper open”

OMG Skynet is born

  • “Agent kills itself at the end of level 1 to avoid losing in level 2”

No it’s fine, we’re safe

People complain that computers don’t do what they are told. The truth is the opposite: they do exactly what they are told. The real problem is that we as humans badly set the environment/parameters/questions.

Which is why a fire-and-forget SOAR approach isn’t always best; consider adding interactive steps:

  • SOC/CIRT analyst guiding the playbook via the WebUI
  • Comms over email/slack/sms/other
  • Interact with a non-SOC/CIRT user, e.g. let a business owner control the playbook flow

Look at the following two approaches, and decide which is safer.

Option 1 – Automatically find the alert, auto extraction, auto enrich, auto decision making, auto block


Option 2 – Automatically find the alert, auto extraction, auto enrich, auto decision making, but ask a user (email, slack, sms) to validate

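The two options above as a minimal playbook, an added example rather than code from the post or any SOAR product. The alert text, the reputation table and the names (Alert, extract, enrich, decide, run_playbook) are all constructed for illustration; the design choice that a missing or negative answer from the human leaves the block unapplied is an assumption, not something the post states.

```python
import re
from dataclasses import dataclass, field

# Constructed reputation data standing in for a real enrichment service.
REPUTATION = {"203.0.113.7": 95, "198.51.100.4": 40}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class Alert:
    raw: str
    indicators: list = field(default_factory=list)
    score: int = 0
    decision: str = "none"
    blocked: bool = False
    audit: list = field(default_factory=list)

def extract(alert):
    """Auto extraction: pull IPv4 indicators out of the raw alert text."""
    alert.indicators = sorted(set(IPV4.findall(alert.raw)))
    alert.audit.append(f"extracted {alert.indicators}")

def enrich(alert):
    """Auto enrich: worst reputation score across the indicators (0 = unknown)."""
    alert.score = max((REPUTATION.get(i, 0) for i in alert.indicators), default=0)
    alert.audit.append(f"score {alert.score}")

def decide(alert, threshold=80):
    """Auto decision: a score at or above the threshold proposes a block."""
    alert.decision = "block" if alert.score >= threshold else "monitor"
    alert.audit.append(f"decision {alert.decision}")

def run_playbook(raw, firewall, validator=None):
    """validator=None is Option 1 (auto block). Otherwise Option 2: the block is
    applied only if the human answers "approve"; a refusal or no answer at all
    (None, e.g. an email/slack timeout) leaves it unapplied and records why."""
    alert = Alert(raw)
    extract(alert)
    enrich(alert)
    decide(alert)
    if alert.decision != "block":
        return alert
    answer = "approve" if validator is None else validator(alert)
    if answer == "approve":
        firewall.update(alert.indicators)  # the actual containment action
        alert.blocked = True
        alert.audit.append("blocked " + ("(auto)" if validator is None else "(validated)"))
    else:
        alert.audit.append(f"block withheld: validator answered {answer!r}")
    return alert
```

The audit list is the part worth keeping in a real playbook: when a human later asks why something was or was not blocked, the answer is already recorded.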



Three Analysts Walk into a Bar

Yesterday we used this image at the eCrime conference and asked “what’s wrong with this picture?”

three analysts in a bar


The ‘official’ answer was “SOC Analysts don’t have time to be in a bar”, as they likely have an alert queue 500 long.

However, the audience gave equally funny answers:

  • They are smiling
  • We can’t get a team who work in the same city/country
  • We can’t find 3 good analysts

And who wouldn’t expect a room full of analysts to give an analytical answer:

  • There’s no barman