The security industry faces a workforce shortage, with an estimated deficit of 1–2 million workers in the coming years. In security operations centers, this shortage is compounded by nonintuitive interfaces and complex query languages that further impede the capabilities of the current security workforce. Researchers tackling this problem have focused more on augmenting analysts through standardized analytic processes, such as collaboration and information sharing, and less on providing user-friendly capabilities to help inexperienced and experienced analysts alike. Assistive technologies, such as conversational interfaces (e.g, chatbots), could fundamentally shift the way defenders interact with and wrangle the increasingly complex and growing data challenges.
Conversational interfaces and other assistive technologies have increasingly been employed in use cases that have big data problems along with users who lack the time, resources, or skills to analyze the data. These intelligent assistants can provide best practices guidance and recommended paths to desired actions within an intuitive, natural language interface. Could intelligent assistants similarly help security professionals defend their networks? To answer this question, Bobby Filar and Rich Seymour conducted user-experience research across diverse roles, behaviors, and workflows employed during day-to-day operations and documented many of the key pain points of experienced and inexperienced analysts, including alert fatigue, data overload, and complex user interfaces.
Bobby and Rich explain how they used this research to develop a chatbot, combining machine learning within an intuitive UI to expedite data search and discovery and enhance detection and response to security threats. They offer an overview of the research and development process—including the user-centric research and personas that scoped the problem, the findings from the study, and the design requirements generated—and lead a case study dissection of Artemis, their conversational interface to reduce alert fatigue through natural language search, workflow recommendations, and guided triage. Along the way, they discuss the challenges they encountered (and some solutions) and stress the importance of the feedback loop and user testing that helped them hone a conversational interface that fits within but also augments the current workflow, expediting detection and discovery for security professionals.
Bobby Filar is a senior data scientist at Endgame, where he employs natural language processing and machine learning to drive cutting-edge detection and contextual understanding capabilities in Endgame’s endpoint detection and response platform. Previously, Bobby worked on natural language understanding problems such as inference, conversational interfaces and topic modeling at a research nonprofit. Bobby has given talks at several industry conferences, including AISec and PyData.
Rich Seymour is a senior data scientist at Endgame, where he works on integrating R&D successes into the company’s platform and experimenting with new techniques to make security sensible. He holds a PhD in materials science and an MS in computer science, both from the University of Southern California, where he worked on high-performance computing simulations of nanoscale materials under stress.
©2017, O'Reilly Media, Inc. • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org