Catching and investigating cyber attacks feels a bit like detective work. And whenever I think of detectives, one of my favorites comes to mind: Sherlock Holmes.
The Sherlock Holmes stories are always a fun read as well as a great mental workout. I’m always fascinated by the way Sherlock Holmes takes a seemingly impossible case and solves it at the last moment with shocking simplicity and elegance. “‘Excellent!’ I cried. ‘Elementary,’ said he.”
Back to cyber security: it would be great to be Sherlock Holmes, wouldn’t it? He would use the smartest and most efficient forensics. Zoom in on the important facts and ignore the noise. Clearly articulate what happened. And of course – solve the case!
At first it doesn’t seem like a fair comparison. Today’s hyper-connected world moves a bit faster than Holmes’ Victorian England. And Holmes was always called in AFTER the crime was discovered. He had the luxury of picking his cases. Today’s security analysts must sift through tons of data just to discover the cases, and investigate dozens of them simultaneously.
“Data! Data! Data!” he cried impatiently. “I can’t make bricks without clay.”
How can we help cyber analysts to be the modern version of Sherlock Holmes? Holmes had Dr. Watson – a solid, reliable physician with excellent forensic skills – to bring him the information he needed to solve his crimes. Today’s analysts could certainly use a cyber-watson to help collect and sort all of the information they need.
Which brings us to the next problem – finding qualified people. Forget Sherlock Holmes – just hiring a junior analyst is a big challenge these days.
So what if we could automate Dr. Watson? Several of them, in fact, working 24×7? My ideal cyber-watson would handle the initial stages of security investigation that take so much time – reviewing alerts, triaging, gathering forensic evidence, validating leads and dismissing false positives, identifying possible connections for follow up.
Automation would certainly help address two of our biggest headaches – the huge amount of data that needs to be analyzed, and the lack of skilled people to analyze it. So let’s consider how a modern Holmes-and-Watson security operation would look.
“There is nothing like first-hand evidence.”
To start, an automatic investigation must provide the full context of every incident – the entire storyline across the attack chain, along with the raw forensic data relevant to every stage.
“You know my methods.”
With all of the evidence in hand, the automated investigator should then simulate what good analysts do: continuously assess all of the facts, determine which ones are relevant, choose the next step in the investigation, and finally establish a coherent attack storyline.
“Nothing clears up a case so much as stating it to another person.”
Last but certainly not least, an automated investigator needs to share its findings in an intuitive way. Dr. Watson was indispensable because he communicated his findings clearly and thoroughly. He reached his own conclusions, but he was always humble enough to hand over the final analysis to Holmes.
And that, in a nutshell, is what a human analyst needs in order to fully trust an automated assistant – a complete storyline.
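The three steps just described (gather the full context of every alert, decide which facts are connected and chain them into a storyline, then present the result clearly with the evidence alongside) can be sketched as a small triage engine. The Python below is an added illustration and is not Verint’s code or that of any product the post describes; the attack-chain stage names, the scoring rule, the noise threshold, and the sample alerts are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed attack-chain stages, in the order used to lay out a storyline.
STAGE_ORDER = {
    "delivery": 0, "execution": 1, "persistence": 2,
    "credential_access": 3, "lateral_movement": 4, "exfiltration": 5,
}


@dataclass(frozen=True)
class Alert:
    id: str
    ts: datetime
    host: str
    user: str
    stage: str
    severity: int   # 1 (low) .. 5 (high)
    detail: str     # the raw forensic observation behind the alert


def link_alerts(alerts):
    """Group alerts that share a host or a user into candidate storylines.

    A small union-find over entity keys: two alerts land in the same group
    if a chain of shared hosts/users connects them.
    """
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    first_seen = {}  # entity key -> index of the first alert mentioning it
    for i, a in enumerate(alerts):
        for key in (("host", a.host), ("user", a.user)):
            if key in first_seen:
                union(i, first_seen[key])
            else:
                first_seen[key] = i

    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)
    # Order each storyline chronologically so it reads across the attack chain.
    return [sorted(g, key=lambda a: a.ts) for g in groups.values()]


def score(storyline):
    """Rank storylines: total severity plus a bonus per additional distinct
    stage, so a chain of medium alerts outranks one loud isolated alert."""
    stages = {a.stage for a in storyline}
    return sum(a.severity for a in storyline) + 2 * (len(stages) - 1)


def triage(alerts, noise_severity=2):
    """Return (storylines ranked high to low, ids of alerts dismissed as noise).

    A lone alert at or below noise_severity with nothing linked to it is
    treated as a probable false positive and set aside rather than escalated.
    """
    kept, dismissed = [], []
    for story in link_alerts(alerts):
        if len(story) == 1 and story[0].severity <= noise_severity:
            dismissed.append(story[0].id)
        else:
            kept.append(story)
    kept.sort(key=score, reverse=True)
    return kept, dismissed


def describe(storyline):
    """Render a storyline the way an analyst wants to read it: one line per
    step, in attack-chain order, with the raw evidence alongside."""
    ordered = sorted(storyline, key=lambda a: (STAGE_ORDER.get(a.stage, 99), a.ts))
    hosts = sorted({a.host for a in ordered})
    users = sorted({a.user for a in ordered})
    lines = [f"Storyline score={score(storyline)} hosts={hosts} users={users}"]
    for a in ordered:
        lines.append(f"  {a.ts:%H:%M} {a.stage:<18} sev{a.severity} {a.id}: {a.detail}")
    return "\n".join(lines)


def _t(hhmm):
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample alerts (not real telemetry): one phishing-to-lateral-movement
# chain on ws-07/alice, one spam false positive, one isolated high-severity event.
SAMPLE_ALERTS = [
    Alert("A1", _t("09:02"), "ws-07", "alice", "delivery", 2, "macro-enabled attachment opened"),
    Alert("A2", _t("09:03"), "ws-07", "alice", "execution", 3, "powershell.exe spawned by winword.exe"),
    Alert("A3", _t("09:10"), "ws-07", "alice", "credential_access", 4, "process read lsass memory"),
    Alert("A4", _t("09:15"), "srv-db-01", "alice", "lateral_movement", 4, "network logon from ws-07"),
    Alert("A5", _t("10:00"), "ws-12", "bob", "delivery", 1, "message flagged by spam filter"),
    Alert("A6", _t("10:30"), "ws-19", "carol", "execution", 4, "unsigned binary run from %TEMP%"),
]

if __name__ == "__main__":
    stories, noise = triage(SAMPLE_ALERTS)
    for s in stories:
        print(describe(s), "\n")
    print("dismissed as noise:", noise)
```

Run as a script, it prints the ws-07/alice chain first (four alerts spanning delivery through lateral movement), the isolated high-severity event on ws-19 second, and lists A5 as dismissed. The point of the design is the split of responsibilities the post calls for: linking by shared entities gives the full context, scoring decides what matters, and `describe` hands the analyst a storyline with the underlying evidence rather than a verdict.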
“When you have eliminated the impossible, whatever remains, however improbable, must be the truth.”
It’s become virtually impossible for security teams to investigate the thousands of alerts that surface each day. It’s time for something different. By automating cyber investigations with thousands of virtual Dr. Watsons, we can turn every security analyst into a Sherlock Holmes, with a small number of incidents to investigate each day, each clearly laid out with all of the forensic evidence required to make decisions and remediate quickly.
Learn more about how Verint is combining the brilliance of man with the efficiency of a machine to revolutionize incident detection and response.