
Tim MalcomVetter

Co-Founder / CEO

Blue Teams Think in Algorithms

Everything can be done algorithmically, even responding to security alerts.

Previously, I told a story about how Red Teams can think in algorithms. Today, let’s tell part 2: Blue Teams thinking in algorithms…

# A Blue Team Sequel

Sitting in a different conference room years after the prior Red Team story, I found myself staring at the exact same problem but in reverse: the defender’s angle. Blue Team SOC analysts, under a time crunch to meet response-time SLAs, needed help. Alerts were streaming in and piling up. Air-traffic-controller-level stress built with each new case in our ticketing system, as analysts needed to triage faster and faster to clear the queues. Each time they moved faster, they grew more worried about whether they were assigning the proper verdicts to the alerts. Choose a false positive verdict and you annoy the customer, feeding their alert fatigue. Choose a false negative verdict and you might not tell a customer about the solitary signal that could have prevented an early-stage intrusion from becoming a disaster on the national news. This is a super stressful position to be in on a good day, and far worse when the queues accumulate a backlog. Our most senior analysts didn’t believe there was much that could be done, short of hiring more SOC analysts than we could afford.

Then it hit me: I’ve seen this problem before.

I started asking them about the “algorithm” they were following to triage cases, and I got the same response as I did with my Red Team years before.

“Algorithm? What algorithm? We’re not following an algorithm. I can’t define an algorithm for this. I have to see each case one at a time and decide what to do with it.”

“That sounds an awful lot like ‘I have to feel the shell,’” I thought to myself.

# Blue Team Algorithms

I took them through the same mental exercise:

“Show me an example case. What would you do here?”

We walked through many examples before they realized what I already saw: they had an undefined algorithm in their head for how to triage alerts.

Then came my next epiphany: not only were the most senior analysts thinking in an algorithm they couldn’t name, but we were also training our SOC analysts to think in an algorithm. We just didn’t recognize it ourselves. We would tell them:

“If you see [A] and [B], then you need to escalate the case. Except, of course, if you also see [C], which is how you can tell the case can be dismissed.”

Unfortunately, most junior SOC analysts are not only new to that particular role, but also new to cybersecurity, so this was a high-pressure fire hose of information for them, much of which didn’t stick the first time (or the next several times).
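Here is what that spoken rule looks like once it is written down instead of passed along verbally. This is an added illustration, not code from the original post or from Wirespeed; the features ([A] encoded PowerShell, [B] an Office parent process, [C] an approved change ticket), the rule and the alert records are all constructed for the example, and an alert that no rule covers is routed to a human rather than silently dismissed.

```python
# Added example (not Wirespeed's code): "[A] and [B] means escalate, unless [C]"
# expressed as explicit triage logic. Every feature, rule and alert below is constructed.
from dataclasses import dataclass
from typing import Callable, Optional

Alert = dict  # one alert record: feature name -> value
Predicate = Callable[[Alert], bool]

@dataclass
class TriageRule:
    name: str
    required: list[Predicate]    # all must hold: the "[A] and [B]" part
    exceptions: list[Predicate]  # any one dismisses: the "except if [C]" part

    def evaluate(self, alert: Alert) -> Optional[tuple[str, str]]:
        """Return (verdict, reason) if this rule applies to the alert, else None."""
        if not all(p(alert) for p in self.required):
            return None
        for exc in self.exceptions:
            if exc(alert):
                return ("dismiss", f"{self.name}: exception '{exc.__name__}' applies")
        return ("escalate", f"{self.name}: all conditions met, no exception")

# Constructed feature predicates; named functions so each verdict carries its rationale.
def encoded_powershell(a: Alert) -> bool:
    return a.get("process") == "powershell.exe" and "-enc" in a.get("cmdline", "")

def office_parent(a: Alert) -> bool:
    return a.get("parent") in {"winword.exe", "excel.exe", "outlook.exe"}

def approved_change_ticket(a: Alert) -> bool:
    return bool(a.get("change_ticket"))  # assumption: a ticket id marks sanctioned work

RULES = [TriageRule("office-spawns-encoded-powershell",
                    required=[encoded_powershell, office_parent],
                    exceptions=[approved_change_ticket])]

def triage(alert: Alert, rules: list[TriageRule]) -> tuple[str, str]:
    """First matching rule decides. An alert no rule covers is a gap in the
    algorithm, so it goes to a human instead of being quietly dismissed."""
    for rule in rules:
        result = rule.evaluate(alert)
        if result is not None:
            return result
    return ("human_review", "no rule matched; extend the algorithm rather than guess")

SAMPLE_ALERTS = [  # constructed alerts, not real telemetry
    {"process": "powershell.exe", "cmdline": "powershell -enc AAAA", "parent": "winword.exe"},
    {"process": "powershell.exe", "cmdline": "powershell -enc AAAA", "parent": "winword.exe",
     "change_ticket": "CHG-0001"},
    {"process": "powershell.exe", "cmdline": "powershell -enc AAAA", "parent": "explorer.exe"},
]
```

Run `for a in SAMPLE_ALERTS: print(triage(a, RULES))` to see escalate, dismiss and human_review in turn.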

What I didn’t realize in that moment (but now have the clarity of hindsight) is that Wirespeed began right there as a background thought in my mind. Like an earworm that wouldn’t leave me alone, the ideas began growing and fomenting … now they’re becoming a reality we can share with you.

Want to see what Wirespeed is all about? Follow us on LinkedIn / X or join our mailing list.