Active Response

Always A Bad Day For Adversaries

The Art of Intrusion Analysis and Incident Response

“In every block of marble I see a statue as plain as though it stood before me, shaped and perfect in attitude and action. I have only to hew away the rough walls that imprison the lovely apparition to reveal it to the other eyes as mine see it.”  Michelangelo (1475-1564)

Michelangelo was once asked how he came to carve such a beautiful statue of an angel for the Basilica of San Domenico. His response is quoted above.

I have often said that intrusion analysis and incident response are more art than science.  Expertise comes from experience rather than book knowledge, and a practiced gut instinct is invaluable, at least as likely to be right as an educated guess.

I then wondered: if intrusion analysis is an art, to which art should it be compared?

I recalled this quote, one of my favorites, and how aptly it applies to the domain of intrusion discovery and analysis.

In many ways, the answers we analysts seek are already in the data.  It only requires us to “hew away the rough walls” of unimportant data to reveal the activity of interest.

I teach new analysts that to find the new and unknown you must first be able to recognize the old and known, remove it, and what remains is what you are seeking.
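As an added illustration of that subtraction (example code written for this page, not something from the original post), the following Python builds a "known" baseline of (process, destination domain) pairs from a period of constructed connection telemetry and then removes every matching record from the current day, leaving only the residue for the analyst to read. Two practical caveats are built in: a pair only counts as known if more than one host produced it during the baseline, so a single-host oddity cannot whitelist itself, and the domain generalization is deliberately naive (last two labels) so that the risk of collapsing too far is visible rather than hidden. All host names, process names and domains are constructed for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the original post): one outbound
# connection per line, formatted "host process destination_fqdn bytes_out".
BASELINE = """\
ws01 outlook.exe mail.example-saas.com 4210
ws02 outlook.exe mail.example-saas.com 3900
ws01 chrome.exe www.example.com 15000
ws02 chrome.exe cdn.example.com 22000
ws03 chrome.exe www.example.com 8000
ws01 svchost.exe update.example-os.net 2000
ws02 svchost.exe update.example-os.net 2100
ws03 svchost.exe update.example-os.net 1900
ws01 python.exe pkg.example.org 5000
ws03 python.exe pkg.example.org 4700
ws03 rundll32.exe 7ab3.example-cdn.net 300
"""

# The "current" period we want to hew down to the unknowns (also constructed).
CURRENT = """\
ws01 outlook.exe mail.example-saas.com 5100
ws02 chrome.exe img.example.com 12000
ws01 svchost.exe update.example-os.net 2050
ws02 powershell.exe 9f3c.example-cdn.net 48000
ws03 rundll32.exe 7ab3.example-cdn.net 310
ws03 python.exe pkg.example.org 4800
"""


def parse(text):
    """Turn the log text into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        host, process, fqdn, bytes_out = parts
        records.append({"host": host, "process": process.lower(),
                        "fqdn": fqdn.lower(), "bytes": int(bytes_out)})
    return records


def registered_domain(fqdn):
    """Collapse a FQDN to its last two labels so that www/cdn/img.example.com
    are all one 'known' destination. This is a deliberate simplification for
    the example: real code should consult the Public Suffix List, and
    collapsing too far (everything under a shared CDN, say) would hide an
    adversary riding on the same infrastructure as legitimate traffic."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn


def known_key(rec):
    """The identity we consider 'the same activity': process plus domain."""
    return (rec["process"], registered_domain(rec["fqdn"]))


def build_known(records, min_hosts=2):
    """Return the set of (process, domain) pairs that are old and known.
    A pair becomes known only if at least min_hosts distinct hosts produced
    it in the baseline; a one-off in the baseline may itself be the intrusion
    you are hunting, so it is not allowed to whitelist itself."""
    hosts_by_key = defaultdict(set)
    for rec in records:
        hosts_by_key[known_key(rec)].add(rec["host"])
    return {k for k, hosts in hosts_by_key.items() if len(hosts) >= min_hosts}


def hew_away(records, known):
    """Remove everything that matches the baseline; the rest is the residue."""
    return [rec for rec in records if known_key(rec) not in known]


def residue_lines(baseline_text=BASELINE, current_text=CURRENT, min_hosts=2):
    """Run the whole subtraction and return the leftover lines as strings."""
    known = build_known(parse(baseline_text), min_hosts)
    return [f"{r['host']} {r['process']} {r['fqdn']} {r['bytes']}"
            for r in hew_away(parse(current_text), known)]


if __name__ == "__main__":
    for line in residue_lines():
        print(line)
```

With the default `min_hosts=2` the residue is the powershell.exe connection to a never-seen domain and the rundll32.exe connection that only one host ever made; relaxing to `min_hosts=1` lets the baseline's single rundll32.exe record whitelist itself and the second line disappears, which is exactly the failure mode to watch for when the baseline period may already contain the adversary.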




  1. Minh

    This post really hit home. Perhaps by chance, I had a conversation earlier today with a senior leader who seemed convinced that automation can be done for analytics. To a degree this could and should be done for scalability reasons. I stated that the analysis I perform today is far better than that of a few years ago. It’s the constant cultivation of problem solving and critical thinking which hones an analyst into becoming better.

    How then can a human invention replace the analytical mind when only recently were we able to program machines to replicate the behavior of a fish brain? As we use more technology upon new technologies we must be able to discern the science from the artistry. The analytical mindset cannot be replicated; the tools which aided Michelangelo can. If Michelangelo had had a 3D printer, who knows how many awesome things he could have made?

    On the topic of discovery of the new and unknown, I agree: the best method of finding the new is understanding the knowns first. Only then can you realize that you are in fact looking at something new. Sir Arthur Conan Doyle said it best: “when you have eliminated the impossible, whatever remains, however improbable, must be the truth.”

  2. Jose

    Couldn’t agree more with you and Minh. Not 3-4 weeks ago I had a similar discussion where I tried to convince them that we need to consistently find the known to better understand how to identify the unknown. Keep it up!
