ArchiveDecision IntelligenceOODA Original

Why is cyber threat detection so hard?

Why is cyber threat detection so hard? The most obvious reason threat detection is hard is that “threat” is too abstract to solve. It may seem obvious, but effective problem solving requires problem framing. Hence, everyone involved in the process clearly understands the problem and what it is not. We get distracted by vague and amorphous claims of AI outthinking humans or being “slightly” conscious. We forget that problem-solving is more complicated than pip install tensorflow.

Of course, problem framing requires domain knowledge. You must know something about the problem you want to solve, or you will have to learn about it. Unfortunately, this takes time and even then, the problem may be too complicated to understand and articulate fully.

To explain, understand that we tend to know a lot about complex problems after we need to know them. We see this reflected in traditional threat detection which is very rigid and historically implemented in security information and event management systems (SIEMs) with rules and knowledge bases such as signatures. These so-called expert systems manipulate information to detect known threats and alert users. They are called “expert” because they capture specialized knowledge and not because they have a generalizable performance to adjacent threats.

While expert systems capture specialized knowledge, the knowledge itself is often rudimentary. The reason is that few problems contain unambiguous facts that are universal and completely formalizable. This is true for complex problems but especially true for the edges of complex problems. For example, threat hunters––working on the edges of the threat detection problem––rarely know they are making decisions. These skilled experts are fluidly interacting with the problem and responding to patterns they recognize without considering what rules might apply, mainly because few explicit rules apply.

Explicit rules seem to be available only for more straightforward problems, and why so-called expert systems such as SIEMs are, in practice, more akin to beginner systems. I vividly recall a typical “top talkers” response from cybersecurity analysts when asked what to look for when designing threat detection algorithms. This is not to poke fun at security professionals––quite the opposite. They are working on a complex problem where aspects can be challenging to solve because they can be tough to explain to others. The paradox is that for problems for which we need the most help, we are often in the weakest position to ask for it or give it. The lesson I’ve learned is to find beginners and have them tell you what they do. Then, find experts, and watch what they do.

So, problem-solving requires problem specification. However, you can’t specify something you don’t know, nor can you learn something from someone who can’t tell. This is reason behind the adoption of machine learning in many domains, including cybersecurity. Machine learning relaxes the requirements of problem-solving: specifically, the requirement of having to know every detail about a problem which is a requirement for traditional software development and expert systems (e.g., SIEMs). There may be no other development like machine learning that promises this impact on problem-solving. Unfortunately, machine learning does not obviate the requirements of problem-solving. Therefore, domain comprehension and problem framing requirements still exist.

Figuring out where to start is often the most challenging part of problem-solving. We get weighed down by the size of problems and which direction to take. When stuck, we wonder if we can get ourselves unstuck at all. If you don’t know where to start, consider picking the smallest and most accessible part of the problem and try to solve the problem with the smallest and most straightforward solution. Working toward simplicity is an effort to understand any aspect of the problem rather than being weighed down by every part of the problem. Try to find the minimum number of changes needed to create a solution where the problem does not exist. The goal of problem-solving is not to find the most complex version of the problem to solve or build the most complex solution, but rather the least complicated versions of both.

Of course, you can go too small of problem specification. You can make a problem so narrow that you make it trivial. Trivial solutions to narrow problems do not reliably create customers. Moreover, while reductionism is a methodology for approaching complex problems, it is not a solution for complex problems by itself. In other words, reductionism at all costs has a cost, even for problems it is best suited for, like threat detection.

Reductionism is a good place to start, but it’s not the best place to finish. For example, point products are rather common in cybersecurity including threat detection. These products provide a partial solution to a specific threat vector rather than addressing all the requirements that might otherwise be met with a multipurpose solution like a SIEM. Point products constrain a problem to achieve performance gains but at the expense of adjacent parts of the whole of the problem. The result is an incomplete response, creating new problems because partial solutions struggle at the edges of adjacent problems. A partial solution without the support of other partial solutions will result in a solution for which the size of the underlying problem tears the partial solution apart.

The point is that problem-solving should start small but understand that you will oscillate between solving parts of a problem and the whole of the problem and between reductionism and holism in practice. The reason is simple: practical problem solving requires understanding all aspects of a problem, the various levels of a problem, and how everything interacts. These are essential boundaries that all need to be understood because boundaries tell you what to do and not to do.

In part two of this series, we will discuss why threat detection is so hard despite the application of machine learning.


To continue reading please consider joining as either a subscriber or full member to support our continued research and analysis. For more on benefits of membership see below.

Want more insight? Log in for the full report

Already a member?  Sign in to your account.

Become A Member

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation state conflict, non-nation state conflict, global health, international crime, supply chain and terrorism. Explore Security and Resiliency


The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member only video library. Explore The OODA Community

Rich Heimann

Rich Heimann

Rich Heimann is Chief AI Officer at Cybraics Inc, a fully managed cybersecurity company. Founded in 2014, Cybraics operationalized many years of cybersecurity and machine learning research conducted at the Defense Advanced Research Projects Agency. Rich is also the author of Doing AI, a book exploring what AI is, is not, what others want AI to become, what you need solutions to be, and how to approach problem-solving. Please find out more about his book here.