Sherlock Holmes or Dr Watson? It is all about (Cybersecurity) intelligence!

by in CyberRes

Although just a fictional character, Sherlock Holmes may be the most famous detective around the world. Holmes is known for his proficiency with observation, deduction, behavior analysis, and logical reasoning. Dr. Watson is Holmes’s best friend and assistant; in the stories he was always at the crime scene with Holmes and tried to draw a conclusion from his own observations.

How do you know who the better detective is, Sherlock Holmes or Dr. Watson? Who can help you catch the criminal in the real world? Let’s do a simple comparison of their detective capabilities, using the three criteria discussed later in this post as the rows of the table.

| Capability | Sherlock Holmes | Dr. Watson |
| --- | --- | --- |
| Intelligence and algorithm | High. Holmes is equipped with a complicated behavior analysis algorithm. | Medium-low. Dr. Watson uses simple algorithms for his crime detection. |
| Experience and data models | Strong. Holmes’ experience was accumulated through hundreds of criminal cases; he learned to analyze a criminal’s behavior from many different angles/models. | Weak. With limited experience, Dr. Watson tends to analyze criminal behavior from limited angles/models. |
| Time to conclusion | Medium-long. Although Holmes is smart and experienced, he still needs the whole story’s time to determine the true criminal. | Short. Dr. Watson tends to come to a conclusion very quickly, with his simple algorithm and limited analysis models, but his conclusion was always a “false positive”. |

No doubt, Holmes is a much better detective compared with Dr. Watson.

How do you know which security analytics product is better?


Nowadays, Artificial Intelligence and Machine Learning technologies are everywhere in the cybersecurity industry, or at least that’s how it seems. Suddenly, overnight, all the security products have acquired some degree of intelligence and have become smart “detectives.” Everyone is talking about those fancy words: supervised / unsupervised machine learning, behavior profiling, neural networks, Bayesian algorithms… but in the end, how can we assess the effectiveness of these security analytics products? We may be able to learn something from Holmes and Watson’s story and evaluate them with the following criteria.

  1. Intelligence and Algorithm
  2. Experience and Data Models
  3. Time to conclusion 

Intelligence and Algorithm

The fundamental difference between Holmes and Dr. Watson is the “algorithm” they are using. While people have a tendency to compare the number of algorithms embedded in different products, the crucial factor is to use the “right” algorithm for the right task. Supervised and unsupervised machine learning are the two major categories of algorithms. Supervised machine learning is much like learning by example, which is useful for “known” threat detection; unsupervised machine learning is learning by observation and is useful for “unknown” threat detection.
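To make the known/unknown distinction concrete, here is an added example in plain Python (not code from this post, nor from ArcSight Intelligence). It puts a learn-by-example classifier, trained on a constructed labelled set whose only attack pattern is bulk exfiltration, beside a learn-by-observation baseline built from one user’s constructed unlabelled history. The feature names (`bytes_out_mb`, `distinct_hosts`), the data values, the nearest-centroid classifier and the 3-sigma threshold are all assumptions chosen for illustration.

```python
"""Supervised (learn by example) vs. unsupervised (learn by observation) detection.
Added example with constructed data; not the post's or ArcSight's code."""
from statistics import mean, pstdev

# Constructed, labelled training rows for the supervised learner:
# (bytes_out_mb, distinct_hosts, label). The only attack it has ever been shown
# is bulk exfiltration: many megabytes out to very few hosts.
LABELLED = [
    (5, 3, "benign"), (8, 4, "benign"), (6, 2, "benign"), (7, 3, "benign"),
    (900, 1, "exfil"), (1200, 2, "exfil"), (800, 1, "exfil"),
]

# Constructed, unlabelled history of one user for the unsupervised learner:
# (bytes_out_mb, distinct_hosts) per day, with no labels at all.
HISTORY = [(5, 3), (6, 3), (7, 4), (5, 2), (6, 3), (8, 4), (6, 3), (5, 3)]


def train_centroids(rows):
    """Learn by example: one mean feature vector (centroid) per label."""
    by_label = {}
    for bytes_out, hosts, label in rows:
        by_label.setdefault(label, []).append((bytes_out, hosts))
    return {label: (mean(v[0] for v in vecs), mean(v[1] for v in vecs))
            for label, vecs in by_label.items()}


def classify(centroids, event):
    """Supervised verdict: the label whose centroid is nearest (squared distance)."""
    bytes_out, hosts = event
    return min(centroids, key=lambda lab: (bytes_out - centroids[lab][0]) ** 2
                                          + (hosts - centroids[lab][1]) ** 2)


def baseline(history):
    """Learn by observation: per-feature mean and standard deviation of the
    user's own past behaviour. A zero deviation falls back to 1.0 so that a
    constant feature cannot divide by zero later."""
    return [(mean(col), pstdev(col) or 1.0) for col in zip(*history)]


def max_zscore(base, event):
    """Deviation degree: the largest |z| across the event's features."""
    return max(abs(x - mu) / sd for x, (mu, sd) in zip(event, base))


def is_anomalous(base, event, threshold=3.0):
    """Unsupervised verdict: anything further than `threshold` deviations away."""
    return max_zscore(base, event) > threshold


if __name__ == "__main__":
    centroids = train_centroids(LABELLED)
    base = baseline(HISTORY)
    events = {
        "known exfil":        (1000, 1),  # matches the pattern the supervised model learned
        "novel lateral move": (6, 40),    # never labelled, so there was no example to learn from
        "ordinary day":       (6, 3),
    }
    for name, ev in events.items():
        print(f"{name:>20}: supervised={classify(centroids, ev):6}  "
              f"unsupervised={'anomaly' if is_anomalous(base, ev) else 'normal'}")
```

Run as a script, the known exfiltration is caught by both learners, the ordinary day by neither, and the novel lateral-movement event (normal byte count, forty distinct hosts) is labelled benign by the supervised model because nothing like it was in its examples, while the baseline flags it as far outside the user’s observed behaviour.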

Experience and Data Models

With his limited experience, Dr. Watson is more “prejudiced” than Sherlock Holmes, as he can only analyze the suspect from limited angles; therefore, he always fails to identify the true criminal. Similarly, some security analytics products claim to use complicated algorithms but are only equipped with limited data models for analysis. In the real world, these products tend to generate a huge volume of false alarms, which only increases operating costs. A well-designed security analytics product should be equipped with abundant out-of-the-box data models that automatically profile user and entity behavior on each model, calculate an anomaly probability based on the degree of deviation, and then aggregate those probabilities to derive the final risk score.


Time to Conclusion

Identifying the true criminal takes time, even for an intelligent and experienced detective like Sherlock Holmes. On the other hand, drawing a false conclusion can be very quick, like Dr. Watson. When products claim to “quickly” identify a threat with only small amounts of data, it only reveals that their system is based on simple algorithms with limited data models and is not a real security “analytics” product. These systems may be able to detect a known threat but would never be able to accurately identify an unknown threat. In the world of analytics, accuracy is overwhelmingly more important than speed. Without accuracy, those false alarms only waste the time and effort of the security operators.
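The following added example (again plain Python, and not code from this post or from ArcSight Intelligence) works through both of the preceding sections: the “Experience and Data Models” pipeline of profiling a user on several data models, turning each model’s degree of deviation into an anomaly probability and aggregating into one risk score, and this section’s point that a verdict drawn from too little data is worthless, which it handles by refusing to score a user whose baseline is still too short. The four data models, the per-user histories, the two events, the warm-up length of seven observations, the mean-probability aggregation and the lead threshold of 50 are all assumptions made for the illustration; the product’s own models and aggregation are not described on this page.

```python
"""Multi-model behaviour profiling: per-model anomaly probability from deviation
degree, aggregated into one risk score, with a warm-up period before any
conclusion is drawn. Added example with constructed data; not the post's or
ArcSight's code, and its aggregation rule is an assumption."""
import math
from statistics import mean, pstdev

MIN_OBSERVATIONS = 7   # assumed warm-up: a model with less history yields no verdict
RISK_THRESHOLD = 50    # assumed: aggregated score at or above which a lead is raised

# Constructed per-user history, one list per data model (one value per day).
HISTORY = {
    "alice": {
        "login_hour":     [8, 9, 9, 8, 10, 9, 8, 9, 9, 8],
        "bytes_out_mb":   [5, 6, 7, 5, 6, 8, 6, 5, 7, 6],
        "distinct_hosts": [3, 3, 4, 2, 3, 4, 3, 3, 2, 3],
        "failed_logins":  [0, 0, 0, 0, 0, 0, 0, 0, 0, 0],   # constant history
    },
    "bob": {   # new starter: three days is not enough to profile
        "login_hour":     [9, 8, 9],
        "bytes_out_mb":   [4, 5, 6],
        "distinct_hosts": [2, 3, 3],
        "failed_logins":  [0, 0, 0],
    },
}

# Constructed events to score (same model names as the history).
LATE_NIGHT = {"login_hour": 21, "bytes_out_mb": 6,   "distinct_hosts": 3,  "failed_logins": 0}
INSIDER    = {"login_hour": 23, "bytes_out_mb": 400, "distinct_hosts": 35, "failed_logins": 0}


def anomaly_probability(history, value):
    """Map the deviation degree (z-score against the user's own baseline) to the
    probability that a value drawn from that baseline would be *less* extreme:
    about 0 for a typical value, approaching 1 far outside the baseline."""
    mu, sd = mean(history), pstdev(history)
    sd = sd if sd > 0 else 1.0            # guard: constant history must not divide by zero
    z = abs(value - mu) / sd
    return math.erf(z / math.sqrt(2))     # two-sided normal mass inside |z|


def score_event(user, event):
    """Profile the event on every data model and aggregate.
    Returns (risk_score, per_model_probabilities), or (None, reason) when any
    model's baseline is shorter than MIN_OBSERVATIONS: no conclusion yet."""
    models = HISTORY[user]
    probs = {}
    for name, value in event.items():
        hist = models[name]
        if len(hist) < MIN_OBSERVATIONS:
            return None, f"{user}/{name}: {len(hist)} observations, baseline not ready"
        probs[name] = anomaly_probability(hist, value)
    # Assumed aggregation: mean probability across models, scaled to 0..100, so a
    # single unusual model cannot raise a lead on its own but corroborating
    # models push the score up together.
    return round(100 * mean(probs.values())), probs


def is_lead(user, event):
    """Aggregated verdict."""
    risk, _ = score_event(user, event)
    return risk is not None and risk >= RISK_THRESHOLD


def single_model_flag(user, event, model, cutoff=0.95):
    """'Dr. Watson' verdict: decide from one model in isolation."""
    return anomaly_probability(HISTORY[user][model], event[model]) > cutoff


if __name__ == "__main__":
    for label, ev in (("alice late-night", LATE_NIGHT), ("alice insider", INSIDER)):
        risk, detail = score_event("alice", ev)
        print(f"{label}: risk={risk} lead={is_lead('alice', ev)} "
              f"hour-only flag={single_model_flag('alice', ev, 'login_hour')}")
    print("bob:", score_event("bob", LATE_NIGHT))
```

The late-night event is wildly unusual on the login-hour model alone, so the single-model check raises it, but the other three models look normal and the aggregated score stays well under the lead threshold. The insider event is anomalous on hour, bytes and host count at once and crosses the threshold. Bob gets no score at all until his baseline reaches the warm-up length; a quick verdict on three days of history would be exactly the kind of conclusion the post warns against.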

ArcSight Intelligence

ArcSight Intelligence behavioral analytics gives you a new lens through which to detect, investigate, and respond to threats that may be hiding in your enterprise before your data is stolen. Using unsupervised machine learning and hundreds of out-of-box data models, ArcSight Intelligence distils billions of events into a prioritized list of high-quality security leads to focus on and accelerate the efforts of your Security Operations Center (SOC).


By implementing a truly intelligent analytics product like ArcSight Intelligence, you will be able to identify the real threat among the millions of events and thousands of anomalies, just like Sherlock Holmes.
