Cyber attacks have become more sophisticated, happen faster and cause more business disruption than ever before. Preventative tools like anti-virus and IDS have not kept pace. Not by a long shot. This is a problem, because if we are going to make any progress at all in defending against cyber attacks, we will need both automation and artificial intelligence to help win the fight.
For far too long, the key strategy in defending networks has been prevention, or not allowing bad things to happen in the first place. This strategy involves defending every single ingress and egress point and protecting against all threats to these points at all times. This strategy is far too complicated for most companies to ever get right. It involves addressing every possible vulnerability while the attacker only needs to find the single problem that was missed. Factor in a company’s third and even fourth party vendors, cloud and mobile technologies and the complexity of implementing this defense immediately goes well beyond the capabilities of today’s already over-stressed security teams. Security and IT teams operate with limited budgets and staffing and will likely continue to do so for some time as competing business priorities and the talent shortage continue with no end in sight.
A relatively new approach to scaling information security defense involves replacing people with computers capable of machine learning and automated system responses. This emerging category of tools promises to automatically detect and react to an attack and take protective measures without human intervention. So an attack could happen at 2 a.m. on Christmas Eve and a system responds without pulling a single person out of bed. Talent shortage solved?
Sounds great. Unfortunately, we are a very safe distance from this utopia.
The concept of automation has actually been used in security for quite some time. For example, when a known virus is introduced, our anti-virus software detects, cleans or quarantines the issue and logs what happened without any human intervention whatsoever. Some companies have gone further, automating intrusion prevention, firewalls and authentication systems. But there are limits on how much we trust this automation and what processes we actually feel comfortable automating.
As security professionals, we have been surrounded by tools that only partially get the job done and in many cases come with their own set of operational issues and security vulnerabilities. There is a fear, and likely a well-founded one, of allowing these systems to take unrestrained actions with little or no human intervention.
The problem with automation and machine learning is fundamentally the same problem that a technology like antivirus behavioral heuristics scanning has had since its inception. It can only catch fairly obvious, clunky attacks without causing a flood of false-positive alarms, or even being turned against itself or its host by a clever attacker. In other words, it is good at spotting the obvious, but not so good at predicting whether a given behavior will wind up being bad.
If we are to succeed in defending our companies against the cyber threat, we will have to do much more of both: automation, and using artificial intelligence and machine learning to analyze the barrage of security events. While there are certainly some misgivings among security professionals about trusting the technology, there is also too much promise in the general approach to dismiss it out of hand. At the same time, we need to acknowledge that there are inherent limitations and that this technology will not be a simple fix for the cybersecurity problem.
It’s not just security tools though. We shouldn’t discount the general value of automating other IT processes, including patch deployment, common system builds, scripting and configuration management. All of this automation could add tremendous value in creating predictability and resiliency of the IT infrastructure. Sound patch management alone could go a long way in reducing the threat of attackers against our systems, yet many of us are still struggling to get this right. Tools like Puppet and Jenkins and even Amazon’s own AWS CodeDeploy can allow IT staff to deploy code updates and patches across multiple systems simultaneously and ensure consistency across the environment. And a more resilient IT infrastructure is easier to both defend and to recover in the event of an actual incident.
With some refinement, automation and some form of machine learning will become powerful and effective components of a cyber security defense program. Will these tools ultimately replace our incident response staff? Doubtful; the reality is that they will likely be more effective at automatically responding to simple or obvious attacks, and then at helping to identify, but probably not respond to, more sophisticated threats. At least not without some help from the security pros.
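The division of labour described above, automation acting alone only on obvious, high-confidence detections and handing everything else to a person, can be expressed as an explicit response policy. The following is an added example, not code from the article or from any product it names; the alert fields, the confidence threshold and the per-host action budget (a guard against automation being turned against its own hosts by a flood of spoofed alerts) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Alert:
    host: str
    source: str        # "signature" (known-bad match) or "heuristic" (behavioral)
    confidence: float  # detector's own estimate, 0.0 .. 1.0
    detail: str

@dataclass
class Decision:
    alert: Alert
    action: str        # "quarantine" (automated) or "escalate" (human analyst)
    reason: str

class ResponseGate:
    """Automation takes action only on high-confidence signature hits and only a
    bounded number of times per host; everything else is queued for an analyst.
    Threshold and budget values are assumptions for this example."""
    def __init__(self, auto_threshold: float = 0.95, max_auto_per_host: int = 1):
        self.auto_threshold = auto_threshold
        self.max_auto_per_host = max_auto_per_host
        self.auto_count: Dict[str, int] = {}
        self.audit: List[Decision] = []   # every decision is logged, not just the automated ones

    def handle(self, alert: Alert) -> Decision:
        if alert.source == "signature" and alert.confidence >= self.auto_threshold:
            used = self.auto_count.get(alert.host, 0)
            if used >= self.max_auto_per_host:
                d = Decision(alert, "escalate", "automated action budget for host exhausted")
            else:
                self.auto_count[alert.host] = used + 1
                d = Decision(alert, "quarantine", "known signature at high confidence")
        else:
            d = Decision(alert, "escalate", "heuristic or low-confidence detection needs an analyst")
        self.audit.append(d)
        return d

def triage(alerts: List[Alert]) -> Dict[str, int]:
    """Run a batch through the gate and return counts per action."""
    gate = ResponseGate()
    counts: Dict[str, int] = {"quarantine": 0, "escalate": 0}
    for a in alerts:
        counts[gate.handle(a).action] += 1
    return counts

# Constructed sample alerts (not real detections): the second repeats the first host.
SAMPLE = [
    Alert("ws-01", "signature", 0.99, "known malware hash"),
    Alert("ws-01", "signature", 0.99, "known malware hash (repeat)"),
    Alert("ws-02", "heuristic", 0.99, "unusual parent/child process tree"),
    Alert("ws-03", "signature", 0.60, "partial signature match"),
]
```

Only the first alert is acted on automatically; the repeat on the same host, the behavioral hit and the weak match all go to a person with the reason recorded in the audit trail.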
Still, we shouldn’t discount the value of help in responding to the obvious threats. This could focus our existing staff on finding the more sophisticated threats by reducing the noise level. Every little bit helps.