CIOReview
MAY 2018

Jeffrey W Brown

...of machine learning and automated system responses. This emerging category of tools promises to automatically detect and react to an attack and take protective measures without human intervention. So an attack could happen at 2 a.m. on Christmas Eve and a system responds without pulling a single person out of bed. Talent shortage solved? Sounds great. Unfortunately, we are a very safe distance from this utopia.

The concept of automation has actually been used in security for quite some time. For example, when a known virus is introduced, our anti-virus software detects, cleans or quarantines the issue and logs what happened without any human intervention whatsoever. Some companies have gone further, automating intrusion prevention, firewalls and authentication systems. But there are limits on how much we trust this automation and which processes we actually feel comfortable automating. As security professionals, we have been surrounded by tools that only partially get the job done and in many cases come with their own set of operational issues and security vulnerabilities. There is a fear, and likely a well-founded one, of allowing these systems to take unrestrained actions with little or no human intervention.

The problem with automation and machine learning is fundamentally the same problem that a technology like antivirus behavioral heuristics scanning has had since its inception. It can only catch fairly obvious, clunky attacks without causing a ton of false positive alarms or even being turned against itself or its host by a clever attacker. In other words, it's good at spotting the obvious, but not so good at predicting whether a given behavior will wind up being bad.

If we are to succeed in defending our companies against the cyber threat, we will have to do much more of both: automation, and using artificial intelligence and machine learning to analyze the barrage of security events. While there are certainly some misgivings among many security professionals about trusting the technology, there is also too much promise in the general approach to dismiss it out of hand. At the same time, we need to acknowledge that there are some inherent limitations and that this technology won't be a simple fix for the cybersecurity problem.

It's not just security tools, though. We shouldn't discount the general value of automating other IT processes, including patch deployment, common system builds, scripting and configuration management. All of this automation could add tremendous value in creating predictability and resiliency in the IT infrastructure. Sound patch management alone could go a long way in reducing the threat of attackers against our systems, yet many of us are still struggling to get this right. Tools like Puppet and Jenkins and even Amazon's own AWS CodeDeploy can allow IT staff to deploy code updates and patches across multiple systems simultaneously and ensure consistency across the environment. And a more resilient IT infrastructure is easier both to defend and to recover in the event of an actual incident.

With some refinement, automation and some form of machine learning will become powerful and effective components of a cyber security defense program. Will these tools ultimately replace our incident response staff? Doubtful; the reality is that they will likely be more effective at automatically responding to simple or obvious attacks and then helping to identify, but probably not respond to, more sophisticated threats. At least not without some help from the security pros. Still, we shouldn't discount the value of help in responding to the obvious threats. This could focus our existing staff on finding the more sophisticated threats by reducing the noise level. Every little bit helps.