Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

// // //
7/13/2021
10:00 AM
Steve Durbin
Steve Durbin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

The Trouble With Automated Cybersecurity Defenses

While there's enormous promise in AI-powered tools and machine learning, they are very much a double-edged sword.

Speed and accuracy in identifying and responding to threats are the alluring promises of automated cybersecurity defenses. The average cost of a data breach is $3.86 million, with the average time to detect and contain pegged at 280 days, according to Ponemon Institute research. Any system that can reduce those figures is welcome, so it's no surprise that artificial intelligence (AI) and other automated defenses are seeing rapid and wide adoption.

Related Content:

Cyber Is the New Cold War & AI Is the Arms Race

Special Report: Building the SOC of the Future

New From The Edge: 5 Mistakes That Impact a Security Team's Success

While there's enormous promise in AI-powered tools and machine learning, they are very much a double-edged sword. Cybercriminals and other threat actors can engage the same techniques or manipulate the automated systems businesses employ. Because these technologies are not mature or well understood by the average IT department, there's also scope for misconfiguration and disruptive clashes between overlapping systems.

Unrealistic Expectations
Hype accompanies every new cybersecurity trend. A wave of automated defense technology is being hailed as the answer to skills shortages and increasing levels of attack. Security orchestration automation and response (SOAR), extended detection and response (XDR), and user and entity behavior analytics (UEBA) are leading the charge. The trouble is that their capabilities are sometimes oversold, and the problems they introduce can outweigh the benefits.

The scope and complexity of most organizations make adoption challenging. To reap the rewards of an automated system requires proper planning and compatible infrastructure. There's also a dangerous temptation, especially after making a large investment, to push these new technologies to handle things they were not designed to handle.

While they may enable cost-cutting in the longer term, proper integration and management of automated systems can increase costs in the short term. Unrealistic expectations and complacency can lead to disaster.

Lack of Understanding
Automated cybersecurity is a competitive space. The SOAR market is growing fast and expected to reach $1.3 billion by 2026, up from $721 million this year, according to 360 Research Reports. The leaders are naturally determined to protect their intellectual property. Many machine learning systems also rely on a black-box model, so there is very little, if any, insight into these products' inner workings.

If the vendors don't understand why decisions are being made, how can their customers?

Placing this level of trust in an unproven autonomous system is very risky. To make matters worse, there's a knock-on effect in terms of diminishing skills throughout your workforce. As automated systems take over with the expectation they will plug the skills gap, there will be fewer hires and less incentive for training.

Poisoning Datasets
One of the biggest dangers of placing trust in an automated system is that it can be manipulated by threat actors. The organization under attack has no way of knowing if the system has been tampered with. It can be alarmingly easy to poison automated systems with tainted datasets. This could dangerously skew machine learning algorithms over time or cause innocent traffic to be flagged as anomalous in the short term. Attackers don't necessarily have to fool the system; they can just overload it, prompting shutdowns of services or networks that could leave everyone locked out.

Even without malicious actors at work, some automated defenses may clash with other tools and systems on your network. Take the analogy of infection causing fever in the human body. The immune system is turning up the heat to try and kill the bacteria invading your body, but the fever can incapacitate or even kill you in extreme circumstances.

How to Approach Adoption
While there are risks, automated cybersecurity defenses also represent a real opportunity. But they must be handled carefully. Adoption should be fully planned, set a reasonable expectation level, and ensure that you have the internal skills to properly configure and interpret the automated system.

It's crucial to assess the level of autonomy these systems have and limit their ability to shut down services without some human oversight. Build trust slowly. Closely examine the sources that automated defenses rely upon, and find a way to continuously monitor the data sets to guard against poisoning attempts.

Mitigate risk by drafting incident response plans to cater to different automated system failure scenarios. Rehearse these response plans and tweak them as necessary to ensure they are effective. It's also wise to implement strict testing and change management to curtail overreliance on any automated system.

There's little doubt that automated cybersecurity defenses will have an increasingly important role to play, but we must resist the temptation to move too rapidly. Choose a considered strategy over blind trust and temper your expectations to get the most from this burgeoning technology.

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management. He is a frequent speaker on the Board's role in cybersecurity and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-42002
PUBLISHED: 2022-10-01
SonicJS through 0.6.0 allows file overwrite. It has the following mutations that are used for updating files: fileCreate and fileUpdate. Both of these mutations can be called without any authentication to overwrite any files on a SonicJS application, leading to Arbitrary File Write and Delete.
CVE-2022-39268
PUBLISHED: 2022-09-30
### Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end use...
CVE-2022-34428
PUBLISHED: 2022-09-30
Dell Hybrid Client prior to version 1.8 contains a Regular Expression Denial of Service Vulnerability in the UI. An adversary with WMS group admin access could potentially exploit this vulnerability, leading to temporary denial-of-service.
CVE-2022-34429
PUBLISHED: 2022-09-30
Dell Hybrid Client below 1.8 version contains a Zip Slip Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification.
CVE-2022-40923
PUBLISHED: 2022-09-30
A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file.