Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

End of Bibblio RCM includes -->
7/13/2021
10:00 AM
Steve Durbin
Steve Durbin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

The Trouble With Automated Cybersecurity Defenses

While there's enormous promise in AI-powered tools and machine learning, they are very much a double-edged sword.

Speed and accuracy in identifying and responding to threats are the alluring promises of automated cybersecurity defenses. The average cost of a data breach is $3.86 million, with the average time to detect and contain pegged at 280 days, according to Ponemon Institute research. Any system that can reduce those figures is welcome, so it's no surprise that artificial intelligence (AI) and other automated defenses are seeing rapid and wide adoption.

Related Content:

Cyber Is the New Cold War & AI Is the Arms Race

Special Report: Building the SOC of the Future

New From The Edge: 5 Mistakes That Impact a Security Team's Success

While there's enormous promise in AI-powered tools and machine learning, they are very much a double-edged sword. Cybercriminals and other threat actors can engage the same techniques or manipulate the automated systems businesses employ. Because these technologies are not mature or well understood by the average IT department, there's also scope for misconfiguration and disruptive clashes between overlapping systems.

Unrealistic Expectations
Hype accompanies every new cybersecurity trend. A wave of automated defense technology is being hailed as the answer to skills shortages and increasing levels of attack. Security orchestration automation and response (SOAR), extended detection and response (XDR), and user and entity behavior analytics (UEBA) are leading the charge. The trouble is that their capabilities are sometimes oversold, and the problems they introduce can outweigh the benefits.

The scope and complexity of most organizations make adoption challenging. To reap the rewards of an automated system requires proper planning and compatible infrastructure. There's also a dangerous temptation, especially after making a large investment, to push these new technologies to handle things they were not designed to handle.

While they may enable cost-cutting in the longer term, proper integration and management of automated systems can increase costs in the short term. Unrealistic expectations and complacency can lead to disaster.

Lack of Understanding
Automated cybersecurity is a competitive space. The SOAR market is growing fast and expected to reach $1.3 billion by 2026, up from $721 million this year, according to 360 Research Reports. The leaders are naturally determined to protect their intellectual property. Many machine learning systems also rely on a black-box model, so there is very little, if any, insight into these products' inner workings.

If the vendors don't understand why decisions are being made, how can their customers?

Placing this level of trust in an unproven autonomous system is very risky. To make matters worse, there's a knock-on effect in terms of diminishing skills throughout your workforce. As automated systems take over with the expectation they will plug the skills gap, there will be fewer hires and less incentive for training.

Poisoning Datasets
One of the biggest dangers of placing trust in an automated system is that it can be manipulated by threat actors. The organization under attack has no way of knowing if the system has been tampered with. It can be alarmingly easy to poison automated systems with tainted datasets. This could dangerously skew machine learning algorithms over time or cause innocent traffic to be flagged as anomalous in the short term. Attackers don't necessarily have to fool the system; they can just overload it, prompting shutdowns of services or networks that could leave everyone locked out.

Even without malicious actors at work, some automated defenses may clash with other tools and systems on your network. Take the analogy of infection causing fever in the human body. The immune system is turning up the heat to try and kill the bacteria invading your body, but the fever can incapacitate or even kill you in extreme circumstances.

How to Approach Adoption
While there are risks, automated cybersecurity defenses also represent a real opportunity. But they must be handled carefully. Adoption should be fully planned, set a reasonable expectation level, and ensure that you have the internal skills to properly configure and interpret the automated system.

It's crucial to assess the level of autonomy these systems have and limit their ability to shut down services without some human oversight. Build trust slowly. Closely examine the sources that automated defenses rely upon, and find a way to continuously monitor the data sets to guard against poisoning attempts.

Mitigate risk by drafting incident response plans to cater to different automated system failure scenarios. Rehearse these response plans and tweak them as necessary to ensure they are effective. It's also wise to implement strict testing and change management to curtail overreliance on any automated system.

There's little doubt that automated cybersecurity defenses will have an increasingly important role to play, but we must resist the temptation to move too rapidly. Choose a considered strategy over blind trust and temper your expectations to get the most from this burgeoning technology.

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management. He is a frequent speaker on the Board's role in cybersecurity and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-42585
PUBLISHED: 2022-05-23
A heap buffer overflow was discovered in copy_compressed_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.
CVE-2021-42586
PUBLISHED: 2022-05-23
A heap buffer overflow was discovered in copy_bytes in decode_r2007.c in dwgread before 0.12.4 via a crafted dwg file.
CVE-2022-1825
PUBLISHED: 2022-05-23
Cross-site Scripting (XSS) - Reflected in GitHub repository collectiveaccess/providence prior to 1.8.
CVE-2022-28874
PUBLISHED: 2022-05-23
Multiple Denial-of-Service vulnerabilities was discovered in the F-Secure Atlant and in certain WithSecure products while scanning fuzzed PE32-bit files cause memory corruption and heap buffer overflow which eventually can crash the scanning engine. The exploit can be triggered remotely by an attack...
CVE-2022-29599
PUBLISHED: 2022-05-23
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.