Amit Yoran

Back to Basics: AI Isn't the Answer to What Ails Us in Cyber

The irony behind just about every headline-grabbing data breach we've seen in recent years is that they all could have been prevented with simple cyber hygiene.

Earlier this month, many of the planet's most influential leaders met at the World Economic Forum in Davos to address some of the most pressing issues of our time, including artificial intelligence (AI). AI was touted as the answer to everything from bespoke cancer therapies to more-efficient cheese making. Some people in cyber are turning to AI as well, arguing that machines will be able to more quickly adapt to and manage threats, and eventually even be able to predict (and therefore prevent) attacks.

AI has a great PR machine behind it and may hold good long-term potential. But it's not the answer to what ails us in cyber. In fact, I'd put AI in the same camp as advanced persistent threats (APTs) — sophisticated cyberattacks usually orchestrated by state-sponsored hackers and often undetected for long periods of time (think Stuxnet). Both are really intriguing, but in their own ways they're existential distractions from the necessary work at hand.

At the crux of just about every high-profile breach and compromise, from Yahoo to Equifax, sits a lack of foundational cyber hygiene. Those breaches weren't about failing to use some super-expensive, bleeding-edge, difficult-to-deploy and unproven mouse trap. In cyber, what differentiates the leaders from the laggards isn't spending millions and millions of dollars on sexy bells-and-whistles interfaces. It's about organizations setting a culture in which security matters. That means they prioritize cyber hygiene. They understand that cyber risk equals business risk in our digital age.


Consider the Equifax breach. When the company was called to testify before Congress about the catastrophic breach that affected 145 million Americans, it displayed a dazzling disregard for cyber-risk. Its willingness to blame the breach on a single engineer's slow response to a known vulnerability highlighted a lack of procedural discipline and rigor, to say nothing of the organization's immaturity in cybersecurity basics. AI cannot address or solve this cultural misalignment.

Cyber Hygiene 101
Let me be clear — perfect cybersecurity is not possible, no matter what anyone may say. If someone is determined at all costs to get through your defenses, the odds are good that they'll find a way in. But the irony behind just about all the headline-grabbing data breaches we've seen in recent years is that they could have been prevented with basic cyber hygiene. Why? Because even when state actors are behind an attack, they most often take advantage of lackadaisical security practices and use known vulnerabilities and exploits to get in. It's cheaper. It's easier. You don't have to burn a zero-day. Attribution is much harder, and there is a slew of other good reasons. All of which brings us back to the fact that basic cyber hygiene is the cheapest, easiest, and most effective way to improve your security posture.

What's even better news? Very good cybersecurity is within reach for most organizations. It begins with the fundamentals, and if you follow some of these best practices, you can prevent the vast majority of breaches and exploits.

Best Practice 1: Know your systems really, really well. This may seem obvious, but it's astonishing how many organizations do not know precisely what technology they're using. This presents a twofold problem. First, you can't protect what you can't see. Second, technology is not risk free. For every digital investment — IT, cloud, mobile, apps, the Internet of Things, and DevOps — there is an accompanying risk. Most organizations fundamentally don't understand the extent of the systems they're using, how those systems can be exploited, or what they need to do to prevent that from happening.

Best Practice 2: Use state-of-the-art authentication and access management. If you're relying on passwords alone today, you simply fail to understand the reality of our threat environment. You need to embrace multifactor authentication. Think of TouchID or FaceID or something similar. Getting rid of passwords and the associated user failures moves the needle, and can reduce user frustration. Along with that, manage account privileges based on what access is needed by whom.

Best Practice 3: Invest in better monitoring and more efficient response. The average number of days between the time a breach occurs and when it is detected consistently clocks in at over six months. Organizations can take advantage of the technologies that shrink this time by providing greater visibility into computing platforms — cloud, hybrid, or on-premises — to ensure that security teams have a complete view of their entire attack surface.

Here's a challenge that we should all embrace — let's make 2018 the year we all get serious about cybersecurity fundamentals. Let's get the basics right. Let's not throw our arms up in despair or search endlessly for the latest cure-all until we're adequately addressing the basics. Investing in AI is no substitute for sound fundamentals.

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ...

2/9/2018 | 12:13:31 PM
A few more points
A good article, with several important best practices.

As for AI (Artificial Intelligence), it's an unfortunate choice for a label for something that is actually a dynamic artifact of collective human intelligence. You're right about the effective PR.

You can add a couple of more items to your best practices list:
  • Limit data access, and type of access, on a needs basis. If a knowledge worker doesn't require access of a particular kind, and from a particular source, in order to do their job, they shouldn't have it.
  • Know what data you have. It's very hard to tell if something is missing or has been altered if you don't know what you have and where it is.
  • Limit the proliferation of data. Yes, you need a well-thought-out plan to recover compromised data, but more backup copies don't equate to more security - just the opposite. Also, limit the data used for analysis, using the same needs-based criteria mentioned above. Part of that is not running analysis directly on line-of-business/transactional data.

Each of these goals is easier to implement if your organization uses the proper modeling methodologies.