Careers & People | Commentary by Jose Nazario, 1/18/2018 10:30 AM
How to Keep Blue Teams Happy in an Automated Security World

The creativity and intuition of your team members must be developed and nurtured.

In the past year, several high-profile leaders have discussed the threats posed by artificial intelligence (AI), including entrepreneur Elon Musk and Stephen Hawking. While some have mocked the warnings about dangers that seem like Skynet from the Terminator films, recently more thought has gone into the impact of intelligent automation on the workforce.

In cybersecurity, skilled labor shortages have created a need to scale up the workforce in the face of nonstop threats and attacks. That need, coupled with the copious amounts of readily available machine-readable data, has led to decades of machine learning research, and there is now significant interest in deploying machine learning into production.

I'd argue that some of the fear is baseless. The hype is quite far-fetched, because generalized AI exists only in fiction or as a Mechanical Turk type of product. We won't have Terminators building themselves to eliminate humanity anytime soon.

But let's explore a plausible future of a cybersecurity world filled with "intelligent automation," which I would describe as the complement of systems (computers, data models, and algorithms) that work under human direction to automate parts of the workflow. In doing so, we see the concept may be drearier than we had imagined.

Foundations for Automation
In cyber defense, automation has been a long time coming. It includes the MITRE CVE effort, which enabled machine-to-machine observation linkages (vulnerability scans, IDS hits) and allowed products utilizing the OASIS OpenC2 and other standards to interoperate nearly seamlessly. Tools including McAfee's ePolicy Orchestrator and those offered by companies such as Phantom Cyber achieve automation typically through specific integrations.

In machine learning, the rise of big data and faster processing has opened new doors. Historically in cybersecurity, research using machine learning focused on getting big results out of as little data as possible. Countless malware classification papers and IDS systems, for example, worked from as few bytes as possible to achieve some high true-positive score, but they typically fell flat on their faces in the real world. The rise of big data in cybersecurity could enable a more holistic approach and more accurate results in the real world. At least, I hope so.

What the Future Might Hold
With standards, interoperability, machine learning, and expert judgment and experience now converging, a significant amount of cyber-defense operations is ripe for automation. This includes automation of human knowledge and pattern recognition, which is basically expert judgment built over years of experience. Given the workforce gaps we face, I expect this to get addressed by the market in the coming decade.

Let's assume that all sorts of magic — technological and organizational — happens, that machine learning pans out, and cyber-defense automation gains significant traction. Algorithms will consume a wide variety of data from operational security tools, network and systems performance technologies, and even outside events. During an intrusion, the cyber-defense team will work together via a unified platform to isolate adversaries and prevent future intrusions. Networks will be blocked, software will be patched, and access controls will change in an instant. They will be able to rely partly on algorithms and agents (some personalized) to review statuses and delegate tasks to cyber-defense agents.

What is the role of people in that automated utopia? With machine learning algorithms doing the bulk of the detection work, and even response work, where do the various team members fit in?

I can imagine a scenario where lower tiers of security ops teams do basic alert and event classification work that ultimately trains and updates machine learning models. This layer of the staff, greatly reduced in number but significantly more effective (no fatigue, for example), will exist simply to keep detection algorithms up to date. One layer above would be used to augment those algorithms when they fail to develop firm enough judgments, with team members reviewing evidence to make final decisions.

The upper-escalation tiers, which typically are researchers or a "master layer," will hunt for adversaries, gather evidence, and help create new detection models. This will enable them to scale operations in time and space across their organizations and ultimately arm the next tier with "ninja"-level skills, even if they lack the years of experience typically needed to spot threats.

In some environments, people will remain in the loop to approve and deny actions that machines propose and then complete. These individuals will exist to avert catastrophes (remember War Games?), or even to accept blame, if you're feeling particularly sanguine. But, let's face it, this will be pretty dull work. People probably will be relegated to inspecting the results of automated responses and dealing with legacy systems that can't integrate with the automation framework. Overtime might go down, but workers will be slaves to a machine, which would be demoralizing.

This vision is somewhat dystopian. A career path that demands creativity and insight and rewards it with a great paycheck is likely to see a drop in demand and an entry-level workforce relegated to working while chained to algorithms.

Preparing for an Automated Tomorrow
To avoid that version of the future, companies need to work with their cyber-defense teams. Regardless of automation and machine-assisted decision-making, you still rely on a team of people to execute plans. To keep a satisfied team, it pays to invest in a vision and reality wherein the team uses algorithms to amplify their abilities, not replace them. Machines and algorithms are fallible, just as people are, but humans must do more than just act as backstops for misbehaving technology; their creativity and intuition, which must be developed and nurtured, need to drive the human-algorithm partnership.

Dr. Jose Nazario is the Director of Security Research at Fastly, and is a recognized expert on cyberthreats to ISPs, network subscribers, and enterprises from cybercrime and malware. He was previously the Research Director for Malware Analysis at Invincea Labs.