informa
/
Risk
Commentary

The Dawn of Lights-Out Security

In the future, the role of humans will focus on the architecture, design and automation of security, not in the actual testing or operational management.

The world around us is changing at such a break-neck pace that it’s often hard to understand the macro implications. For the information security professional, this dynamic has the potential to broadside your career track -- or worse, the effectiveness of your job. Here are two issues companies are trying to address:

Cyberattack effectiveness is often a result of human error 

  • Humans represent one of the most common vectors for a successful hacker
  • Human technical authentication is problematic as people struggle to remember strong authentication sequences such as long passwords
  • Human training is, at best, fleeting in effectiveness and not consistent

Cyberattack tools and techniques are more effective   

  • Hacking tools benefit from big development efforts.  Hacking is a very lucrative business and significant money is being invested as hackers see big returns.  
  • Tools have been automated: In order to run hacking tools at scale, the tools require automation and behavioral characteristics that avoid "cleaning" from security efforts and discovery from detection efforts. 
  • Tools are now robotic (aka "bots").  They use behavioral and artificial intelligence algorithms to anticipate security defenses and quickly adjust and react to new more offensive strategies. 

Offloading "thinking" in comparison to the 6,000-year-old trend of offloading "physical labor" by automation is a major shift in societal behavior. According to the BBC’s website, nearly 80 percent of the security professional’s job will be gone in the next few decades, driven by answers to the trends above.

There are three major trends that are threatening information security officers globally.

  • Artificial Intelligence (AI):  Automation overall is giving rise to AI in everything we do. The threats are driven by AI, but our defenses are still by and large, manual technical defenses.
  • Humans are the best attack vector: Automation is driving de-humanization and accelerating non-technical vulnerabilities. These non-technical vulnerabilities are, ironically, accelerating the idea that data privacy / confidentiality is not the sole responsibility of information security professionals.
  • Lights-out security: Ironically, our future threat is also our answer. Haste, waste, or delay in automation defines future failure.

In AI, threats are automated, defenses are manual 
Humans have been automating work for a long time, but we’ve never had the capability to really automate thinking. From this perspective, the natural inclination is to believe that we’ve been here before, but this concept is new. It is also a serious threat and, ironically, our biggest opportunity for technical breakthroughs.

Most of us have become so numb to the omnipresence of bots in nearly all security attacks that we haven’t bothered to look deep at how bots themselves have evolved. They’ve evolved into highly efficient tools which automate nearly everything an attacker might want to accomplish, from escalating privileged access, to decrypting traffic, to driving volume in DDoS attacks. Most of the major security threats such as application DDoS, brute force, and SQL injection are executed at least in part through botnets. These tools are designed to select actions based upon the anticipated responses from you, the defender. As people have become more and more predictable in detection and mitigation, the bad guys are designing tools to adjust to our defenses faster than we can detect their changes.  

Humans have become the best attack vector in new ways
From social engineered attacks like phishing and USB drive attacks, humans have distinguished themselves as being highly vulnerable creatures and commensurately not easily secured. Two big human behavior security issues which can be addressed by automation include:

  1. Security bots that would dramatically improve Identity and Access Management (IAM).  Let’s face it. No humans, no need for human-esque passwords. In addition, scores of security technologies (and security teams by extension) continue to rely on the IP address, as a primary means of identifying legitimate users and blocking malicious traffic sources. Security professionals need new, more accurate technologies that are not prone to error caused by the myriad of ways an IP address can be spoofed or obfuscated.
  2. Security bots that can deprecate or remove much of the human’s training, performance unpredictability, and reliability.  The sobering truth is that to err is human and there is no patch or process that will solve this problem, no matter how much training or effort.    Intelligent and predictable bots or AI are solutions that are being deployed in highly successful environments. That success may give us hope, but also have dramatic implications for the future of information security. AI replacing humans is already occurring in high-risk “human” industries such as trading exchanges and transportation.

The truth is that the future of information security will look dramatically different. We make a case here that nearly every facet of security will eventually remove humans, from penetration testing and vulnerability testing to SOC  operations to incident response. The role of humans will focus on the architecture, design, and automation of security, not in the actual testing or operational management of security.

New automated paradigms are being spawned and aided by newer technologies which enable automation and orchestration such as software-defined networking, network feature virtualization, cloud services, APIs, and of course, algorithms with intelligence.

In addition to process changes, there will also need to be huge overhauls in technology and attention to four major areas of security changing the paradigm from defense in-depth to defense in what we call attack mitigation pillars: collection, detection, command and control, and mitigation.

In the end, there is a lot of good news for security, including the variety of new tools, like device fingerprinting, that employs various methodologies to gather IP-agnostic information about the source. The device fingerprint uniquely identifies a web tool entity by combining dozens of attributes of a user’s device to identify and then track their activities, generating a behavioral and reputational profile of the user. In addition, there are powerful cross-vendor automation and orchestration tools which are dramatically assisting the security professional in automating their collection & mitigation. 

Lastly, the growth in algorithms and the adoption of these new powerful toolsets will be the difference between the future successful and secure company, as opposed to companies like Ashley Madison that clearly define the way of the past. However, if we don’t see the need to remove people from security operations, testing and auditing and install instead lights-out security centers we will not be able to handle the future AI-driven attack landscape.  

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5