
10/30/2015
12:45 PM
By Carl Herberger, VP, Security Solutions, Radware

The Dawn of Lights-Out Security

In the future, the role of humans will focus on the architecture, design and automation of security, not in the actual testing or operational management.

The world around us is changing at such a breakneck pace that it’s often hard to understand the macro implications. For the information security professional, this dynamic has the potential to broadside your career track -- or worse, the effectiveness of your job. Here are two issues companies are trying to address:

Cyberattack effectiveness is often a result of human error 

  • Humans represent one of the most common vectors for a successful hacker
  • Human technical authentication is problematic as people struggle to remember strong authentication sequences such as long passwords
  • Human training is, at best, fleeting in effectiveness and not consistent

Cyberattack tools and techniques are more effective   

  • Hacking tools benefit from big development efforts.  Hacking is a very lucrative business and significant money is being invested as hackers see big returns.  
  • Tools have been automated: In order to run hacking tools at scale, the tools require automation and behavioral characteristics that avoid "cleaning" from security efforts and discovery from detection efforts. 
  • Tools are now robotic (aka "bots").  They use behavioral and artificial intelligence algorithms to anticipate security defenses and quickly adjust and react to new more offensive strategies. 

Offloading "thinking" to automation, as opposed to the 6,000-year-old trend of offloading "physical labor," is a major shift in societal behavior. According to the BBC’s website, nearly 80 percent of the security professional’s job will be gone in the next few decades, driven by answers to the trends above.

There are three major trends that are threatening information security officers globally.

  • Artificial Intelligence (AI): Automation overall is giving rise to AI in everything we do. The threats are driven by AI, but our defenses are still, by and large, manual technical defenses.
  • Humans are the best attack vector: Automation is driving de-humanization and accelerating non-technical vulnerabilities. These non-technical vulnerabilities are, ironically, accelerating the idea that data privacy / confidentiality is not the sole responsibility of information security professionals.
  • Lights-out security: Ironically, our future threat is also our answer. Haste, waste, or delay in automation defines future failure.

In AI, threats are automated, defenses are manual 
Humans have been automating work for a long time, but we’ve never had the capability to really automate thinking. From this perspective, the natural inclination is to believe that we’ve been here before, but this concept is new. It is also a serious threat and, ironically, our biggest opportunity for technical breakthroughs.

Most of us have become so numb to the omnipresence of bots in nearly all security attacks that we haven’t bothered to look deeply at how bots themselves have evolved. They’ve evolved into highly efficient tools that automate nearly everything an attacker might want to accomplish, from escalating privileged access, to decrypting traffic, to driving volume in DDoS attacks. Most of the major security threats such as application DDoS, brute force, and SQL injection are executed at least in part through botnets. These tools are designed to select actions based upon the anticipated responses from you, the defender. As people have become more and more predictable in detection and mitigation, the bad guys are designing tools to adjust to our defenses faster than we can detect their changes.

Humans have become the best attack vector in new ways
From socially engineered attacks like phishing to USB drive attacks, humans have distinguished themselves as highly vulnerable creatures that are commensurately hard to secure. Two big human-behavior security issues that can be addressed by automation include:

  1. Security bots that would dramatically improve Identity and Access Management (IAM). Let’s face it. No humans, no need for human-esque passwords. In addition, scores of security technologies (and security teams by extension) continue to rely on the IP address as a primary means of identifying legitimate users and blocking malicious traffic sources. Security professionals need new, more accurate technologies that are not prone to error caused by the myriad ways an IP address can be spoofed or obfuscated.
  2. Security bots that can deprecate or remove much of the human’s training, performance unpredictability, and reliability. The sobering truth is that to err is human and there is no patch or process that will solve this problem, no matter how much training or effort. Intelligent and predictable bots or AI are solutions that are being deployed in highly successful environments. That success may give us hope, but it also has dramatic implications for the future of information security. AI replacing humans is already occurring in high-risk “human” industries such as trading exchanges and transportation.

The truth is that the future of information security will look dramatically different. We make a case here that nearly every facet of security will eventually remove humans, from penetration testing and vulnerability testing to SOC operations to incident response. The role of humans will focus on the architecture, design, and automation of security, not in the actual testing or operational management of security.

New automated paradigms are being spawned and aided by newer technologies which enable automation and orchestration such as software-defined networking, network feature virtualization, cloud services, APIs, and of course, algorithms with intelligence.

In addition to process changes, there will also need to be huge overhauls in technology and attention to four major areas of security, changing the paradigm from defense in depth to what we call attack mitigation pillars: collection, detection, command and control, and mitigation.

In the end, there is a lot of good news for security, including a variety of new tools, like device fingerprinting, that employ various methodologies to gather IP-agnostic information about the source. The device fingerprint uniquely identifies a web tool entity by combining dozens of attributes of a user’s device to identify and then track their activities, generating a behavioral and reputational profile of the user. In addition, there are powerful cross-vendor automation and orchestration tools that are dramatically assisting security professionals in automating their collection and mitigation.
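The IP-agnostic profiling described above, as an added example that is not from the original article or from any vendor's product: it hashes a few device attributes into a fingerprint and ties together a client that rotates source IPs, where per-IP counting sees only one failure per address. The attribute names, thresholds, and sample requests are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample requests: (source IP, device attributes, action).
# Attribute names are illustrative assumptions, not any vendor's schema.
BOT = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "800x600",
       "timezone": "UTC", "fonts": 3, "canvas_hash": "a91f", "languages": "en"}
ALICE = {"user_agent": "Mozilla/5.0 (Macintosh)", "screen": "2560x1440",
         "timezone": "America/New_York", "fonts": 212, "canvas_hash": "77c2",
         "languages": "en-US,en"}
BOB = {"user_agent": "Mozilla/5.0 (Windows NT 10.0)", "screen": "1920x1080",
       "timezone": "Europe/London", "fonts": 148, "canvas_hash": "0be4",
       "languages": "en-GB,en"}
REQUESTS = [
    ("198.51.100.7", BOT, "login_fail"), ("203.0.113.20", BOT, "login_fail"),
    ("192.0.2.55", BOT, "login_fail"), ("198.51.100.99", BOT, "login_fail"),
    ("192.0.2.10", ALICE, "login_ok"), ("192.0.2.10", BOB, "login_fail"),
    ("192.0.2.10", BOB, "login_ok"),  # Alice and Bob share one NAT address
]

def fingerprint(attrs):
    """Hash the attributes in sorted key order; the source IP is not an input."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def build_profiles(requests):
    """Behavioral profile per device: IPs seen, failures, total requests."""
    profiles = defaultdict(lambda: {"ips": set(), "fails": 0, "total": 0})
    for ip, attrs, action in requests:
        p = profiles[fingerprint(attrs)]
        p["ips"].add(ip)
        p["total"] += 1
        p["fails"] += action == "login_fail"
    return dict(profiles)

def fails_by_ip(requests):
    """Per-IP failure counts: the view an IP-keyed control would have."""
    counts = defaultdict(int)
    for ip, _, action in requests:
        counts[ip] += action == "login_fail"
    return dict(counts)

def suspicious(profiles, max_ips=2, max_fail_ratio=0.75):
    """Flag devices that rotate IPs and mostly fail authentication."""
    return sorted(fp for fp, p in profiles.items()
                  if len(p["ips"]) > max_ips
                  and p["fails"] / p["total"] >= max_fail_ratio)

if __name__ == "__main__":
    print(suspicious(build_profiles(REQUESTS)), fails_by_ip(REQUESTS))
```

A real fingerprint combines dozens of attributes and tolerates small changes between visits; the exact-match hash here keeps the example short.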

Lastly, the growth in algorithms and the adoption of these powerful new toolsets will be the difference between the successful and secure company of the future and companies like Ashley Madison that clearly define the way of the past. However, if we don’t see the need to remove people from security operations, testing, and auditing and install lights-out security centers instead, we will not be able to handle the future AI-driven attack landscape.


Carl is an IT security expert and currently manages Radware's security practice in the Americas. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical ...
Comments
danelleau1,
User Rank: Strategist
11/2/2015 | 6:29:16 PM
Automation Is Key
Agree... We need to fight attackers' use of automation with automation. Otherwise, we face a losing battle. There is still a place for the human element -- but hopefully by combining with automation, we use our limited pool of cybersecurity talent on the more strategic tasks. 