
News & Commentary

10/30/2015
12:45 PM
By Carl Herberger, VP, Security Solutions, Radware
Commentary
The Dawn of Lights-Out Security

In the future, the role of humans will focus on the architecture, design and automation of security, not in the actual testing or operational management.

The world around us is changing at such a breakneck pace that it's often hard to understand the macro implications. For the information security professional, this dynamic has the potential to broadside your career track -- or worse, the effectiveness of your job. Here are two issues companies are trying to address:

Cyberattack effectiveness is often a result of human error 

  • Humans represent one of the most common vectors for a successful hacker
  • Human technical authentication is problematic as people struggle to remember strong authentication sequences such as long passwords
  • Human training is, at best, fleeting in effectiveness and not consistent

Cyberattack tools and techniques are more effective   

  • Hacking tools benefit from big development efforts. Hacking is a very lucrative business, and significant money is being invested as hackers see big returns.
  • Tools have been automated: to run hacking tools at scale, the tools require automation and behavioral characteristics that let them avoid removal by cleanup efforts and discovery by detection efforts.
  • Tools are now robotic (aka "bots"). They use behavioral and artificial-intelligence algorithms to anticipate security defenses, then quickly adjust and react with new, more aggressive strategies.

Offloading "thinking," in comparison to the 6,000-year-old trend of offloading "physical labor" by automation, is a major shift in societal behavior. According to the BBC's website, nearly 80 percent of the security professional's job will be gone in the next few decades, driven by the responses to the trends above.

There are three major trends that are threatening information security officers globally.

  • Artificial Intelligence (AI):  Automation overall is giving rise to AI in everything we do. The threats are driven by AI, but our defenses are still by and large, manual technical defenses.
  • Humans are the best attack vector: Automation is driving de-humanization and accelerating non-technical vulnerabilities. Ironically, these non-technical vulnerabilities are reinforcing the idea that data privacy and confidentiality are not the sole responsibility of information security professionals.
  • Lights-out security: Ironically, our future threat is also our answer. Haste, waste, or delay in automation defines future failure.

In AI, threats are automated, defenses are manual 
Humans have been automating work for a long time, but we’ve never had the capability to really automate thinking. From this perspective, the natural inclination is to believe that we’ve been here before, but this concept is new. It is also a serious threat and, ironically, our biggest opportunity for technical breakthroughs.

Most of us have become so numb to the omnipresence of bots in nearly all security attacks that we haven't bothered to look deeply at how bots themselves have evolved. They've evolved into highly efficient tools which automate nearly everything an attacker might want to accomplish, from escalating privileged access, to decrypting traffic, to driving volume in DDoS attacks. Most of the major security threats, such as application DDoS, brute force, and SQL injection, are executed at least in part through botnets. These tools are designed to select actions based upon the anticipated responses from you, the defender. As people have become more and more predictable in detection and mitigation, the bad guys are designing tools to adjust to our defenses faster than we can detect their changes.

Humans have become the best attack vector in new ways
In social-engineering attacks like phishing and USB drive attacks, humans have distinguished themselves as highly vulnerable creatures and, correspondingly, not easily secured. Two big human-behavior security issues which can be addressed by automation include:

  1. Security bots that would dramatically improve Identity and Access Management (IAM). Let's face it: no humans, no need for human-style passwords. In addition, scores of security technologies (and, by extension, security teams) continue to rely on the IP address as the primary means of identifying legitimate users and blocking malicious traffic sources. Security professionals need new, more accurate technologies that are not prone to the errors caused by the myriad ways an IP address can be spoofed, proxied, shared behind NAT, or otherwise obfuscated.
  2. Security bots that can remove much of the dependence on human training and the unpredictability and unreliability of human performance. The sobering truth is that to err is human, and there is no patch or process that will solve this problem, no matter how much training or effort. Intelligent and predictable bots or AI are being deployed as solutions in highly successful environments. That success may give us hope, but it also has dramatic implications for the future of information security. AI replacing humans is already occurring in high-risk "human" industries such as trading exchanges and transportation.

The truth is that the future of information security will look dramatically different. We make a case here that nearly every facet of security will eventually remove humans, from penetration testing and vulnerability testing to SOC operations to incident response. The role of humans will focus on the architecture, design, and automation of security, not on the actual testing or operational management of security.

New automated paradigms are being spawned and aided by newer technologies which enable automation and orchestration, such as software-defined networking, network function virtualization, cloud services, APIs, and of course, algorithms with intelligence.

In addition to process changes, there will also need to be huge overhauls in technology, and attention to four major areas of security that change the paradigm from defense in depth to what we call the attack mitigation pillars: collection, detection, command and control, and mitigation.

In the end, there is a lot of good news for security, including a variety of new tools. Device fingerprinting, for example, employs various methodologies to gather IP-agnostic information about the source. The device fingerprint uniquely identifies a web client by combining dozens of attributes of a user's device, and then tracks that client's activity to build a behavioral and reputational profile of the user. In addition, powerful cross-vendor automation and orchestration tools are dramatically helping the security professional automate collection and mitigation.
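The following is an added example, not code from the original article or from Radware, illustrating the two points made above: why an IP address is a poor identity for blocking (item 1 of the human-behavior list) and how an IP-agnostic device fingerprint gives a more stable key for a behavioral profile. The attribute names, the failed-login threshold, and the sample traffic are all assumptions constructed for the example.

```python
"""IP-agnostic device fingerprinting for abuse detection (added example).

Each request carries the client's IP plus attributes the server can collect
from headers and a client-side script (the attribute names below are assumed
for this example). The fingerprint is a hash over those attributes, so it
survives IP rotation and does not lump together distinct users who share one
NAT address.
"""
import hashlib
from collections import defaultdict

# Assumed attribute set; real deployments choose their own (headers, screen
# geometry, timezone, canvas/WebGL hashes, installed fonts, ...).
FINGERPRINT_ATTRS = ("user_agent", "accept_language", "screen",
                     "timezone", "canvas_hash")


def device_fingerprint(attrs):
    """Hash a canonical serialization of the attributes.

    A missing attribute contributes an empty value, so the fingerprint is
    stable for a device that reports the same attributes every time.
    """
    canon = "\x1f".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_ATTRS)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]


def failed_logins_by(requests, key):
    """Count failed logins per identity, where key(req) -> identity string."""
    counts = defaultdict(int)
    for req in requests:
        if not req["login_ok"]:
            counts[key(req)] += 1
    return dict(counts)


def blocked_identities(requests, key, threshold=5):
    """Identities whose failed-login count reaches the threshold."""
    return {ident for ident, n in failed_logins_by(requests, key).items()
            if n >= threshold}


def by_ip(req):
    return req["ip"]


def by_fingerprint(req):
    return device_fingerprint(req["device"])


def compare(requests):
    """Return (IP-based blocks, fingerprint-based blocks) for the same traffic."""
    return blocked_identities(requests, by_ip), blocked_identities(requests, by_fingerprint)


# --- constructed sample traffic (not real logs) ---------------------------
ATTACKER_DEVICE = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101",
                   "accept_language": "en-US", "screen": "1920x1080",
                   "timezone": "UTC", "canvas_hash": "9f2c1a"}

# One attacker device rotating through 10 proxy IPs, two guesses per IP:
# no single IP reaches the threshold, but the fingerprint sees all 20.
ATTACK = [{"ip": f"203.0.113.{i}", "device": ATTACKER_DEVICE, "login_ok": False}
          for i in range(10) for _ in range(2)]

# Eight office workers behind one NAT address, each mistyping a password once:
# the shared IP reaches the threshold, but no single fingerprint does.
OFFICE = [{"ip": "198.51.100.7",
           "device": {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                      "accept_language": "en-US", "screen": "1366x768",
                      "timezone": "Europe/Amsterdam", "canvas_hash": f"c0ffee{n}"},
           "login_ok": False}
          for n in range(8)]


if __name__ == "__main__":
    for name, traffic in (("rotating attacker", ATTACK), ("shared NAT", OFFICE)):
        ip_blocks, fp_blocks = compare(traffic)
        print(f"{name}: IP-based blocks {len(ip_blocks)}, "
              f"fingerprint-based blocks {len(fp_blocks)}")
```

Run stand-alone, the rotating attacker is blocked only under the fingerprint key, and the office behind a shared NAT is blocked only under the IP key. Two caveats a practitioner would apply: a fingerprint is also client-supplied and can be varied by a determined attacker, so it is one signal for a reputation score rather than a trusted identity, and legitimate fingerprints drift with browser and OS updates, so thresholds should be tuned against real traffic before blocking on them.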

Lastly, the growth in algorithms and the adoption of these powerful new toolsets will be the difference between the successful, secure company of the future and companies like Ashley Madison that clearly represent the way of the past. However, if we don't see the need to remove people from security operations, testing and auditing, and install lights-out security centers instead, we will not be able to handle the future AI-driven attack landscape.


Carl is an IT security expert and currently manages Radware's security practice in the Americas. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical ...
Comments

danelleau1, User Rank: Strategist
11/2/2015 | 6:29:16 PM
Automation Is Key
Agree... We need to fight attackers' use of automation with automation. Otherwise, we face a losing battle. There is still a place for the human element -- but hopefully by combining with automation, we use our limited pool of cybersecurity talent on the more strategic tasks. 