
10/30/2015
12:45 PM
By Carl Herberger, VP, Security Solutions, Radware

The Dawn of Lights-Out Security

In the future, the role of humans will focus on the architecture, design and automation of security, not on the actual testing or operational management.

The world around us is changing at such a breakneck pace that it’s often hard to understand the macro implications. For the information security professional, this dynamic has the potential to broadside your career track -- or worse, the effectiveness of your job. Here are two issues companies are trying to address:

Cyberattack effectiveness is often a result of human error 

  • Humans represent one of the most common vectors for a successful hacker
  • Human technical authentication is problematic as people struggle to remember strong authentication sequences such as long passwords
  • Human training is, at best, fleeting in effectiveness and not consistent

Cyberattack tools and techniques are more effective   

  • Hacking tools benefit from big development efforts. Hacking is a very lucrative business and significant money is being invested as hackers see big returns.
  • Tools have been automated: In order to run hacking tools at scale, the tools require automation and behavioral characteristics that avoid "cleaning" by security efforts and discovery by detection efforts.
  • Tools are now robotic (aka "bots"). They use behavioral and artificial intelligence algorithms to anticipate security defenses and quickly adjust and react with new, more offensive strategies.

Offloading "thinking" to automation, as opposed to the 6,000-year-old trend of offloading "physical labor," is a major shift in societal behavior. According to the BBC’s website, nearly 80 percent of the security professional’s job will be gone in the next few decades, driven by answers to the trends above.

There are three major trends that are threatening information security officers globally.

  • Artificial Intelligence (AI): Automation overall is giving rise to AI in everything we do. The threats are driven by AI, but our defenses are still, by and large, manual technical defenses.
  • Humans are the best attack vector: Automation is driving de-humanization and accelerating non-technical vulnerabilities. These non-technical vulnerabilities are, ironically, accelerating the idea that data privacy / confidentiality is not the sole responsibility of information security professionals.
  • Lights-out security: Ironically, our future threat is also our answer. Haste, waste, or delay in automation defines future failure.

In AI, threats are automated, defenses are manual

Humans have been automating work for a long time, but we’ve never had the capability to really automate thinking. From this perspective, the natural inclination is to believe that we’ve been here before, but this concept is new. It is also a serious threat and, ironically, our biggest opportunity for technical breakthroughs.

Most of us have become so numb to the omnipresence of bots in nearly all security attacks that we haven’t bothered to look deeply at how bots themselves have evolved. They’ve evolved into highly efficient tools which automate nearly everything an attacker might want to accomplish, from escalating privileged access, to decrypting traffic, to driving volume in DDoS attacks. Most of the major security threats such as application DDoS, brute force, and SQL injection are executed at least in part through botnets. These tools are designed to select actions based upon the anticipated responses from you, the defender. As people have become more and more predictable in detection and mitigation, the bad guys are designing tools to adjust to our defenses faster than we can detect their changes.

Humans have become the best attack vector in new ways

From socially engineered attacks like phishing to USB drive attacks, humans have distinguished themselves as being highly vulnerable creatures and commensurately not easily secured. Two big human behavior security issues which can be addressed by automation include:

  1. Security bots that would dramatically improve Identity and Access Management (IAM). Let’s face it. No humans, no need for human-esque passwords. In addition, scores of security technologies (and security teams by extension) continue to rely on the IP address as a primary means of identifying legitimate users and blocking malicious traffic sources. Security professionals need new, more accurate technologies that are not prone to error caused by the myriad of ways an IP address can be spoofed or obfuscated.
  2. Security bots that can deprecate or remove much of the human’s training, performance unpredictability, and reliability. The sobering truth is that to err is human and there is no patch or process that will solve this problem, no matter how much training or effort. Intelligent and predictable bots or AI are solutions that are being deployed in highly successful environments. That success may give us hope, but it also has dramatic implications for the future of information security. AI replacing humans is already occurring in high-risk “human” industries such as trading exchanges and transportation.

The truth is that the future of information security will look dramatically different. We make a case here that nearly every facet of security will eventually remove humans, from penetration testing and vulnerability testing to SOC operations to incident response. The role of humans will focus on the architecture, design, and automation of security, not in the actual testing or operational management of security.

New automated paradigms are being spawned and aided by newer technologies which enable automation and orchestration such as software-defined networking, network feature virtualization, cloud services, APIs, and of course, algorithms with intelligence.

In addition to process changes, there will also need to be huge overhauls in technology and attention to four major areas of security, changing the paradigm from defense in depth to defense in what we call attack mitigation pillars: collection, detection, command and control, and mitigation.

In the end, there is a lot of good news for security, including the variety of new tools, like device fingerprinting, that employ various methodologies to gather IP-agnostic information about the source. The device fingerprint uniquely identifies a web tool entity by combining dozens of attributes of a user’s device to identify and then track their activities, generating a behavioral and reputational profile of the user. In addition, there are powerful cross-vendor automation and orchestration tools which are dramatically assisting the security professional in automating their collection & mitigation.
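The contrast between IP-based and fingerprint-based identification can be shown over a few login events. This is an added example, not code from the article or from any vendor product: the attribute names, the event format, the threshold and all sample events are constructed for illustration.

```python
import hashlib
from collections import Counter

# Hypothetical attribute names; a real product combines dozens of signals.
FP_FIELDS = ("user_agent", "accept_language", "screen", "timezone", "canvas_hash")

def device_fingerprint(attrs):
    """Hash the canonicalised attributes into an IP-agnostic device identifier."""
    canon = "\x1f".join(f"{name}={attrs.get(name, '')}" for name in FP_FIELDS)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]

def flagged_sources(events, key, threshold):
    """Return the sources (as defined by key) with >= threshold failed logins."""
    failures = Counter(key(ev) for ev in events if ev["outcome"] == "login_failed")
    return sorted(src for src, n in failures.items() if n >= threshold)

def make_event(ip, device, outcome="login_failed"):
    return {"ip": ip, "device": device, "outcome": outcome}

# Constructed sample data (documentation IP ranges, invented device attributes).
BOT = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "accept_language": "en-US",
       "screen": "1024x768x24", "timezone": "UTC", "canvas_hash": "a1b2c3"}
ALICE = {"user_agent": "Mozilla/5.0 (Windows NT 10.0)", "accept_language": "en-GB",
         "screen": "1920x1080x24", "timezone": "Europe/London", "canvas_hash": "d4e5f6"}
BOB = {"user_agent": "Mozilla/5.0 (Macintosh)", "accept_language": "fr-FR",
       "screen": "2560x1440x30", "timezone": "Europe/Paris", "canvas_hash": "0718fa"}

EVENTS = (
    # One device spreading failed logins across six addresses, one per address.
    [make_event(f"198.51.100.{i}", BOT) for i in range(1, 7)]
    # Two different users behind one NAT address, two typos each.
    + [make_event("203.0.113.10", ALICE)] * 2
    + [make_event("203.0.113.10", BOB)] * 2
    + [make_event("203.0.113.10", ALICE, "login_ok")]
)

THRESHOLD = 4
by_ip = flagged_sources(EVENTS, lambda ev: ev["ip"], THRESHOLD)
by_device = flagged_sources(EVENTS, lambda ev: device_fingerprint(ev["device"]), THRESHOLD)

if __name__ == "__main__":
    print("flagged by IP:         ", by_ip)       # the shared NAT address only
    print("flagged by fingerprint:", by_device)   # the address-rotating device only
```

Counting by IP flags the shared NAT address and misses the rotating source; counting by fingerprint does the reverse. The attributes are reported by the client, so a fingerprint is a signal to correlate with other evidence rather than proof of identity.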

Lastly, the growth in algorithms and the adoption of these new powerful toolsets will be the difference between the future successful and secure company, as opposed to companies like Ashley Madison that clearly define the way of the past. However, if we don’t see the need to remove people from security operations, testing and auditing and install instead lights-out security centers, we will not be able to handle the future AI-driven attack landscape.


Carl is an IT security expert and currently manages Radware's security practice in the Americas. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical ...
 

Comments
danelleau1,
User Rank: Strategist
11/2/2015 | 6:29:16 PM
Automation Is Key
Agree... We need to fight attackers' use of automation with automation. Otherwise, we face a losing battle. There is still a place for the human element -- but hopefully by combining with automation, we use our limited pool of cybersecurity talent on the more strategic tasks. 