CyberSecurity Future: Humans & Machines Work Symbiotically
Cybersecurity's future will require humans and machines to work symbiotically.
In yesterday’s world of enterprise security, there were a few well-known points of weakness for the bad guys to target in their attacks, which made defending against threats, well, much simpler. But today’s mobile and cloud-enabled world offers thousands, if not millions, of touch points for attacks.
Driven by the advent of the Internet of Things, connected cars, homes, retail sensors, watches, cameras, utility meters, and more, over 40.9 billion connected devices are expected to be in use within five years, nearly five times the 8.7 billion connected devices recorded in 2012. That is the primary reason for a massively expanding attack surface.
As a result, we predict the surface area for potential cyber attacks will grow 10x larger from 2010 to 2020. Although companies are building their own security solutions to help them detect and mitigate attacks at the earliest possible stages, as time goes on more devices will be shared across contexts by multiple users, which means the methods by which attacks are perpetrated will multiply. The modern enterprise lives across the cloud, mobile devices, and the Internet of Things, which means the approaches we previously used to defend against cyber threats are no longer viable.
There are a couple of bills under debate in the U.S. Congress that, if enacted, will enhance the flow of information about hackers’ tactics between the government and the private sector, particularly among financial institutions. Both sides need more data on the dangers they face, and sharing threat-related information is a good way to increase security while also potentially reducing corporate liability.
Among consumer-facing companies, Facebook is a few steps ahead of the curve. The company proactively launched ThreatExchange, a new API-based platform for sharing security threat information. Its early partners include Bitly, Dropbox, Pinterest, Tumblr, Twitter, and Yahoo.
Mark Hammell, manager of the threat infrastructure team at Facebook, explains Facebook’s motivation: “Our goal is that organizations anywhere will be able to use ThreatExchange to share threat information more easily, learn from each other’s discoveries, and make their own systems safer. That’s the beauty of working together on security. When one company gets stronger, so do the rest of us.”
Given the evolution of cyber threats, security needs to be addressed with a collaborative, distributed systems mindset centered on protecting identities. Identity is a concept in modern consumer-facing digital services that aims to track and understand people across the various devices they use, based on their preferences, relationships, attributes, and interests.
Modern consumer platforms own the identities of their users, but many enterprises still use homegrown identity platforms that they can’t scale across their security products. These stacks don’t track privileges, relationships, or the context of user interactions.
Without a better understanding of identity, security professionals will have a hard time detecting and predicting attacks at scale, which is why today’s monolithic security products need to be rebuilt with identity at the core of a distributed system.
A ton of data is being collected and monitored across security systems around the globe without any substantial analysis. As a result, that data is not being put to any use in protecting against attacks.
Currently, security analysts are responsible for reviewing an incredible amount of data, both internal and external. And while more and more data inputs are coming in, enterprise security continues to rely on the same straightforward human resources.
In most enterprise settings, security data gets collected and correlated in SIEM (Security Information and Event Management) products made by Splunk, LogRhythm, and others, and it ends up overwhelming the security analysts tasked with making sense of it. For example, one of the world’s largest banks plans to double its security professional staff to analyze and triage events, but that’s not going to stop it from being attacked. This huge demand for security professionals is a problem that is not relegated to the big banks, either.
The real leverage in security will come with technology that can detect, prioritize and act against the millions of threats enterprises face on a daily basis. Unfortunately, today’s systems are not smart enough to determine which events and vulnerabilities need attention now.
When Target was attacked, the system detected it, but the security first responders didn’t see the alerts because there was no system in place to prioritize threats, characterize the cost of the impact, and force a response.
A defense built upon supervised machine learning and AI could resolve countless mundane attacks itself, so that security analysts could focus on the high-priority threats that matter most. Human expertise is always necessary to deal with the “unknown unknowns,” but having a machine act on behalf of humans for the high-volume, low-priority events could free up the humans to focus on high-priority events during an emergency.
We often think of the future as a battle for control between humans and machines, but in the world of security, we need a symbiotic relationship. The only way we can solve this problem is if humans train machines to do the basic functions, so that the humans are free to do the more important work.
To give one example already in use today, Google’s PageRank algorithm shows search results based on what links a user clicks most often — and then uses that data to inform what it shows the next person. Security platforms need to implement the same kind of supervised machine learning so that humans can teach the machines what to look for when assessing immediate threats and anomalies.
This structure will also provide a new weapon to defend our online borders. With deep learning and supervised AI, security professionals will get to the information that matters most before the attacks actually happen. A human expert would be hard-pressed (actually, it would be impossible) to deliver the kinds of results needed for today’s complex security environment, but a new AI-armed security force would not only identify what has been compromised but also have the ability to quickly isolate the attack and prevent further harm.
It’s clear that the definition of security is changing from reactive to proactive, and it is one of the most exciting growth areas of computer science. Enterprise security, which is a $76.9 billion market today, is expected to grow to $86 billion by 2016, and whereas only 10 percent of enterprise security budgets are allocated to real-time detection and response at present, that’s expected to jump to 60 percent by 2020. I have been thinking a lot about the opportunities that now exist for entrepreneurs, as well as for my firm, Foundation Capital.
Tackling these opportunities is an enormous task, but it’s also going to be incredibly thrilling work. The way I see it, there are three key areas that we need to address in order to protect the world from evolving security threats. If you are thinking about starting a security company, one of these categories might be a good place to start.
Identity-Based Distributed Firewalls
Fully distributed firewall services that act based on identity and application-level context. The last great firewall company, Palo Alto Networks, was created over 10 years ago, and the world has changed considerably since then. Centralized firewalls sitting in the DMZ are no longer the answer.
Security Operations Centers for the Cloud
Blended cloud and on-premise security platforms that help enterprises better understand and manage incidents across traditional on-premise apps and modern cloud apps with a single tool. This unified approach is what every company should be striving for in the coming years.
Security Orchestration
Enterprises spend millions on consulting services from companies like Mandiant and Verizon for outsourced security services and advanced forensic analysis. Providing enterprises with new tools that enable the average security professional to do detective-style forensic investigation without the expense of outside consultants will be huge.
As the world becomes more connected and our vulnerability increases, the need for more comprehensive security will become imperative for everyone from small businesses to multinational corporations, and, of course, for their customers. The opportunity is staggering.
VB: http://bit.ly/1HrFSNT