October, National Cybersecurity Awareness Month (NCSAM), is winding down, but there are important conversations that still need to happen. While we (the cybersecurity community) take this month to revel in what we do –making the world a safer place – we don't stop working. At the heart of our efforts is this year's NCSAM message, "Cybersecurity is our shared responsibility and we all must work together to improve our Nation's Cybersecurity."
Over my twenty plus years in cybersecurity, I've seen a lot change and very little change all at the same time. To me, the biggest change is simply the staggering growth of our industry. As one small data point, consider that RSA Conference grew from 2,500 attendees in 1997 to over 40,000 this past year. The cybersecurity ecosystem has matured to meet the growing demand. However, while we've certainly made progress, what hasn't changed all that much is the continuing struggle organizations face with basic security issues related to protecting sensitive information.
Many in the cybersecurity community feel we are on the verge of seeing real change in helping organizations solve these most fundamental issues. Technologies like Artificial Intelligence (AI) and Machine Learning (ML) hold great promise in helping organizations more intelligently and expeditiously triage the flood of security threats and alerts that inundate them daily. And while AI/ML are a beacon of hope for defending organizations against damaging data breaches, threat actors also use them to launch bigger and more sophisticated attacks.
Adversaries will undoubtedly use machine learning to build malware that evades intelligent defenses, make social engineering and spear-phishing attacks smarter and more personal, and bombard automated systems with false positives. Regardless of how they specifically plan to weaponize AI/ML, threat actors most definitely plan on using them against us.
We must work together in order to beat our adversaries in this high-stakes cyber arms race. In order to do that though, cybersecurity vendors and end-user organizations have to change some of the ways in which we communicate and share information with one another. Here are three ways in which the cybersecurity community can ensure we stay ahead of our adversaries and win the AI/ML cyberwar:
Think Like an Attacker
One thing attackers do surprisingly well is share information with each other. They routinely use the Dark Web to converse with and train each other, as well as to sell black-market cyber arms like credit card numbers, user credentials, voter records, and malicious software. Attackers also frequently rely on coordinated communications for reconnaissance, and attack execution. For instance, groups of bots (botnet) routinely share data with each other and with various command and control (C&C) servers, in order to stay synchronized.
Here is where cybersecurity vendors need to take a page from the attackers' playbook by knocking down the walls that physically separate your application, endpoint, identity, network, and other security solutions limiting the broader visibility and insights gained by correlating otherwise disparate information. The basic promise of AI is that someday machines will autonomously perform a variety of functions once reserved for humans. However, doing this effectively requires data, and lots of it.
Proactively Share Perceptions and Lessons Learned
Mobilizing your "security village" by connecting the dots between your various security solutions and external threat intelligence feeds is certainly the right strategy for getting to orchestration and automation – changing the game on our adversaries. AI provides the foundation for helping us do just that. However, actually making it all work seamlessly together can require significant planning and effort.
Cybersecurity vendors and end-user organizations need to come together to discuss AI perceptions, misconceptions and barriers to adoption. Are companies ready to connect their solutions together and let them act autonomously on their behalf? Probably not. Organizations that have dipped their toes in the AI waters can greatly help us all by sharing their stories and lessons learned. This will assist with aligning the vendor community and educating those on the fence to the dos and don'ts – in the hopes of giving those companies on the sidelines the courage to join the game.
Demystify the Black Magic
Data Science is a complex field involving the application of scientific methods and algorithms to gain insights and knowledge from both structured and unstructured data sets. While most of us will never comprehend the nuances of how a particular data model works, organizations looking to turn on AI based security solutions need more than just blind faith in black magic.
Organizations need to be able to peek under the hood to better understand how a machine learning engine works. While the overwhelming majority of security and IT pros have no aspirations of becoming data scientists, they need enough information to trust that a solution is doing what it's supposed to. For instance, why did an action or event generate a particular risk score? What were the major factors that contributed to this score, and how could these factors be manipulated to make it higher or lower? Cybersecurity vendors and AI providers need to take the mystery out of the magic, enough so that organizations can trust their results and establish predictable models for assessing risk. This, in turn, will enable organizations to achieve a certain comfort level with AI based solutions and begin rolling them out more broadly across their environments.
# # #
Manage Digital Risk
RSA is operating at the crossroads between business and security to ensure that our customers can create an explicit linkage between what security technologies indicate, and what that means in terms of risk to their business; leading to better business decisions and more efficient information security investments.
RSA calls this Business-Driven Security. Empowering organizations of all sizes to take command of their digital transformations with visibility, insight and action, to manage digital risk and ensure protection of what matters most.