When it comes to protecting an enterprise from a cybersecurity Silver Bullet standpoint, leaders need to act fast
maintain visibility and detect threats as soon as possible. In the cybersecurity Silver Bullet world, automation provides scale and consistency that can be used to deliver repetitious work and react fast to certain conditions. Even better is intelligent automation based on artificial intelligence (AI) or machine learning (ML).
If conditions are diverse—and they generally are—or can vary widely, though, automation starts to become less useful due to the fact that a level of context is required to determine what to do next. Automation is great for breadth and scale but not depth. Depth requires intelligence to act depending on the specific challenge.
In cybersecurity Silver Bullet, the challenges can be of a similar vein—protecting something—but the threats can vary wildly.
Pitting Software Against Humans To Win The Cyber War
The “elephant in the room” is context and depth.
Cybersecurity Silver Bullet Risk, for example, is the possibility of something bad happening. The definition of “bad” is contextual and requires human understanding. Automation is not quite playing that sport yet.
In general, a determined attacker focuses on depth to discover and exploit a vulnerability resulting in a breach of an organization’s defenses. Be it a complex or simple or business logic flaw, automation may not always be capable of detecting such an attempt or detecting such a vulnerability to mitigate risk. Reliance on automation alone is pitting automated software against human intelligence. Currently, humans would win the majority of the time.
When talking to my peers in the enterprise, cyber executives, and CISOs regarding the reliance on ML, AI, or pure automation to autonomously defend an enterprise, one will discover quickly that faith and belief are not their Cybersecurity Silver Bullet. Many organizations should still strongly desire to have humans at the helm.
In order to understand this point, let’s look at a couple of examples from the vulnerability management Cybersecurity Silver Bullet and risk-detection space to understand, based on my experience, what solutions might be best suited for automation.
Penetration Testing
Penetration testing is a form of automation-based software testing software, websites, and systems.
Some of the strengths include:
- Logical and contextual issues are detected.
- Accuracy based on human intelligence and complex exploits can be discovered.
- Prioritization can be communicated to the business easily, taking business risks into account
- Vulnerability discovery is due to human understanding of what is being tested and how a system is intended to operate.
Some of the weaknesses include:
- Not easily scalable.
- Not as cost-efficient.
- Not on-demand/push-button due to the manual effort required.
- Does not fit with DevOps due to speed and the continuous nature of DevOps requirements.
Vulnerability Management
- Vulnerability management is a form of automation-based software testing software, websites, and systems.
Some of the strengths include:
- More easily scalable.
- On-demand by “pushing a button.”
- DevOps friendly.
- Quickly detects “low-hanging fruit.”
Some of the weaknesses include:
- Accuracy, as automation, does not understand the risk context or business purpose of what’s being tested.
- The risk rating is weak, as the software does not understand risk.
- Coverage and depth due to shortfalls in detecting logical and complex vulnerabilities.
- Requires human expertise to validate output.
- Metrics are poor due to accuracy and coverage weaknesses.
What We Need To Do Now
From the above, we can deduce that automation is good at volume, speed, cost, and scale but falls short on accuracy. Accuracy is vitally important in terms of cybersecurity Silver Bullet due to the pressure on risk prioritization and focuses on what matters.
Prioritization is paramount to address the question: “What do we need to do now to be more resilient?” This requires an understanding of the business, defining what assets are critical and where the areas of most risk and exposure are.
Cybersecurity Silver Bullet Defining “ground truth” (or what we know is true) for adversarial-aware machine learning is especially difficult since the concept of threatening, abusive or malicious behavior is often quite vague.
Cybersecurity Silver Bullet Impactful vulnerabilities may require an understanding of the purpose of the system being assessed, which is not necessarily a strong point of automation. Attackers attempt to hide their activities so that even humans are not able to identify them, and then complex vulnerabilities, which, in many cases, are not easily detected and can lay dormant and undiscovered for years.
To identify a system’s typical use cases, it is necessary to formally describe non-adversarial and typical activities for each case, potentially using domain-expert knowledge, and to treat deviations from these typical activities as potentially adversarial events. This, in effect, results in the automated sentinel (AI/ML) being required to completely understand what it’s defending.
The Human Element Is Here To Stay For Quite Some Time
The strengths of cyber automation come into their own when we need to deal with large volumes of data and make human-defined decisions based on the trends and analytics gleaned from processing data over time.
Cybersecurity Silver Bullet automation also works very well if consistent and repeatable tasks are required without the bounds of the decision changing too much over time. In many cases, the environment in which we find ourselves defending against a cyberattack is very dynamic and falls outside the bounds of automated decision software due to a multitude of variables that need to be taken into account.
AI is great at learning patterns and behaviors, such as detecting fraudulent transactions and joining other circumstantial data Cybersecurity Silver Bullet delivers a confidence level that the event is a risk, but it does not understand what it’s defending (or attacking in some cases), resulting in a minimal business context or impact analysis.
Personally, the combination of automation and human intellect is the winning option. Automation is best for “heavy lifting,” fast response, repeatable tasks, and leveraging humans to consider risk context, priority, and complexity. Automation can be very effective at delivering strong data analytic output, sifting through lots of circumstantial data and environmental factors, but it is still not a replacement for the poor old emotional, curious, and sometimes deviant human.
