As stated in previous posts, the cybersecurity market is VERY crowded – dominated by venture capital and Silicon Valley start-ups. Intoxicated by notions of automating tough problems normally handled by humans and leveraging the meteoric advances in machine learning and AI, the Valley has rushed forward towards the “light”. Understandable, right? Well, understandable maybe, but is it the correct approach?
When it comes to cybersecurity, there is a sharp divide on the efficacy of this sweeping movement towards machine-based analytics. Consequently, technology has become more prized than tradecraft[i].
This shift has far-reaching ramifications that are downright scary. First, as companies remove human intuition from cybersecurity workflows, we are rapidly losing our understanding of our cybersecurity data and of how our automated tools arrived at their various conclusions.
Secondly, these automated tools all too often mistake anomalous activity by insider bad actors for normal activity when it is anything but normal. And finally, are these automated systems actually successful? How many SIEM or UEBA projects have we all heard about that never made it off the ground? Or, worse yet, were abandoned after months of time and millions of dollars had been spent?
Being geographically located in the shadow of the NSA and other pillars of our national intelligence complex, we see a striking contrast between the worlds of Silicon Valley and Washington. This difference is one of technology versus tradecraft.
Automation Good – Humans Bad
We all know and understand Silicon Valley’s appetite for automating everything and replacing human intelligence with artificial intelligence wherever possible. When it comes to self-driving cars, I might agree with that goal: driver error causes accidents, and as a society we will eventually wrap our minds around that, to take one example.
Traditionally, the Washington intelligence mindset views algorithms as powerful tools that can assist human analysts but certainly not replace them. They understand the importance and rigor of verification, of checks and balances, and of a thorough understanding of how the results were arrived at. Why? Because the stakes are far too high to do otherwise.
Insider Threats Much Worse Than Outside Threats
Another scary component of this trend away from tradecraft and towards automation is the problem of the insider. In cybersecurity, an insider threat is the category of damage caused by bad actors who already have access to important data. This might be the disgruntled employee, the misguided contractor, or an industrious bad guy who happens to have acquired carelessly guarded passwords or other credentials.
Undetected, these actors move freely within a network or IT infrastructure, causing massive damage along the way or exfiltrating private documents out the door and onto the dark web. Said another way, this behavior looks like “normal” behavior in the eyes of many automated cybersecurity tools. Of course, the outside bad guy who has obtained credentials enjoys the same freedom, and again, this may very well show up as normal to many highly automated analytic engines.
Further, a bias towards the outside “bad guy” penetrating the target organization’s perimeter and causing damage dominates most cybersecurity approaches. [There really isn’t such a thing as a perimeter anymore, but that is beside the point.]
The insider threat, on the other hand, is frequently weighted much lower than the outside threat in terms of focus and cybersecurity budget. Many experts believe insider threats are many times more dangerous than outside threats. Outside threats nonetheless get the IT dollars and, certainly, that is where Silicon Valley venture capital spends. So a false sense of security exists around tools that are purely analytical and automated and predominantly focused on external threats.
High Failure Rate
Finally, projects that replace tradecraft with artificial intelligence and automation have a high failure rate. Why? There are several reasons. Most of the time, automated cybersecurity systems alert on non-conformity with the security policy. However, the first thing that’s often discovered when they are implemented is the complexity of how the network actually operates and how many overlapping systems and conflicts are involved.
These friction points typically create such an abundance of alerts that the projects are either abandoned or the outputs are ignored and labeled as “false positives”. Quite simply, security teams become overwhelmed. The solution? More orchestration, automation and event management, of course! What better way to make sense of all the orchestration, automation and event management chaos you have created? All but the very largest organizations tend to “tap out” of this headlock, with good reason, at that point (or before).
Similarly, Silicon Valley has lulled us into an expectation that these new systems will work off the shelf. This “black box” mentality is very far from the truth. There’s a significant technical component to these projects that organizations often overlook—they simply assume the systems will work easily and automatically “right out of the box.”
The organizational payload of these systems is also substantial. To work correctly and efficiently, everyone needs to work together to accommodate their operation. Addressing the following factors is a must:
- Application development
- Patch management and change control in all departments
- Access control in all departments
- Server and authentication team
- Security infrastructure team
- Network team
- Storage team
- Audit and compliance
- Necessary changes in organizational IT roles and responsibilities
Getting these groups to sing from the same hymnal is nontrivial.
Finally, these projects are never complete. As things change in a network or IT infrastructure, the cybersecurity automation infrastructure must get its “care and feeding” too. Moreover, the cybersecurity threat landscape changes perpetually. How can machine learning or analytics engines keep up with that? Impossible.
Managed Detection and Response (MDR)
Cybersecurity tradecraft and human-centric detection are the route that many of us have chosen instead. The focus of Managed Detection and Response (MDR) is on detection, not compliance. Why? Because the things you are trying to comply with change faster than you can comply with them. Also, by the time you figure out that something is out of compliance, it is frequently too late to do anything about it and the damage is done. Finally, the withering overhead and cost of maintaining these systems in a form that is useful is overwhelming for all but the very largest organizations.
Instead, optimized MDR resources detect anomalous behavior and then react to it. Very straightforward and efficient. MDR can be implemented with internal resources and third-party tools, or through a managed services provider (MSP) for a fixed fee per month. The MSP route focuses on both internal and external threats, requires no capital outlay, and can be implemented very rapidly since the service is already in place and protecting other organizations. These economies of scale also allow the MSP to change and adapt the system nearly as fast as the bad guys do, as things change in your organization or in the threat landscape, and without any vendor lock-in.
The Valley Promise
The promise of Silicon Valley cybersecurity automation is for real but not quite ready for prime time. Eventually, as the hundreds of Valley firms dwindle down to a handful – as is always the case, historically, in maturing markets – sanity will prevail.
Until then, the rest of us non-Fortune 100 organizations must come to grips with the same realities the Washington intelligence community has. Automation, artificial intelligence, machine learning, deep learning, algorithms and analytics are great, but they must be part of a symbiotic human-machine analytic process. The tail cannot wag the dog.
[i] For those new to the term, tradecraft usually refers to the intelligence community’s structured analytical techniques for improving intelligence analysis, originated and perfected at the CIA. Cybersecurity tradecraft uses a similar approach to analyze and detect cyber events and is largely human-centric.