Automation and artificial intelligence are the future of security
If you work on IT security in a large enterprise, chances are you’re overwhelmed. Just as the capacity of your systems and networks grows and the amount of data going through them mushrooms, the number and complexity of threats grows as well. And if things weren’t hard enough, government regulations put time pressure on security personnel to identify breaches and report them promptly.
Even if throwing people at the problem were the answer—and it might not help at all—you probably don’t have the budget for it. To deal with a large number of potential real-time threats, what you need is a lot of real-time analytical power. The obvious answer is software.
The IT community recognizes that artificial intelligence, combined with increased automation of security tasks, is the only way to keep up with a threat landscape that will only get more difficult. A recent study conducted by the Ponemon Institute and sponsored by Aruba, a Hewlett Packard Enterprise company, demonstrates this clearly.
Data was collected from security teams around the world in a wide variety of industries, including financial, healthcare, public services, retail, and industrial. Of the 3,866 survey respondents, 59 percent hold supervisory positions or above, and all are involved in the purchase, evaluation, or administration of IT security investments in their organizations. Respondents are from large organizations, two-thirds of which report worldwide revenues of more than $500 million, and have a global head count greater than 1,000 employees.
Security issues vary; IoT devices continue to be weak link
Keeping a large, global, technology-focused organization concentrated on IT security can be difficult, especially given that 76 percent of respondents said that more than 25 security solutions are in use in their organizations and were often adopted in an ad hoc, point-in-time manner.
Overall, a majority of respondents perceive significant challenges with their enterprise security and their ability to improve it. The most commonly cited concerns included:
- The disappearance of the network perimeter and the resulting spread of assets and data into the cloud, across mobile networks and IoT devices, makes their protection very difficult. Many aspects of securing these devices are out of IT’s hands and now the responsibility of third-party service providers.
- IT lacks visibility into many of the behaviors of assets it is held responsible for. This is particularly true of IoT devices, which have comparatively simple computing resources and lack the capacity to run software that would allow full IT management of the devices. A large majority of respondents said visibility into the application, cloud, and network is important to providing effective security.
- Respondents view IoT devices as a particular problem. They overwhelmingly believe even those devices that simply monitor or perform minor tasks are potential security threats.
- IT departments, particularly security staff, feel outmanned. Forty-eight percent of respondents say a lack of adequate staff with security expertise has led to a skills gap. They view attackers, on the other hand, as “persistent, sophisticated, well-trained, and well-financed.”
- Respondents view compromised legitimate users as the greatest risk to networks. No matter how strong your identity and access management is, if a user’s credentials are compromised, the attacker gains all the user’s access. Such attacks are generally based on social engineering, such as spear-phishing attacks, and therefore target the weakest element of the security system (i.e., the user).
- Many security products produce too many alerts and, largely as a result, too many false positives, respondents said.
Another major concern is compliance with government regulations, with the European Union’s General Data Protection Regulation (GDPR) specifically mentioned. Article 33 of GDPR requires that the “controller” (the organization in possession of an individual’s personal data) notify relevant EU authorities of a breach of that data within 72 hours of the controller becoming aware of the breach. Article 34 requires notification of the individual “without undue delay.”
The consensus solution is AI as applied to security, using techniques such as machine learning (ML) and behavioral analytics. A secondary and related focus is on automation.
AI helps detect threats that would otherwise go undetected
Respondents believe AI techniques will make their security teams more effective, more efficient, and better able to detect threats that would otherwise slip through the cracks.
Products that use these techniques are already available. Twenty-nine percent of respondents have implemented ML, with 12 percent having extensively implemented it throughout their organizations. Some 46 percent expect to have AI or ML solutions implemented soon, and 26 percent expect to do so within the next year.
The use of AI makes good sense as a solution to the systemic problems identified in the survey. Human capacity to manage security and respond to attacks can’t scale with the growth of the problems. Machine intelligence, on the other hand, can scale and makes good use of the vast computing resources of the cloud.
The volume and complexity of attacks contribute to the lack of visibility. It is often the case that detailed log data and telemetry are available but in such a volume and form that it is impenetrable in raw form. Analytical software, armed with intelligence from elsewhere in the enterprise and beyond, can learn to separate the mundane and the spurious from the truly dangerous.
This last characteristic raises another advantage of intelligent software. For many years, security intelligence companies have been sharing intelligence, officially and unofficially, in an effort to make protection more widespread and, thereby, stop attacks more quickly. There are even standards and APIs now to help sites gather and use intelligence from multiple trusted sources. The nature of the cloud and the markets for such intelligence argue that defensive capabilities are improving and should continue to improve.
With respect to regulatory compliance, and specifically with GDPR Articles 33 and 34, AI and automation are the only reasonable way to prepare accurate responses in a reasonable time period. The survey shows that respondents are aware of this.
Automation has been a major focus in security and other IT functions for years as part of the DevOps phenomenon. DevOps attempts to marry development and operations using monitoring and automation. In the cloud, these processes can reach the point of building up and tearing down whole levels of infrastructure in software.
Automation key to investigating alerts, reducing false positives
Survey respondents overwhelmingly (71 percent) view automation as key to reducing the amount of time and effort required to investigate an alert, while 68 percent view it as an important tool in reducing the number of false positive alerts. This kind of automation is the only way to make GDPR compliance practical.
The capabilities of automation are almost limitless in theory, and yet certain applications of it are problematic. When automation would shut a certain user out of the network or stop a business process, clearly a responsible human staff member is needed for immediate attention to the matter. Even so, it is for attack containment and remediation that survey respondents see the most value in automation. There’s no substitute for speed in such situations, and if intelligent software can filter out the false positives effectively enough and then use automation to direct staff to the real problems—even at the cost of short disruptions to business—it's a good bargain.
IoT, again, is a major concern. As with the early days of BYOD, business units are clamoring for such capabilities and often impatient with security concerns. Intelligence plays a role here, but product vendors and service providers also need to beef up their device and network security—and the market will force them to do so. In the meantime, the analytic capacity of security products infused with machine learning and artificial intelligence will spread a dragnet that attackers will find difficult to escape.
On the other hand, it has proved difficult to improve the security capabilities of users, which is why social engineering is a more effective form of attack than ever. Intelligent software and automation must play a major role here as well. One example cited by survey respondents is network access control (NAC), which checks whether systems attempting to connect to the network conform to policy requirements, such as having current operating system updates and antivirus definitions. If users don’t qualify, they are shifted to an isolated 802.11 subnet, which allows them to apply necessary updates but not cause any damage. NAC has been streamlined over the years and now installs quickly to deliver immediate value. It helps with IoT devices because it allows security teams to define policies that restrict device access to only those resources they need for their mission.
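The admission check that the NAC description above outlines can be illustrated as a small policy engine. The example below is added here and is not code from the article, the survey, or any Aruba or HPE product; the posture fields, age thresholds, VLAN names, device records and destination hostnames are all constructed for illustration. Managed endpoints are checked for current OS updates and antivirus definitions and, if they fail, are placed in an isolated remediation segment that can reach only the update servers; IoT devices, which cannot run an agent, are instead confined to the resources their role needs.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed policy thresholds (not taken from any product or the survey).
MAX_PATCH_AGE = timedelta(days=30)   # OS updates must be at most this old
MAX_AV_DEF_AGE = timedelta(days=7)   # antivirus definitions must be at most this old


@dataclass(frozen=True)
class Posture:
    """What the NAC agent (or a profiling probe, for agentless IoT) reports."""
    device_id: str
    kind: str                        # "managed" (runs an agent) or "iot" (no agent)
    os_patched_on: Optional[date]    # None when unknown / not reported
    av_defs_on: Optional[date]
    iot_role: Optional[str] = None   # e.g. "camera"; used only when kind == "iot"


@dataclass(frozen=True)
class Decision:
    vlan: str                        # segment the port or SSID session is placed in
    allowed_destinations: Tuple[str, ...]   # ("*",) means unrestricted
    reason: str


# Constructed: the only resources each IoT role legitimately needs to reach.
IOT_ROLE_DESTINATIONS = {
    "camera": ("nvr.corp.example",),
    "hvac": ("bms.corp.example",),
}
# Constructed: update servers reachable from the isolated remediation subnet.
REMEDIATION_DESTINATIONS = ("wsus.corp.example", "av-updates.corp.example")


def check_posture(p: Posture, today: date) -> Decision:
    """Decide which segment a connecting device is admitted to."""
    if p.kind == "iot":
        # Agentless devices cannot prove patch state, so they get a per-role
        # allow-list instead of a posture check; unknown roles are quarantined.
        dests = IOT_ROLE_DESTINATIONS.get(p.iot_role or "")
        if dests is None:
            return Decision("vlan-quarantine", (), f"unknown IoT role {p.iot_role!r}")
        return Decision("vlan-iot", dests, f"IoT role {p.iot_role} limited to its controller")

    failures = []
    if p.os_patched_on is None or today - p.os_patched_on > MAX_PATCH_AGE:
        failures.append("os-updates-stale")
    if p.av_defs_on is None or today - p.av_defs_on > MAX_AV_DEF_AGE:
        failures.append("av-definitions-stale")
    if failures:
        # Isolated subnet: the host can reach only what it needs to become
        # compliant, so it cannot do damage while it is out of policy.
        return Decision("vlan-remediation", REMEDIATION_DESTINATIONS, ",".join(failures))
    return Decision("vlan-corp", ("*",), "compliant")


# Constructed sample devices and a fixed "today" so the run is reproducible.
TODAY = date(2018, 6, 1)
SAMPLE_DEVICES = [
    Posture("laptop-01", "managed", date(2018, 5, 20), date(2018, 5, 30)),
    Posture("laptop-02", "managed", date(2018, 3, 1), date(2018, 5, 31)),
    Posture("laptop-03", "managed", date(2018, 5, 25), None),
    Posture("cam-07", "iot", None, None, iot_role="camera"),
    Posture("gadget-99", "iot", None, None, iot_role="toaster"),
]


def evaluate_all(devices=SAMPLE_DEVICES, today=TODAY):
    """Map each device id to its admission decision."""
    return {d.device_id: check_posture(d, today) for d in devices}


if __name__ == "__main__":
    for dev_id, decision in evaluate_all().items():
        print(f"{dev_id:10} -> {decision.vlan:16} {decision.reason}")
```

Running the block prints one admission decision per sample device: the patched laptop lands in the production VLAN, the two out-of-policy laptops in the remediation subnet with their failure reasons, the camera in the IoT segment limited to its recorder, and the unrecognised device in quarantine with no reachable destinations.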
It's not a path to the future—it is the reality now
Constant change is a challenge for security. It’s hard to keep up with all the changes, including all of the inevitable vulnerabilities in new technologies, while keeping businesses running. The new technology itself must be a big part of the solution, and it seems natural that it will be. Machine learning and pervasive automation will work their way into security products at all levels, kicking security response up to Internet speed.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.