ESG Blog: RSA - Detaching Hype from Reality
Author: Dan Conde
As the RSA Conference continues to grow, along with interest in cybersecurity, many solutions presented at the show strive to rise above the fray of similar messages and voices. Of particular interest in the last few years has been the application of AI, machine learning, and big data analytics to the problem of improving security.
That is a fine thing, provided it is not treated as a magic bullet. If it gets overhyped, there will be a danger of backlash.
Automation is a great way to try to solve part of the cybersecurity skills shortage. Bruce Schneier, who spoke at an event hosted by BMC, made that point. We see great examples in spam protection, where you rarely see false positives in Gmail. However, automation can’t solve all problems. If you’re going against a predictable adversary, then relying on the data helps. If you’re going up against something unpredictable, you need better execution. Unpredictable attacks require you to be smart and execute appropriate countermeasures, and simply throwing more horsepower designed for older attacks won’t work against a new form of attack. Furthermore, adversaries are using automated methods too, so it's a losing game to try to simply deliver a high volume of “dumb” responses, since the adversaries will raise their volume, attempt to outwit you, or just win the arms race.
This was echoed at a panel hosted by Gigamon that also discussed the dangers of relying too much on AI. First, people confuse AI and machine learning. They are different things, and ought to be used for different purposes. Furthermore, you need a human element. Lessons from experts need to be fed into these systems (to make the system learn) and you cannot expect a blank slate to evolve to become a proficient security analytics system without a baseline to start from.
What people often neglect is that automation is an augmentation of existing human knowledge, and that skill sets and processes may be the key basic lessons that all IT organizations can benefit from. If the SecOps team does not talk to the NetOps team, the organization may be ultimately doomed to a breach since it never has the holistic view of what’s going on, and gaps may exist between the two teams. So the lesson ought to be to apply common sense and fix the basics at the organizational level, making your staff more effective. On top of that good foundation, you can apply whatever automation or AI tools you need.