[BreachExchange] The future of computer security is machine vs machine

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 22 18:53:13 EDT 2018


https://www.csoonline.com/article/3262992/cloud-security/the-future-of-computer-security-is-machine-vs-machine.html

A growing number of computer security thinkers, including myself, think
that in the very near future, most computer security will be machine versus
machine--good bots versus bad bots, completely automated. We are almost
there now.

Fortunately or unfortunately, I don’t think we’ll get to a purely automated
defense for a long, long time.

Today’s security defenses

Much of our computer security defenses are already completely automated.
Our operating systems are more securely configured out of the box, from
firmware startup to the operating system running apps in secure
hardware-enforced virtual boundaries, than ever before. If left alone in
their default state, our operating systems will auto-update themselves to
minimize any known vulnerabilities that have been addressed by the OS
vendor.

Most operating systems come with rudimentary blacklists of “bad apps” and
“bad digital certificates” that they will not run and always-on firewalls
with a nice set of “deny-by-default” rules. Each OS either contains a
built-in, self-updating, antimalware program or the users or administrators
install one as one of the first administrative tasks they perform. When a
new malware program is released, most antimalware programs get a signature
update within 24 hours.

Most enterprises are running or subscribing to event log message management
services (e.g., security information event monitoring, or SIEM) that
aggregate security events, report on them, and maybe automatically
implement corrective actions (i.e., “self-healing”). Each of these
protective services gets better and more accurate over time.

Tomorrow’s security defenses

Operating system vendors are working to provide even more automated
security in the near future. One of the most daunting tasks for any
enterprise admin is to make sure all the computers and devices under their
control are securely configured and stay that way over the long run. Most
enterprises already have software programs that inventory and control
system security configuration settings. What is changing is that OS vendors
will let trusted third parties, which have a better and more up-to-date
understanding of the current security climate, more easily configure
everyone’s computer.

The customer will subscribe to a cloud-based service, which will completely
manage the security configuration of their devices. It’s already offered
and happening today, but most of the services aren’t overly sophisticated.
Many of these services manage only a few dozen settings. This is quickly
changing. In the near future, I expect customers to have dozens of
sophisticated configuration services to choose from with myriad
configuration options. Your people will likely not be making most of the
security decisions. That’s what you’ll be paying the managing vendor to do.

Another change will be more timely updates of security configurations based
on current security conditions. Today, the security configuration managers
can take weeks to respond to a new, growing threat. In the near future,
when a new security threat is noticed, the necessary defensive
configuration changes will likely be pushed out in a few hours. If a new
ransomware or advanced persistent threat (APT) becomes known, it will be
put down in hours, well before it can do your organization harm--not just at
the antimalware signature level, but at all the places (e.g., firewall or
blacklisting) that are needed to put down the threat.

Good AI-driven bots will travel and scour your network looking for badness
and misconfigured computers. If your device is compromised, expect that
device to heal itself. It will back up your data, if needed--probably not
because it’s protected in the cloud--and then restore the OS to the last
known uncompromised copy.

Future battles: hacker vs centralized security services

Because so much of our computing infrastructure will be protected and
controlled by well-informed, cloud-based decision makers, the malware and
hackers of the future will be forced to fight the centralized services
first and foremost if they ever hope to spread. They will probably
subscribe to these same services and look for holes, or subscribe to a
malicious service that belongs to multiple services and looks for and sells
weaknesses, much like some services do today fighting the accuracy of
VirusTotal.

This is where the future defense and attack scenarios start looking very
machine versus machine. Our future defenses will be more centralized,
coordinated, and automated. The hackers will have to do the same thing to
stay ahead. If they don’t automate as much as or more than the defensive
services do, they won’t be able to do as much badness.

Hackers and malware will turn to automation and AI just as much as the
defenders. When the defenders block the malicious thing that was being
successful a few minutes ago, the malicious automated service will have to
quickly respond. Whoever’s AI is better will ultimately win.

Humans will never be completely out of the equation

Since the beginning of computers, human-based compromises such as social
engineering and phishing have been among the top computer threats. It has
proven very difficult for any software or hardware solution to stop humans
from making bad security decisions. If it were easy, we would have defeated
these types of threats decades ago. Instead, we will continue to rely on
end-user education to varying extents, possibly forever.

Will Skynet become self-aware?

Unlike Elon Musk (what does he know?), I don’t worry about artificial
intelligence (AI) and automation being a huge threat to humanity. Sure, as
we become more centralized about security and configurations, a single
mistake can take out more computers than ever before. We’ve already seen
similar instances where a large antimalware scanner mistakenly removes a
critical operating system file. We occasionally have these misfires, they
cause a temporary interruption, and we learn and move on. Over the longer
time horizon, occasional mistakes are worth it for the protection we gain
in return.

It’s important to realize that greater, more centralized computer security
solutions are likely to be part of your future computer security career and
decisions. Just like email and your applications moved to the cloud, so,
too, will your computer security.