Will data science, machine learning and AI ‘save’ IT security?
In a few short months, thousands of information security professionals will descend upon San Francisco, California for the RSA Conference 2018. The conference is the security industry’s largest and has been since it began in 1991. It is the conference; the one that all vendors – early-stage startups, mature startups, and well-established companies – want to have a presence at.
As we race toward RSA and conference season in general, those of us paying attention to industry trends will be bracing for the onslaught of sales pitches that begins in the weeks before the conference and continues early and often during it. The pitch that seems to interest the general population of attendees – myself included – more than all of the others concerns the nexus of data science, machine learning, and artificial intelligence.
Data science, along with technologies such as machine learning and artificial intelligence, has found its way into countless security products, solutions, and services of late. While I count myself a big fan of data science in its various forms of implementation, I can’t help but be skeptical that these technological advances amount to a messianic promise to “save us.”
The Devil’s in The Data…And the Salvation Is In the Tooling…. Or Is It?
Data can be defined as any and all facts and statistics collected together for reference or analysis. There are many sources of data and data sets that we should be cognizant of in order to better understand our environments, our networks, our assets, and our personnel, and some of them are more interesting to information and cybersecurity professionals than others.
Understanding this is key to forming an awareness and appreciation of the various disciplines and technologies that comprise the data sciences. For those of us who spend our time laboring over investigations while researching threats, threat actors, and campaigns, identifying data sources, collecting them, and applying them wisely is key to prevention, to reducing threat actor dwell time, and to threat mitigation in general. And as valuable as high-quality, diverse, rich data is, there are only a few good ways to work with it in its raw form, hence the need for automated, data science-driven solutions.
Everybody’s Talking and No One Says A Word
With all of this in mind, what can we expect to hear at a conference like RSA when it comes to these topics? I imagine we’ll hear a bit about the merits and advantages of these complex technological disciplines and concepts as they pertain to enterprise, mobile, and cloud security concerns.
We’ll likely hear promises with respect to the efficacy of these innovations in detecting and identifying threats using “math” (the statistics and linear algebra that data science is built on). We’ll hear assertions that these advances will make better decisions in far less time than a human might, which supposedly translates to a “safer” environment (this is questionable, and we’ll address it later in this piece). We’ll also hear some pitches that cross into the realm of the fantastic, made by people who really cannot speak with authority on such complex capabilities. There’s also a good chance we’ll hear nothing useful at all amid the cacophony of mixed messages in the weeks leading up to the conference.
When it comes down to it, the questions that will matter most to customers will revolve around money and safety. Will these technologies help us avoid a breach? Will they help us be more effective? Will our investment be worth it? Will it save us?
Can Data Science, Machine Learning and Artificial Intelligence Save Us from Ourselves?
No. I don’t believe that data science, machine learning or artificial intelligence will save us from ourselves.
In my mind, these are tools and platforms that can – provided we’re intelligent in maintaining them – help us, but save us? No. No, they will not save us. They are not the cavalry coming in at the last possible moment to save the day. There are no silver bullets. There have never been and there never will be.
What’s going to save us from ourselves and from our adversaries is a return to the core principles of IT and security hygiene: patching, asset management, and the proper application of encryption. What’s going to save us is “living off the land” in the defender’s sense (not the attacker technique of the same name): identifying and taking advantage of the data sources that already exist within our enterprise environments. It’s only once we’ve identified all of our data that we can develop the clearest, richest picture of our environment’s risk posture.
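As an added illustration of the point above (this is example code written for this page, not anything from the original post), the following script runs the two hygiene checks just named, asset management and patching, over data an organization already holds: an asset inventory and ordinary sshd authentication logs. All hostnames, users, addresses, dates and log lines are constructed for the example, and the thresholds and rules (30-day patch age, flagging password and root logons) are assumptions chosen to make the point, not a recommendation from the post.

```python
"""Hygiene checks over data an enterprise already has.

All inventory rows, log lines and thresholds below are constructed for
this example; they are not real systems or real findings.
"""
import re
from datetime import date, datetime

# Constructed asset inventory: hostname, owning team, last patch date.
INVENTORY = [
    {"host": "fs01", "owner": "it-ops", "last_patched": "2018-01-05"},
    {"host": "web02", "owner": "web-team", "last_patched": "2017-09-12"},
    {"host": "hr-laptop7", "owner": "hr", "last_patched": "2018-01-20"},
]

# Constructed sshd log lines in a syslog-like shape (timestamp, host, message).
AUTH_LOG = """\
2018-02-01T08:02:11Z fs01 sshd: Accepted publickey for alice from 10.1.4.20
2018-02-01T08:05:43Z web02 sshd: Accepted password for root from 203.0.113.9
2018-02-01T09:17:02Z build-tmp sshd: Accepted password for jenkins from 10.1.9.3
2018-02-01T10:00:00Z hr-laptop7 sshd: Failed password for bob from 10.1.4.21
"""

# The "as of" date used for patch-age arithmetic (assumed for the example).
AS_OF = date(2018, 2, 1)
MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold

LINE_RE = re.compile(
    r"^(\S+) (\S+) sshd: (Accepted|Failed) (\w+) for (\S+) from (\S+)$"
)


def parse_auth_log(text):
    """Turn raw sshd lines into dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, result, method, user, src = m.groups()
        events.append({"ts": ts, "host": host, "result": result,
                       "method": method, "user": user, "src": src})
    return events


def stale_assets(inventory, as_of=AS_OF, max_age_days=MAX_PATCH_AGE_DAYS):
    """Hosts whose last patch is older than the threshold: (host, age_days)."""
    out = []
    for asset in inventory:
        patched = datetime.strptime(asset["last_patched"], "%Y-%m-%d").date()
        age = (as_of - patched).days
        if age > max_age_days:
            out.append((asset["host"], age))
    return out


def unknown_hosts(events, inventory):
    """Hosts that appear in the logs but are missing from the inventory."""
    known = {asset["host"] for asset in inventory}
    return sorted({e["host"] for e in events if e["host"] not in known})


def risky_logons(events, inventory, as_of=AS_OF, max_age_days=MAX_PATCH_AGE_DAYS):
    """Successful logons that a hygiene-minded reviewer would want to see.

    Returns (timestamp, host, user, [reasons]) for each flagged event.
    """
    stale = {h for h, _ in stale_assets(inventory, as_of, max_age_days)}
    unknown = set(unknown_hosts(events, inventory))
    findings = []
    for e in events:
        if e["result"] != "Accepted":
            continue  # failed attempts are a separate question
        reasons = []
        if e["user"] == "root":
            reasons.append("root logon")
        if e["method"] == "password":
            reasons.append("password auth")
        if e["host"] in stale:
            reasons.append("host unpatched > %d days" % max_age_days)
        if e["host"] in unknown:
            reasons.append("host not in inventory")
        if reasons:
            findings.append((e["ts"], e["host"], e["user"], reasons))
    return findings


def run_checks():
    """Run every check over the constructed data and return the results."""
    events = parse_auth_log(AUTH_LOG)
    return {
        "stale": stale_assets(INVENTORY),
        "unknown": unknown_hosts(parse_auth_log(AUTH_LOG), INVENTORY),
        "risky": risky_logons(events, INVENTORY),
    }


if __name__ == "__main__":
    for name, rows in run_checks().items():
        print(name)
        for row in rows:
            print("  ", row)
```

Nothing here is machine learning: it is a join between an inventory and a log, with a handful of rules. That is the point. The host that is missing from the inventory and the host that has not been patched in months are visible in data the organization already collects, and no model is needed to surface them.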
Furthermore, what will contribute to our salvation is our recognition and application of tradecraft driven by experience – experience that often exists only in the minds of human beings who’ve devoted a lifetime to their craft, as opposed to systems that have been “taught” to understand it.
What’s going to save us is the identification and recognition of our gaps, our shortcomings, and our willingness as businesses and organizations to address them as they relate to how we do business. What’s going to save us is identifying high-quality threat intelligence that will complement what we have in-house and aid us in making quicker, more informed decisions that will have a material impact.
But here’s the good news. If you and your organization have been putting the core principles of IT and security hygiene into practice regularly, and have stayed ahead of the threats to date, data science, machine learning, and artificial intelligence may help you further shore up and fine-tune your security programs. Remember, what’s going to save us isn’t the application of data science or the integration of machine learning or artificial intelligence into our ecosystems. What’s going to save us is ourselves.