EDITOR'S QUESTION
SAM CURRY, CHIEF SECURITY OFFICER AT CYBEREASON
Vulnerabilities in hardware or software become more expensive to correct the later they are found. Further, they are much riskier once they get into production and out in the world at scale than when caught in a development cycle or on the drawing board. Vulnerabilities come from many sources, from the avoidable errors in design or coding by engineers to the much harder to predict configuration flaws and complex vulnerabilities of the IT structures we put out into the world. Early strategies, as with most things, are human based: training people to code better or assigning people to look for problems. But, as with most processes, we then begin to automate their detection, seeking to find them earlier and more completely. Ultimately, the best way to find vulnerabilities in software or hardware will be to use incredibly advanced, adaptive machine intelligence. However, there is still enormous value in human involvement in the processes of vulnerability discovery, triage and remediation, rather than leaving this to the machines to fix.
The first critical concept to understand is chaos systems, of which there are two types. First-order chaos systems are ones that behave the same regardless of what victims do. The weather is a good example: hurricanes don't change their behaviour based on how humans take shelter. Second-order chaos systems actually adapt and respond to human behaviour. Crime in a city is a good example of this, with where and how crime occurs changing based on police presence and coverage. Unlike every other service level risk in IT, security is a second-order chaos system. This means that raw automation or machine-like execution is predictable to attackers, who will naturally seek to find vulnerabilities in the places the automation doesn't cover. In a world of tit-for-tat, the vulnerability discovery and remediation team will always be playing catch up as it updates the machine discovery and automation processes.
Machines are good at repeatability and automation at scale, while humans are very bad at that sort of activity. Humans are the opposite: highly intuitive, adaptive and creative, but prone to error when the work is boring and repetitive. While the ultimate AI-driven machine intelligence may lie in the far future, augmenting humans with machines is achievable today. The most pragmatic and effective system would see humans watching, responding to and predicting configuration and vulnerability exposures, and then rapidly equipping a machine-driven, repeatable, scalable process to handle them. Further, progressively more intelligent Machine Learning can offer clues and reduce the workload on humans, freeing them for more rewarding and more valuable work.