Minimizing threats by augmenting human security teams
DUBAI, July 2, 2019
By Rabih Itani
Today’s security threats are evolving each day, with security teams having to monitor everything from the data centre to the edge, as well as the millions of connected devices which log in to their systems each year.
The workplace is currently in flux – we can work from mobile devices in any location we choose as well as working with many different applications. When things change, security teams have to readjust policies and controls. Is it fair to expect them to chase after us, all day, every day to keep us safe?
CIOs can no longer ignore the high-profile attacks that continue to threaten organisational reputations around the world. It’s no wonder that security is the top of the agenda in many boardrooms or that a new C, the CISO (Chief Information Security Officer), has joined the management team. Protecting the organisation is obviously a huge priority.
But how is this actually achievable, unless we are able to anticipate the small, but significant, changes that are happening on the network day to day?
If we are asking human security teams to constantly monitor the data being shared by incoming and existing devices, which can easily reach into the thousands for a large enterprise, then we are creating security systems that lack the ability to scale in line with the threats.
Because human teams can get tired and make mistakes (they are human), the most common approach is to make blanket rules and restrictions across the network to serve as a catch-all against new inbound threats. The problem here is that very quickly the user experience suffers, which in turn can affect productivity, and even morale.
This is where machine learning comes to the aid of human security teams.
Augmenting, not replacing
With any luck, that last sentence will not have made your eyes roll. We should be moving past concerns about AI replacing human roles, or being relied upon as a cost-saving measure. The point about machine learning, in the context of security, is that it gives us an always-on, 24/7 tool that allows us to spot the type of threats and exploits that it would be difficult, or even impossible, to detect with human eyes.
The way many companies run IT security today leaves definite room for improvement. Either you are running with such sensitive filters that they generate a mountain of false positives, meaning you can’t see the wood for the trees. Or filters are turned down to a manageable level, leaving big gaps in your defences. Both scenarios, of course, risk genuine threats sneaking through.
With machine learning, there is an ability to detect minute changes in data that would likely slip through traditional defences. Using machine learning for NTA (Network Traffic Analysis) and UEBA (User and Entity Behavioural Analytics), we are able to set historical and peer baselines for every single device connecting to the network, from the latest user mobile device to the air conditioning unit connected as part of a new IoT initiative. Everything is quickly recognised, profiled and connected, giving each connected entity its own unique risk profile and its current risk score.
As soon as a device behaves in a way that strays outside of its recognised profile or baseline, the network sees it and takes action. This action could be to raise the risk, re-route the data for deeper analysis to confirm if the anomaly is malicious, or immediately raise an alert, which compels human security teams into action. Assuming there is no wrongdoing, the user experience is not impacted, beyond perhaps being asked to confirm the activity was indeed them and all is OK.
If the anomaly itself is confirmed to be malicious based on discrete attack analytics, or if a full Kill Chain is confirmed, the NAC (Network Admission Control) systems can be triggered with a manual or even automated response to quarantine the device from the rest of the network, in order to limit any potential damage that might have occurred. All because the machine is analysing millions of individual packets of data and thousands of system logs, all the time. It’s a job that no human team can realistically do, or would want to do.
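The baseline-and-escalation mechanism described above (historical baseline, peer baseline, risk score, then raise/alert/quarantine), reduced to a small worked example. This is added illustration, not Aruba's code or the article's; device names, byte counts and thresholds are constructed.

```python
from statistics import mean, pstdev

# Constructed sample telemetry (hypothetical, not from the article):
# hourly outbound byte counts per device, and each device's peer group.
HISTORY = {
    "hvac-01":   [1200, 1100, 1300, 1250, 1180, 1220, 1270, 1150],
    "hvac-02":   [1190, 1210, 1280, 1230, 1170, 1260, 1240, 1200],
    "laptop-07": [50_000, 80_000, 120_000, 60_000, 95_000, 70_000, 110_000, 85_000],
    "laptop-08": [45_000, 90_000, 100_000, 75_000, 88_000, 65_000, 120_000, 70_000],
}
PEER_GROUPS = {"hvac-01": "iot-hvac", "hvac-02": "iot-hvac",
               "laptop-07": "user-laptop", "laptop-08": "user-laptop"}


def zscore(value, samples):
    """Standard deviations between `value` and the mean of `samples`.
    A flat history (sd == 0) is treated as sd == 1 so any drift still registers."""
    sd = pstdev(samples) or 1.0
    return (value - mean(samples)) / sd


def risk_score(device, observed):
    """0-100 risk score combining the device's own historical baseline with the
    baseline of its peers. Deviation from self is weighted more than from peers."""
    own = HISTORY[device]
    peers = [v for d, vals in HISTORY.items()
             if d != device and PEER_GROUPS[d] == PEER_GROUPS[device]
             for v in vals]
    self_z = abs(zscore(observed, own))
    peer_z = abs(zscore(observed, peers)) if peers else 0.0
    raw = 10 * self_z + 5 * peer_z          # constructed weights
    return round(min(100.0, raw), 1)


def decide(score, kill_chain_confirmed=False):
    """Map a score onto the escalation ladder: raise risk, alert, quarantine."""
    if kill_chain_confirmed or score >= 90:
        return "quarantine"     # NAC pulls the device off the network
    if score >= 60:
        return "alert"          # human analyst must inspect
    if score >= 30:
        return "raise_risk"     # reroute for deeper analysis, confirm with user
    return "allow"              # within baseline; user is not interrupted
```

A real UEBA engine would use many features per entity and learn the weights, but the ladder of actions is the same.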
With machine-led security continually learning, adjusting baselines and detecting new threat patterns, human teams are not usurped. They are enormously aided by being alerted only to the issues that they really need to inspect. This automatic monitoring offers security staff exceptional time savings, which actually means an improvement to their job role. Instead of fighting fires, security teams will be able to focus on building better IT experiences across their organisation, and saying yes to new innovations. Security teams may actually become a revenue driver for the business.
How security impacts the workplace
The tasks of human security workers may well change as the world of machine learning, building to full AI, begins to accelerate. But we should never fear change. Especially when the likely new roles carry even wider business relevance. The promise of machine learning is there, but it still needs highly skilled teams to build it into the core of the network, re-apply it to other business areas, and proactively monitor it for new insights.
We’re faced by intelligent threats, targeting valuable user data, across a network that has more end points (and entry points) than can be counted. Isn’t it about time we acknowledged that human security staff need all the help they can get?
About the author
Rabih Itani is regional business development manager - Security, Middle East and Turkey at Aruba, a Hewlett Packard Enterprise company, a leading provider of secure, intelligent networks.