Automating security? Robots can't replace humans in decision loop

While technology can be used for malicious purposes, such as hardware used for DDoS attacks, it's the human that crafts the malware, determines the victim, and orchestrates the crime.
Written by Jennifer Leggio, Contributor

Getty Images/iStockphoto

It's about a month after RSA Conference, where security vendors turned San Francisco's Moscone Center into an array of bright lights, competitions and gamification, and the schilling of giveaways, branded schwag, and printed sales collateral.

Every year it's easy to spot the security decision-makers on the expo hall floor enter into an almost zombie-like trance as they ingest so many same-sounding messages. Occasionally you'll see a sign of the human still there, indicated by the occasional eyebrow raise when a sales tactic or marketing message simply does not make sense.

"Why do so many vendors this year think they can sell me something that can... do my job for me?" was a question I received from a chief security officer friend during a happy hour.

My response? "Oh sweet, naive angel. Only one in four security marketers tell the truth; don't confuse the product with the marketing." (Consequently, 67 percent of all marketers make up statistics.)

The problem isn't limited to marketing, however, and it's not limited only to RSA or other demand generation-focused conferences. It's that companies trying to demonstrate a "vision" are going too far in trying to indicate that they can do that much better than competitors, almost to the point of making wild claims.

Because I like to mix metaphors, let's switch from zombies to infomercials. "It slices! It dices! It does your taxes! It picks up your brother from the airport!" is akin to "Automation! Machine Learning! Artificial Intelligence (AI)! can do everything security for you!"

No. There always has to be a human in the decision loop.

Automation and other advances such as machine learning and AI, have critical roles in security solutions. And, to some extent, automation of processes helps organizations reduce overhead.

Tiffany Rad, adjunct professor in the computer science department at the University of Southern Maine as well as a Founder and CEO of Anatrope, Inc., a big data company in the connected vehicle industry, says that automation is becoming a near-future reality for everything from fast food to driver-less vehicles. However, when there are too many variables or if the decision-making necessitates experience, automation may not be enough.

"There are some excellent software programs that automate security penetration testing," Rad said. "However, I have not known of a company to fully accept the results from an automated penetration test and not also request an experienced security engineer to manage the process and review the results for false positives and false negatives."

Security has almost reached an innovation apex where some reversion is required. For years vendors depended so much on the technological innovation of solutions for determining the existence of malware from endpoint to network and how to automate remediation, which is critical and continues to evolve. But with the automation and machine learning discussion now going a bit too far, there are discussions in the industry, in the same vein of, "Back the truck up, we still need people."

This week research and advisory firm Securosis introduced the second installment of its Threat Operations Series, focusing on "accelerating the human." The article, authored by analyst and firm president Mike Rothman, clearly states that with so much focus on automation and orchestration, some might think that "carbon-based entities (yes, people!) are on the way out for executing security programs." If anything, he writes, infrastructure will continue to get more complicated and adversaries will continue to improve, so humans are actually increasing in importance. I spoke directly with Rothman before reading this installment, and he made the point that there are things you can automate and a lot of things that you can't, but success isn't about making tasks go away, it's about making your people better.

"If they are less sophisticated, make them passable," he said. "If they are more sophisticated, automation merely gives them an accelerant. The goal is to make humans as effective as possible, because there simply are not enough of them."

Rothman went on to say that the challenge, especially with machine learning (It dices!), is this alarming idea that it's going to tell you what you don't know and then just do things, and he, like many security professionals, do not trust and are not comfortable with that notion.

"I am going to focus on the patterns that I know and actions that I know and let my humans do the rest," he said. "Anything that doesn't fit into a very contained box is going to get in front of a human; what I want to do is to make sure that the analyst has the information that they need in order to determine the most appropriate action."

The 15 top malware threats facing you and your organisation

To be crystal clear, automation does not replace humans, humans do not replace automation. We absolutely need both. In the words of a good friend of mine, "Security is an intellectual profession," which is true. I'd like to think that security marketing is also an intellectual profession, and while I couldn't live without my spreadsheet formulas and marketing automation dashboards, neither are going to decide the best strategy for my company.

"Automation and human talent augment each other," said Christie Terrill, partner at IT consulting firm Bishop Fox. "Far too many companies buy products to solve security problems that are hinged on business processes or attack chains of existing weaknesses the companies don't entirely understand to begin with. In those instances, you can't avoid the need for a human to understand the root problem and prioritize the output of a product in a business context."

Adversaries are largely human, and while they can wield technology with malicious intent to perform their trickery, such as hardware used for distributed denial of service (DDoS), it's the human that crafts the malware, determines the victim, and orchestrates the crime. Knowing this, security practitioners are not going to put their defense solely in the hands of automated security or intelligence, much in the same way one wouldn't put a clunky robot in a boxing ring with a welterweight.

At the end of my conversation with Rothman, I asked him what he says, or would say, to the vendors who are carrying these claims of automation, AI, or machine learning too far.

"They clearly don't know a lot about how security works," he said. "f they are selling customers a bill of goods that they can automate everything, they are doing themselves a disservice as well as a disservice to their customers.

"I couldn't be more clear than that."

VIDEO: Hackers can steal your data just from a PC's blinking LED lights

Editorial standards