UPDATED 17:05 EDT / FEBRUARY 08 2019

NEWS

Software trains away the human slips implied in 95% of security breaches

Cybersecurity is in a pretty scary state. The news is a steady cycle of menacing headlines: Look at this fresh hell hackers are visiting on enterprises.

The Hail Mary of security teams is artificial intelligence and automation. Enterprises hope AI will patch the skills gap expected to leave 1.8 million jobs unfilled by 2020. The problem is, hackers are getting good at AI too — really good.

What about people in organizations — both security pros and non-pros? What percentage of their brains are they devoting to security? Perhaps they can crank out a little extra defense power to catch and remediate threats.

People in security often repeat the truism that the human will always be the weakest link. Mistakes and slips will happen, again and again. There isn’t any way to change the occasional carelessness that comes with being mortal, they say.

“I personally never believed that,” said Masha Sedova (pictured), co-founder and chief executive officer of Elevate Security Inc.

The number of breaches that humans fumble, trip or slip into is too high not to warrant inspection. “Something like 95 percent have a human error related to it,” she said.

Must we bow our heads and live with the disgrace? Or can people learn consistent security posture and procedures that cut down on slips and overall breaches?

Sedova spoke with Lisa Martin, host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the CloudNOW “Top Women in Cloud” Innovation Awards event in Menlo Park, California. They discussed how learnable behaviors can improve security and why tech alone won’t never be enough.

Attitude adjustment

People can indeed reduce the number of dangerous slips they make, according to Sedova. To do so, they need to change their attitude toward security.

“What would it look like if people wanted to do security instead of had to? What would it look like if people were champions for security not because we made them do it, but because each of us were invested in it?” Sedova asked.

Then security is not an add-on that those people in the security room worry about. It is something security pros and everyone else know about. And they can skillfully prevent and handle threats through good security behavior day in, day out, Sedova pointed out.

Treating human behavior as a tunable anti-threat device is the basis of Elevate, which Sedova co-founded a couple of years ago. “I took a step back from my computer-science and computer-security background and dove into the field of behavioral science, positive psychology, and game design and started exploring how people think and how we make decisions to see if I can start applying that to security.” 

AI and automation — final solution or temporary fad?

Security folks that believe human error is ineradicable usually see improved technology as the best defense. The threat landscape is constantly shifting; the way to respond is with innovative technologies that fight new attack types.

The security tech du jour is automation and AI. Twenty-five percent of 4,000 security and IT professionals surveyed use AI and machine learning for security, according to a Ponemon Institute research report from last September. Another 26 percent had plans to implement it, and 63 percent felt it would increase effectiveness of security teams.

In parallel, new types of threats often involve hackers using AI and machine learning to breach targets.

“The more we use AI in security, the more the bad guys will use it as well to create an arms war,” said Michael Fauscette, chief research officer at G2 Crowd Inc., as quoted by SiliconANGLE, which aggregates reviews of business software. “The only thing you can do is keep current, do everything you can possibly do, and then do more.”

Vendors are selling automation to enterprises as invisible hands to detect, and even remediate, threats for them. Early detection and automated blocking can handle a vast number of threats, Terry Ramos, vice president of business development at Palo Alto Networks Inc., recently told theCUBE.

“A simple piece of malware? They shouldn’t be having to look at that. That should be automatically stopped,” he said.

Splunk Inc. is investing heavily in new security automation technology to meet growing trend. By the year 2020, “We envision that 90 percent of the tier-one work that an SOC analyst would be doing will be automated,” Haiyan Song, senior vice president of security markets at Splunk, told theCUBE.

Human resources

Sedova isn’t convinced that technology alone is the answer to hackers’ growing cyberattack arsenals. Attacks involve more than technology; they involve humans. Leaving human defenders out of the loop would be a big mistake, she pointed out.

“[A cyberattack] is a human being attacking another human being with a bunch of technology in the middle, and if we keep solving it with just technology, we’re going to keep ending up making the same mistakes we’ve been making for decades,” Sedova stated.

The Elevate platform aims to ratchet up security IQ and good behavior across organizations. Its Hacker’s Mind virtual experience is a group-based, gamified training tool. Users learn to think like a hacker and spot and exploit vulnerabilities. They consequently become better at preventing and fixing vulnerabilities before real-life hackers find them.

Users report 40-percent fewer user-generated incidents; a 50-percent reduction in successful phishing attacks; and an 82-percent increase in employee reporting.

Its recently announced Snapshot is a dashboard that measures individuals’ progress with visibility and insights. It rewards them for improvement and points out areas in need of improvement. Tools like thinking about security as not just technology, but a way of working and behaving, according to Sedova.

“If we look at the human element — why we make mistakes and how we let ourselves learn from them and make … better choices — we can actually move the needle in a really significant way,” she concluded

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the CloudNOW “Top Women in Cloud” Innovation Awards event:

Photo: SiliconANGLE

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.