UPDATED 12:33 EDT / SEPTEMBER 27 2017

INFRA

The hackers are winning, and automation may be the only way to beat them

Hackers are now designing attacks that move at machine speed, yet security defenses are only as good as the humans who monitor them to repel breaches. Care to wager on who’s going to come out ahead?

The cybersecurity arms race has reached a new level, one where companies and even governments are realizing that the old model of watching for intrusions and chasing down threat actors after they’ve broken through firewall defenses simply doesn’t work anymore. That’s why experts in the security world, many of whom gathered at the Structure Security conference in South San Francisco on Tuesday, are beginning to embrace automation tools such as machine learning. They view automation as the only way to regain control of a threat environment that is rapidly spiraling out of control, as evidenced by the recent massive Equifax data breach.

“The model in the security industry is about finding threats, which puts us in a mode of chasing bad,” said Tom Corn (pictured, below), senior vice president of security products at VMware Inc. “What we need is an automated model that is based on ensuring good.”

What that automated model will look like is still a work in progress, although the signs are becoming clearer that major industry players are working hard to develop machine learning capabilities. Some of this work is being driven by companies in the mobile device ecosystem, where products such as smartphones gather vast amounts of data that become useful training material for models, and some of it is increasingly coming from enterprise cloud vendors.

Machine learning for Android

“We have a lot of data,” said Adrian Ludwig, director of Android Security at Google LLC, who said the company had been actively investing in automation technology. He revealed that 55 percent of new malware detections on the platform are now being made through machine learning tools. “We’re starting to see some return on that investment,” Ludwig said.

One of the clear messages from security experts was that new automation technologies developed for the enterprise cloud computing ecosystem could provide a more secure framework. Cloud security has issues of its own, as demonstrated by the Verizon breach reported in July, but a number of experts said new platform tools could provide improved protection. “The nature of cloud-native technologies allows for a new approach to security,” said John Morello, chief technology officer for security firm Twistlock Ltd.

One example offered by Morello focused on an application deployed in a Docker Inc. container, a packaging format that lets an application run the same way across many computing environments. Machine learning can be applied to observe what each container “image” does over its lifecycle, effectively building a whitelist of which behaviors are expected and which are not. “We know exactly what is good and anything not on that list is anomalous,” said Morello, who pointed out that machine learning can be scaled across the entire cloud computing stack.
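The approach Morello describes, as an added example that is not part of the original article or Twistlock’s own code: profile what each image does during a trusted observation window, record those behaviors as a per-image allowlist, and flag any later event that falls outside it. The event format (image, kind, value), the image tags and every event line below are constructed for this illustration.

```python
"""Behavioral allowlist for container workloads (added example).

Build a per-image baseline of observed behaviors from a known-good window,
then report runtime events that are not on that list. The event tuples,
image names and addresses are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Each event is (image, kind, value); kinds are process, listen, outbound, file_write.
Event = Tuple[str, str, str]
Baseline = Dict[str, Dict[str, Set[str]]]

# Constructed: known-good observation window for two images.
BASELINE_EVENTS: List[Event] = [
    ("web:1.4", "process", "/usr/sbin/nginx"),
    ("web:1.4", "listen", "tcp/80"),
    ("web:1.4", "outbound", "api:8080"),
    ("web:1.4", "file_write", "/var/log/nginx/access.log"),
    ("api:2.0", "process", "/usr/bin/python3"),
    ("api:2.0", "listen", "tcp/8080"),
    ("api:2.0", "outbound", "db:5432"),
]

# Constructed: later production window containing three deviations.
RUNTIME_EVENTS: List[Event] = [
    ("web:1.4", "process", "/usr/sbin/nginx"),
    ("web:1.4", "outbound", "api:8080"),
    ("web:1.4", "process", "/bin/sh"),                  # shell spawn, not in baseline
    ("web:1.4", "outbound", "203.0.113.7:4444"),        # unexpected destination
    ("api:2.0", "process", "/usr/bin/python3"),
    ("api:2.0", "outbound", "db:5432"),
    ("cache:3.1", "process", "/usr/bin/redis-server"),  # image that was never profiled
]


def build_baseline(events: List[Event]) -> Baseline:
    """Collect every observed value per image and per behavior kind."""
    baseline: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for image, kind, value in events:
        baseline[image][kind].add(value)
    return {image: dict(kinds) for image, kinds in baseline.items()}


def detect_anomalies(baseline: Baseline, events: List[Event]) -> List[Tuple[str, str, str, str]]:
    """Return (image, kind, value, reason) for each event outside the allowlist.

    An image with no profile at all is reported too: an unprofiled workload
    cannot be called "good", so it is anomalous by this model's definition.
    """
    findings = []
    for image, kind, value in events:
        profile = baseline.get(image)
        if profile is None:
            findings.append((image, kind, value, "image has no baseline profile"))
        elif value not in profile.get(kind, set()):
            findings.append((image, kind, value, f"{kind} not in allowlist"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(BASELINE_EVENTS), RUNTIME_EVENTS):
        print("ANOMALY", finding)
```

Two caveats a practitioner would add: the baseline is only as trustworthy as the window it was learned from, so anything already running during that window (including an implant) is silently allowlisted, and the profile is keyed by image tag, so a rebuilt image must be re-profiled rather than inheriting the old allowlist.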

New cloud tools leverage automation

One indicator of interest in the cloud security model can be seen in the spate of new automation tools released just in the last few weeks by companies such as Splunk Inc., Hewlett Packard Enterprise Co.-owned Aruba and VMware. On Tuesday, Splunk announced improvements to its data analytics product line which included new machine learning capabilities that speed up the alert system and help identify potential performance problems.

Meanwhile, Aruba announced on Monday the 360 Secure Fabric, a new tool that employs machine learning to spot attacks which may have evaded company security defenses. And last month, VMware introduced AppDefense, an automated incident response tool designed to protect applications running in virtualized and cloud environments.

Tom Corn, senior vice president of security products at VMware (left)


The release of multiple new products from the enterprise computing world over the past two months offers the possibility that the balance of power in advanced security innovation may be shifting, for the time being, to infrastructure and cloud vendors. “We’re starting to get to SOC [security operations center] and security architects at companies,” VMware’s Corn said. “We can start to leverage cloud and the virtual fabric as an overlay for security.”

Automation tools are also helping company security organizations tell a better story when they are called upon to describe actions to the chief executive officer or the board of directors. At companies such as Netflix Inc., metrics are used to define performance and security executives rely on automated tools to give them precise performance-related data.

These metrics include benchmarks such as success or failure by external “red teams” hired by the company to deliberately attempt attacks, or “dwell time,” an indicator of how long an attacker was in the Netflix system. The company’s security executives believe that they must innovate to stay protected. “The attackers are never using the same tools,” said Jimmy Sanders, head of information security at Netflix DVD.

A common refrain among cybersecurity experts is that the security industry had better embrace automation because it’s just a matter of time before hackers begin gravitating toward machine learning as well. Darktrace, a security firm that uses machine learning for cyberdefense, has been carefully monitoring advances by threat actors. “We haven’t seen much artificial intelligence or machine learning used by the attackers,” said Darktrace CEO Nicole Eagan, although she did cite evidence of recent activity in India where attackers planted malware that was designed just to observe network activity and store the data using automated tools.

But the combination of dedicated hackers and their potential to magnify their efforts with machine learning and other automated tools means companies will need to follow suit. Bob Lord, the former chief information security officer at Yahoo Inc., described his first major meeting at the now Verizon-owned company, where he presented a slide that said simply, “We are up against dedicated human adversaries who organize their work in campaigns.” Less than 10 months later, his point was validated when Yahoo disclosed a breach, dating from before Lord arrived, that affected 500 million user accounts.

The security community is clearly counting on automation to help combat those adversaries, but whether its efforts will be successful is far from certain.

Photo: geralt/Pixabay; SiliconANGLE (inset)
