Artificial Security and Why It's Important in an Innovative Society
There have been plenty of headlines over the last few years about computer security breaches. Recently the Equifax breach highlighted how everyone’s information is vulnerable and that vulnerability is beyond our control. There have been countless others before Equifax, and yet, best I can tell, the only true drivers of security standards are compliance regulations that are implemented by the very people who build the vulnerable systems to begin with. The implementation and maintenance of these regulatory standards is also very heavily weighted toward case-by-case human decision making.
There are a number of security compliance standards that have been forced on businesses over the last 15 years. Excuse the acronyms, but I personally have been part of an ISO, a SOC, a SARBOX, a FERPA, and several PCI certification processes. There’s also ITIL - lots of IT folks have ITIL certs and practice change management based on the framework. The financial industry has FINRA and healthcare has HIPAA. In the legal world, we are forced to endure endless security audits that flow through an audit cottage industry.
On the infrastructure side of things, there are firewalls, IDSs, IPSs, two-factor authentication systems, virus/malware/spam/phishing/spoofing controls, complex password requirements, NAC, locked down plans, secure messaging systems, patching management systems, vulnerability scanners, penetration tests, etc. It’s a long list and they all cost money and a lot of time to manage.
Despite all of those efforts, most organizations have low confidence in their security. If you ask a CIO or security officer - and they are honest - they will tell you they are likely vulnerable.
We have made all of these rules and regulations and spent a fortune on security and yet clearly our data is not secure.
As far as I can tell there are three major factors:
1. The Internet was designed to let people in, not keep people out. The same protocols that the Internet ran on 20+ years ago are still around. As an example: there are more secure versions of TCP/IP and DNS compared to what is widely in use - the modern versions are not in use because moving to them is a lot of work and expensive. The Internet’s governing bodies must force this - the private sector has shown it will not do so on its own.
2. Generally, computer security is designed the same way we design physical security - with a fence, doors, locks, alarms, etc. Every place I have worked has had firewalls but also unencrypted data. Data is the gold - but you cannot keep data in a vault - it has to be accessible. Encrypted transmission of unencrypted data is like moving gold in a Brinks truck only to ultimately store it under a mattress. Data needs to be encrypted at rest.
3. We are expecting humans to do what only technology can. Humans write code, choose passwords and patch systems. That means there are going to be mistakes - lots of them. Statistics show that 80% of all compromises are breaches of credentials - aka passwords. The majority of the remaining 20% are unpatched systems. This is human error en masse, and no regulation is going to fix that. What can fix it is developing technology to solve these problems for us: technology that makes security streamlined and less time-consuming - and thus starts to move the human element out of the equation.
There is Hope (and Progress)
The good news is that there is movement in the right direction. More SaaS products are offering encryption at rest with customer-controlled encryption keys. Also, I have recently implemented product offerings from two innovative new companies that are utilizing machine learning to move the needle.
Privva offers a machine learning approach to security audit response. The service drove down the amount of time it takes to respond to a 300-question audit by 90% in our first use of it. This is the type of work humans shouldn’t be doing - yet so many organizations spend countless hours typing answers to audit questions - the same questions over and over again. Security professionals aren’t spending time securing things if they have to fill out questionnaires all the time.
Edgewise Networks offers a new approach to network security. They term what they do “Trusted Application Networking”. Edgewise is applying machine learning to securing a network instead of having a human figure out how to craft a detailed (and dynamic) firewall policy. Humans managing firewall policies is akin to what we used to do in finance before the spreadsheet. Edgewise is the kind of solution you look at and wonder why everyone hasn’t been doing this all along.
I imagine we’ll see a lot more machine learning / AI in the security space in the next few years and hope it moves our data to a better place.
John Arsneault is the CIO at Goulston & Storrs, a law firm with offices in Boston, New York and Washington DC. He is also active in the tech startup space as a private equity investor.