DZone Research: The Future of Security
In this final installment of DZone security research, we dive into automation and its support by Artificial Intelligence (AI) and Machine Learning (ML).
To gather insights on the current and future state of security, we talked to 47 executives from 43 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, response to this topic was unlike any we have seen for previous security research guides.
We asked them, "What’s the future for security from your point of view - where do the greatest opportunities lie?" Here's what they told us:
- Ability to quickly respond to incidents. Ability to automate the response. Predict what needs to be responded to.
- The greatest opportunities lie around automation and platform approaches. We’re starting to see the market realize this as well, as customers are asking for automation platforms to replace their cobbled together point solutions. Today, many of the security and compliance tasks are manual or driven by third parties. They take too much time and drive little value back into the business. Automation — removing much of the repeated tasks and using a platform to complete this task — will change this struggle.
- Automation and SecOps pose a huge opportunity. DevOps has been well handled. Moving to a SecOps.
- While we see opportunities coming from better cohesion between discrete security tools, increased quantitative data related to compliance, adoption of security controls during development, and the business owner focus on security with the appropriate prioritization in the product backlog, security's future lies in its automation. The amount of data will continue to grow exponentially, and algorithms will just need to get smarter and smarter to help humans make sense of everything. Moreover, while one organization can already sweep quite a bit of data, the collaboration between entities will become necessary in order to be able to map more interesting patterns, which would normally be out of reach.
- The future of security is as autonomous as possible — where a combination of real-time, intelligent analytics, and integrated automation and remediation cover an ever-increasing part of manual investigative and response runbooks. The only feasible solution to the increase in threat sophistication and the higher rate of change in development is that security teams are able to move at the speed of business. That requires that we enlist the help of machines to augment the efforts of our overworked security staff. The bad guys have already done it, and now it’s the industry’s turn to make a step-function improvement in our detect-and-response capabilities.
- DevSecOps will become the norm (I hope). Thanks to DevOps practices, enterprise IT is faster and more agile. Automation in the form of automated builds, tests, and releases plays a significant role in achieving those benefits and creates the foundation for Continuous Integration/Continuous Deployment (CI/CD) pipelines. Teams can integrate security into the DevOps pipeline by making sure that released code is safe from the very start. The concept of integrating security as a first-class citizen into a DevOps process is known as DevSecOps and is considered a best practice for security-sensitive businesses.
- Automation is an absolute necessity in high-velocity IT and cloud-centric environments. Applications need to have security instrumentation in runtime to enable accurate vulnerability detection and auto-remediation. IAST/RASP techniques are a growing segment in this area. Machine learning/Artificial intelligence (AI): Alert fatigue is a common problem in SIEM and other SOC tools. More contextual alerts are needed, and machine learning/AI can help us in this area.
- Ideally, companies should ensure that all their products and services are “secure by design” with automated security features and practices whenever possible. Most companies are far away from achieving that, but I think that idea is starting to take hold a bit more. You see leading companies, like Google and Apple, realizing that they have a responsibility to make their platforms secure by design. Even though that idea has been around for a long time, it was often just marketing speak. I think you’re only now seeing companies really, truly incorporate that thinking into their product development process.
- Automation, AI/ML, and the concept of shifting to identity are a huge component of security today. Shift in organizations should be seen as a look at prevention, ID, and access threat prevention.
- Seeing a crossover for fraud prevention, AI/ML graph DB help to get smarter to identify cyber threats and cyber attacks.
- The key is to identify how we can adapt to changing scenarios using AI/ML. We need to understand AI/ML, so we can optimize and implement well. We have to understand how an adversary might use ML against us. The security industry likes to sell an easy button. In reality, organizations have to invest in people who understand InfoSec and their networks. The mindset of traditional organizations is that IT people are widgets. This means losing a lot of talent versus pressing an easy button and hoping it’s secure.
- The future belongs to intelligent machines that will augment some of the security functions and will work alongside humans. Skill shortage of security professionals on both sides — AppSec and CyberSec — and their relatively high cost will drive an adoption of intelligent automation powered by AI systems and Quantum computing.
- It’s a psychology thing. It’s an arms race. The mathematical aspect of cryptography — more algorithms and computer power will defeat cryptography. Clean house, clean home understands dependencies and monitors vulnerabilities in production. Remediating quickly becomes table stakes. The ability to scan the world for people running vulnerable things is here. As an industry, we’ll start treating security as a feature.
- Our biggest potential is using ML and anomaly detection. Moving from algorithms and pattern matching to ML, we need to learn how to use and make sense of what’s going on.
- There’s greater opportunity to see the bigger picture and visualize the entire kill chain of an attack. Modern security tools will need to be able to correlate security events from multiple vectors.
- The greatest opportunity starts with a firm conviction that we can make our applications secure. Thereafter, the opportunities for improvement are numerous: artificial intelligence, formal methods, economic theory, and many higher level paradigms that will necessarily bring more rigor and clarity.
- Security is a large part of the emerging technological world, with each new advancement adopting security practices. With AI, for example, security activities will become machine handled and controlled. Very few will remain controlled by a human. Though, hopefully, regulation will combine AI and the human eye to prevent disasters we can’t even imagine. The opportunities lie in the legislation and standards area, including those who will define those will have a global impact.
- We see the future of security prioritizing AI/ML. We are seeing security vendors attempt to tie ML and AI into their solutions in a multitude of ways, but the number of enterprises implementing these tools is still relatively small. A recent presentation from OpenText noted that 12 percent of enterprises have already adopted AI-based security analytics, which shows a legitimate move toward AI adoption, but it also says it’s still a little early. There is a lot of big talk and thinking taking place — as this is clearly where the industry is heading — but the reality is that people are just starting to dip their toes into the AI waters, and we expect great growth and opportunity here over the next few years.
- We’re part of a trend of end-to-end encryption like WhatsApp and Wickr. The paradigm shifts to keep things in a server but don’t trust and protect so much.
- Security tools have to address the weakest link, which is the user (humans), and the culture inside companies has to embrace security as everyone’s problem not just IT or the security team.
- Crowd-sourcing is a useful potential. Be a fan of threat modeling. What are the risks to security innovation? Think of Uber where you have a trusted broker willing to take on the responsibility — a matchmaker for on-demand penetration testing and match up from a pool that is available. Potential to be very disruptive. Pen testing can make more money and get more varied and interesting work.
- There is so much opportunity because of a big problem. If starting from scratch, start at the IoT market because there’s a lot of opportunities. There is no "go to" brand. Every household has an average of 20 devices. There is no beautiful, simple product that can protect all of them. The company that figures it out has a tremendous revenue opportunity. Tanium for your house.
- 1) In regards to user education, you can’t have enough. This is the weakest link all of the time. Process development. 2) If email is not authenticated properly, we’re not going to deliver it. Not there yet, but ISPs are rate limiting mail, applying some friction. IPv6 340 (30 zeros) IP addresses no block list will be able to handle.
- What are the economics and how do companies evolve? Getting to a secure mindset. A secure way of developing software. One way of getting there is tying it up with robustness – does the thing work if the power goes off. What happens to a smart city device if a truck hits the pole the device is on? Think through the robustness and piggyback security on it.
- We may have to encounter another bad hacking episode. Until something big happens, people don’t tend to change. Universities start teaching college students about security. Make IT security a mandatory class for all students, because they’re going to be using technology in their career.
- Reducing your surface layer is a big one. The 20 percent has to be protected. Enterprises have to step up their game. The movement to the cloud exacerbates will force teams to build confidence and learn how to handle sharp tools.
- The opportunity lies in helping our clients release the value of what they already have free from the fears of security that block simple decisions. This is very high value to our clients, at a very low cost, and is quick and easy to do.
- Security by design and default — if a system fails, it fails into a safe state. This is the greatest single area where we can make progress. Companies need to design security in from the start. It may take longer to produce, but it will be secure from the start to prevent data breaches versus remediating them.
- All organizations take security seriously. Integrate security at the inception of the SDLC and follow a DevSecOps methodology. We need more adoption because more organizations see the value and are able to bring development teams on board more quickly.
- Ransomware protection is big. In the Verizon data breach, 75 percent are financially motivated, and ransomware is a big part of this. Physical attacks are big. We need to think about security from day one with IoT.
- Improvements — this goes for hackers as well. Manpower is going to be much stronger. Like DevOps, it is more common today, and we’ll see many more security experts. See right technologies as well like cloud and containers. More skilled people with the right technology. We will see more adoption of open source tools in security — GRR, osquery, YARA — same as with DevOps. Sharing information with one another, see frameworks like MISP and VirusBay to share more information. More community tools.
- Standards building world-class password storage. Encryption. Authenticate and authorization. The password is a significant piece that needs to have standards built around it.
- Education and making sure customers and businesses of all sizes are aware of the risks they are taking on with an online presence. Proactive risk scoring system. Use a variety of factors behind that as an educational tool. How likely are you to face a breach? There are lots of affordable options. Be more proactive so customers can make smarter decisions.
- Think of security as if everything can be hacked. Send data to who you want but make sure you are sending it to who you think you are and that it’s encrypted. Protect the data whether it’s displayed via a raw API, mobile, or web page.
- Audited, trained, secured, cannot see customer data. Use well-known external vendors to evaluate. My fear in all of this is: how do we know a device is the device it says it is? Manufacturers guarantee the device is what you say it is – cameras and IoT devices accepted by Fortune 500 companies. How do the engineers or the vendor or the end customer know when they have been compromised? We would like to understand what tools or procedures are standard in the industry.
- Digital transformation has ushered a host of new technological areas, from mobile and the cloud to blockchain. This makes it much more challenging for organizations to protect the entire attack surface area of each individual user and their respective data. Large security vendors also lack the ability to secure this in a high fidelity manner, presenting an opportunity for smaller players and MSSPs to meet these needs. The necessity to protect an organization’s crown jewels is always going to be critical, from email and document servers through to systems that hold medical and payment data. These sensitive assets will always remain prime targets for attackers wherever they are stored within the network and so protecting them remains crucial, feeding the opportunity for security providers.
- 1) To be able to move left, you need to be able to move right. From our vantage point, you have to be able to move to production to see the real vulnerabilities and you can drive change on the left. Create the business case to drive action. 2) Over the last three years, people have talked about DevSecOps. My take is Sec should be silent. Security is seen as part of regular DevOps take care of functional defects as part of the process.
- It is more diverse than what the enterprise would like — more complicated, not simpler. You need a middle-level platform that harmonizes access. GDPR is forcing people to understand lineage. You need to understand the touchpoint or remove them.
- As we continue to see more issues that take place, like security incidents, there has to be an acknowledgment that security must be front and center, and you cannot rely on one thing. Layered defense models must keep up with performance needs. No hacks are different — poor programming creates application exploits, as does poor protocol and the introduction of devices and endpoints without security built in.
- The greatest opportunities in security lie in making it a standard part of every department across an entire organization. If security becomes less siloed, there is more opportunity to stop breaches before they occur. For example, CMOs need to understand how a breach impacts brand reputation, and CFOs need to understand the full financial implications of a breach.
- The biggest opportunity here may not be technical, but cultural, and — to a degree — based on resource constraints. Every enterprise is striving to move faster and become more efficient in their development processes. We’ve made great progress with concepts, like DevOps, that accelerate the deployment of applications by involving IT earlier in the cycle. Similarly, by involving security earlier in the process, organizations save time and reduce expensive fixes and testing required to meet compliance requirements and reduce risk. From a resource perspective, the reality is that there are far more developers than there are trained applications security professionals. Processes and tools that automate the security aspects of the CI/CD pipeline can enlist the larger base of developers to secure the application throughout its lifecycle.
Here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curphey, CA SourceClear
- Stuart Scott, AWS Trainer /Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Management, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R&D, Illusive
- Roy Halevi, CTO and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, Whitehat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa
Opinions expressed by DZone contributors are their own.