The Future of Security Part One

To understand the current and future state of the cybersecurity landscape we spoke to and received written responses from 50 security professionals. We asked them, "What’s the future of cybersecurity from your perspective?" The most frequent responses focused on artificial intelligence, machine learning, and automation. You can read more about the future of security in Part two.

AI, ML, and Automation

• Some of the largest investments and resources for Enterprise security exist in the network and infrastructure. With the growth of public cloud, SaaS, and mobile, the shift in security will go toward identity, data, and applications. Looking further out into the future, security vendors have not yet reaped the benefits of machine learning and AI like other industries have. It will eventually happen in security but not in the next few years. 
• We are going to see more agent-based security embedded within our workload and implemented with the applications in microservices. There will be a distributed security position. Automation will help to handle changes. It will be absolutely critical to have higher intelligence to infer what challenges will come in future environments. We will need to deploy these in a very specific manner to get helpful insights.
• AI technologies hold a lot of promise for the future of cybersecurity in helping organizations become truly proactive in addressing advanced threats. While it’s nowhere near capable of replacing cybersecurity expertise at the moment, we’re making progress in terms of harnessing analytics driven by AI to process larger varieties, volumes, and velocities of data more efficiently in order to produce better insights for human operators.
• Get smarter with information. AI will be used across the board. We’re early in the game. AI will provide better contextual analysis to make better-informed decisions. A more focused approach to make security more effective.
• Increasing automation and AI is paramount for the future. The only way to combat highly automated cyber threats is to respond with intelligent software-based solutions; humans are too limited to deal with the complexities surrounding threat-detection.
• If you look at the growth of the internet from the 1970s and lay in the growth of cyber-attacks (essentially since 2010), it’s a scary graph. The attacks are increasing in frequency, scale, and effectiveness with success beyond data breaches and into debilitating ransomware.
  
  Globally, we are increasing our reliance on the Internet of Things (IoT); nearly 26,000,000,000 devices will be connected to the internet by 2020. The cybersecurity industry is going to need to leverage AI, machine learning, and deep learning more than ever in order to automate and augment the cyber workforce. Growing skills gaps and limited talent pools (estimated 3,500,000 million unfilled positions by 2021) are stretching current cyber teams beyond their limits, leaving company frontlines more vulnerable to threats.
  
  We will see the industry looking to AI/ML/DL to alleviate these challenges, but we must remember that new tools alone will not strengthen the company’s cybersecurity posture. We need to equally place a focus on upskilling the individuals and teams operating these new technologies in order to effectively use them to our greatest benefit. 
  
  The industry is already making strides in leveraging AI in cybersecurity products, many of which analyze user behavior and detect network anomalies. In the future, new products will leverage machine learning for log aggregation and enrichment, while the full scope of AI will provide intelligent advisors, feedback, and an AI adversary to practice against.  
• Cybersecurity in the next few years will be both exciting and challenging at the same time, stemming from a few different areas:
  
  1. AI: The proliferation of technologies, such as Artificial Intelligence, will drive some of that. We expect challenges in 2019 to come in the form of bots implementing supervised learning techniques to better mimic human behavior in attacks, such as credential stuffing. Hackers aren’t the only group that will cause companies AI headaches; security vendors will increasingly be part of the problem. I predict there will be more false claims by security providers that their product uses AI, forcing organizations to be diligent in the procurement process to separate fact from fiction.
  
  2.  IoT: The threat attack surface will continue to expand as the portals to configure and control the plethora of connected devices are exposed. Hackers will increasingly be less interested in the device itself and more in what can be obtained and/or accomplished by infiltrating the control portal. One industry that showcases this vulnerability is the automotive sector, as more cities allow self-driving cars, I predict there will be a major accident as a result of a hacker taking over the controls.
  
  3. Cloud: As more companies adopt cloud-based apps, security approaches will need to evolve to keep pace as companies can no longer rely on solutions built into the cloud environment. Flexibility is essential in this landscape, as many legacy solutions can’t provide visibility into hybrid environments. In addition to this need for adaptability, I predict the threat landscape will continue to struggle with DDoS attacks, which are expected to increase in both size and scope. That said, I do still believe passwords will remain the dominant threat vector in 2019. Although by 2025, I anticipate that passwords will be rendered obsolete and replaced by a new security standard

• The future of cybersecurity solutions will continue to have more automation (AI & MI) and more revenue-generating purposes. However, cybersecurity threats will never end. Hackers are only becoming smarter and they are using the same techniques as we (security vendors) are. They will always find a way to access private data and information, creating new vulnerabilities all the time. Attacks will continue to evovle; with this, the need to provide dynamic, agile security solutions will as well. 
• Expect to see higher-order work. Now you have bots versus bots, more with AI/ML, more complicated on both ends. Security vendors need to become more proficient at using AI/ML in the product to pull the signal from the noise as the noise gets louder.
• We will never stop chasing our adversaries. However, we can use automation to reduce the swivel chair pain point that sec pros have, and we can use tools with ML to combat attacks via good threat hunting and intelligence.
• Cybersecurity will increasingly rely on AI and ML. Combine the growing number of cybersecurity threats with the increased digitization of assets and processes vulnerable to those threats, and security is now mathematically impossible for humans to manage alone. There are simply too many attack vectors that must be continuously monitored and hundreds of thousands of vulnerabilities to sift through which must then be prioritized. Without the help of AI, these tasks are impossible, even for the largest security team comprised of the most skilled IT professionals. Take just the asset type of line of business (LOB) apps and just the attack vector of shared passwords.
  
  A Fortune 500 or 1000 size company will easily have 750+ apps and 1,500 users for each app. The risk multiplies to 1,000,000 or more potential shared passwords (e.g. a user having the same password for Facebook or LinkedIn as they do for Salesforce.com or Office 365). Imagine the full scale of an ‘attack surface’ when you do similar math for 100s of asset types (especially when you add in the growing number of IoT, BYO and other non-traditional, non-managed assets, as well as the assets of supply chain, reseller, and other business partners) and more than 100 attack vectors (e.g. phishing, unpatched software, passwords, etc.).
  
  Advanced security solutions that use AI to continuously monitor all assets over hundreds of attack vectors, and proactively predict what vulnerabilities are most likely to be exploited (and have the highest business impact), are now essential. However, humans are still very much needed. IT professionals must be ready to respond to the information that AI and ML tools produce, as well as provide the business context and guidance for the tools to learn what assets are more important than others. Also, with the majority of detection and remediation functions becoming more automated with AI and ML, humans will be able to focus more on the big-picture strategy of their company's security programs.
• For many years, CISOs have implemented process and technology to improve their organizations’ efficacy in identifying risk. Many have made a meaningful impact in reducing tactical risks such as vulnerabilities and code defects. Yet, the systemic risks associated with the underlying business, system, and security architecture remain.
  
  Many CIOs, CISOs, and CDOs are plagued with legacy technologies and applications that do not work well with one another. Security professionals are left manually gathering data from multiple systems, copying information from one system to another, and switching between far too many applications to complete a single task. To combat this, a new category of capabilities is becoming more popular in the cyber domain: robotics.
  
  Business users are employing Robotic Process Automation (RPA) to quickly and easily automate time-intensive processes. IT and cybersecurity groups are leveraging the ability of robotics platforms to orchestrate workflows and perform cognitive learning functions. As robotics is applied to various facets of an enterprise, a robotics program could both address cyber risks by securing robotics platforms and leveraging robotics to enable the execution of more effective and efficient cyber operations.
  
  While this is an important advancement, organizations must remember that RPA introduces a new attack surface that can be leveraged to disclose, steal, destroy, or modify sensitive data and high-value information. One of the most popular questions we hear today is, “What cyber risks should I be concerned about for my robotics capabilities?” We believe organizations must build trust in their robotics platforms to address many forms of risks including cyber.
• There will come a time when security teams have no choice but to rely on the community at large. Code is far too complex, and projects have become too massive to reliably secure through traditional methods. Cybersecurity companies and security teams within other organizations will invest in information sharing, creating a larger pool of knowledge and intelligence that will greatly reduce the duplication that currently holds back security teams. Companies will share the discoveries they make with others, lifting up the security floor of the entire community. There will also be a more purposeful use of automation and AI to combat human error that comes from the tedious assessment process – automated detection of untrusted data sources, and a ranking of alerts and results so that teams are always dealing with the most urgent problems first.

Be on the lookout for part two of this series. 

Here’s who shared their insights:

• Josh Mayfield, Director of Security Strategy, Absolute
• Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
• Steven Aiello, security and compliance solutions principal, AHEAD
• Gadi Naor, CTO and Co-founder, Alcide
• Omer Benedict, Senior Director of Product Management, Aqua Security
• Tom Maher, CTO, Asavie
• Gaurav Banga, CEO and Founder, Balbix
• Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
• Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
• Anurag Kahol, CTO, Bitglass
• Syed Abdur, Director of Product Management and Design, Brinqa
• Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
• Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera 
• Brian Kelly, Head of Conjur Engineering, CyberArk
• Doug Dooley, COO, Data Theorem
• Jason Mical, Cyber Security Evangelist, Devo Technology
• OJ Ngo, CTO, DH2i
• Tom DeSot, EVP CIO, Digital Defense, Inc.
• Chris DeRamus, Co-founder and CTO, DivvyCloud
• Alan Weintraub, Office of the CTO, DocAuthority
• Tom Conklin, CISO, Druva
• Anders Wallgren, CTO, Electric Cloud
• Satish Abburi, founder, Elysium Analytics
• Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
• Ambuj Kumar, Co-founder and CEO, Fortanix
• Josh Stella, co-founder and CTO, Fugue
• Kathy Wang, Senior Director of Security, GitLab 
• Amith Nair, VP Product Marketing, HashiCorp
• Mike Puglia, Chief Customer Marketing Officer, Kaseya
• Nathan Turajski, Director of Product Marketing, Micro Focus
• Gary Duan, Chief Technology Officer, NeuVector
• Gary Watson, CTO and Founder, Nexsan
• Stephen Blum, CTO and Co-founder, PubNub
• Chuck Yoo, President, Resecurity
• Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
• Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
• Igor Baikalov, Chief Scientist, Securonix
• Oege de Moor, CEO and Co-founder, Semmle
• Dana Tamir, VP Market Strategy, Silverfort
• Logan Kipp, Technical Architect, SiteLock
• Albert Zenkoff, Security Architect, Software AG
• Tim Brown, V.P. Security Architecture, SolarWinds
• Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
• Tim Buntel, VP of Application Security Products, Threat Stack
• Andrew Useckas, Founder and CTO, ThreatX, Inc.
• Joseph Feiman, Chief Strategy Officer, WhiteHat Security
• Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs
• Robert Hawk, Operations Security Lead, xMatters