
Machine Versus Machine: The New Battle For Enterprise Cybersecurity

Oracle

Humans can’t keep up. At least, not when it comes to meeting the rapidly expanding challenges inherent to enterprise cybersecurity. There are too many devices, too many applications, too many users, and too many megabytes of log files for humans to make sense of it all. Moving forward, effective cybersecurity is going to be a “Battle of the Bots,” or to put it less dramatically, machine versus machine.

That’s the message Oracle Executive Chairman and CTO Larry Ellison delivered during a keynote presentation at Oracle OpenWorld, held in October in San Francisco. Whether it’s state-sponsored hacking, or criminals stealing data for sale on the Dark Web, Ellison said, “We have to reprioritize and rethink about how we defend our information. We need new systems. It can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers. And make no mistake: it's a war.”


Consider the 2015 breach at the U.S. Government’s Office of Personnel Management (OPM). According to a story in Wired, “The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence.” Yet despite sophisticated security mechanisms, hackers managed to steal millions of records on applications for security clearances, personnel files, and even 5.6 million digital images of government employee fingerprints. (In August 2017, the FBI arrested a Chinese national in connection with that breach.)

About that breach, Ellison said, “These were people who had security clearances, and all of their security clearance and background data was stolen. These are the people who work at the White House and the Defense Department and the State Department and our embassies overseas. This is another state actor who took this data. And suddenly the state actor (and presumably the state) knows everything about every employee who works in the embassy in their capital city, and the consulates in other cities around the country and around the world.”

That’s why Ellison insisted, “We are losing the cyberwar.”

Can't Shut Down for Patches

Traditional security measures are often slow, and potentially ineffective. Take the practice of applying patches and updates to address new-found software vulnerabilities. Companies now have too many systems in play for the process of finding and installing patches to be effectively handled manually, Ellison said: “Our data centers are enormously complicated. There are lots of servers and storage and operating systems, virtual machines, containers and databases, data stores, file systems. And there are thousands of them, tens of thousands, hundreds of thousands of them. It's hard for people to locate all these things and patch them. They have to be aware there's a vulnerability. Going forward, it's got to be an automated process.”

Not only that, but too often, patches require taking systems offline to back up data, install patches, validate that the patches were installed correctly, and then put the systems back online. That’s simply not feasible in today’s always-on 24/7 world, which means some of those patches will be delayed.
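The first half of the automated process Ellison describes is locating every affected system without a human doing the search. The following is an added illustration, not Oracle code or anything from the keynote: it matches a constructed asset inventory against a constructed advisory list and orders the findings so production systems with the worst exposure are patched first. Hosts, product names, versions, severity scores and the `ADV-PLACEHOLDER-*` identifiers are all assumptions; a real pipeline would pull the inventory from a CMDB and the advisories from a vendor or NVD feed.

```python
"""Automated discovery of patch-needing assets (added example, not Oracle code).

Matches a constructed asset inventory against a constructed advisory list and
orders the result so the most exposed systems are patched first.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    tier: str          # "prod" or "dev" (constructed label)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder, not a real advisory number
    product: str
    fixed_in: str      # versions strictly below this are affected
    severity: int      # constructed 1-10 score


# Constructed sample data: not a real inventory or real advisories.
INVENTORY = [
    Asset("web01", "struts", "2.3.5", "prod"),
    Asset("web02", "struts", "2.5.13", "prod"),   # already at the fixed version
    Asset("dev03", "struts", "2.3.5", "dev"),
    Asset("db01", "exampledb", "12.1", "prod"),
]
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "struts", "2.5.13", 10),
    Advisory("ADV-PLACEHOLDER-2", "exampledb", "12.2", 7),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string -> tuple of ints, so 2.10 sorts after 2.9 (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def affected(inventory, advisories):
    """Every (asset, advisory) pair where the installed version predates the fix."""
    out = []
    for adv in advisories:
        fix = parse_version(adv.fixed_in)
        for a in inventory:
            if a.product == adv.product and parse_version(a.version) < fix:
                out.append((a, adv))
    return out


def patch_plan(inventory, advisories):
    """Group findings per host, ordered prod-first and then by worst severity,
    so a scheduler can work through hosts without a person locating them."""
    per_host: Dict[str, List[Advisory]] = {}
    tier: Dict[str, str] = {}
    for a, adv in affected(inventory, advisories):
        per_host.setdefault(a.host, []).append(adv)
        tier[a.host] = a.tier
    ordered = sorted(
        per_host,
        key=lambda h: (tier[h] != "prod", -max(x.severity for x in per_host[h]), h),
    )
    return [(h, sorted(adv.advisory_id for adv in per_host[h])) for h in ordered]


if __name__ == "__main__":
    for host, advisories in patch_plan(INVENTORY, ADVISORIES):
        print(host, advisories)
```

The ordering key is the point: the list a scheduler consumes is already prioritized (production before development, highest severity first), which is what makes it possible to act on a new advisory without waiting for someone to triage spreadsheets.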

Ellison put it succinctly: “You can't wait for a downtime window, where you say, ‘Oh, I can't take the system down. I know I've got to patch this, but we have scheduled downtime middle of next month.’ Well, that's wrong thinking and that's kind of lack of priority for security.”

Can't Manually Scan Log Files

Another practice that can’t be handled manually: scanning log files to identify abnormalities and outliers in data traffic. While there are many excellent tools for reviewing those files, they are often slow and aren’t good at aggregating logs across disparate silos (such as a firewall, a web application server, and an Active Directory user authentication system). Thus, results may not be comprehensive, patterns may be missed, and results of deep analysis may not be returned in real time.

What’s worse, said Ellison, is that “with log analytics there is no automatic remediation. They just help you analyze the log. They don't fix anything.” And then administrators have to use a separate system to go ahead and patch the database, or patch Struts, or patch Linux, or whatever needs to be repaired.
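The two gaps described above, correlation across silos and the lack of automatic remediation, can be shown together in a small script. This is an added example, not code from Oracle or from the keynote: three constructed log sources in different formats (a firewall, a web server in common log format, and a Windows AD security log using the real event IDs 4625 for a failed logon and 4624 for a successful one) are normalized into one schema, correlated by client IP, and turned into alerts plus remediation actions that an orchestration layer would carry out. All hostnames, IPs, user names and log lines are constructed, and the `fail_threshold` and `window` values are assumptions.

```python
"""Cross-silo log correlation with a proposed remediation (added example, not Oracle code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in three formats (not real logs).
FIREWALL_LOGS = [
    "2024-01-01T10:00:01Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2024-01-01T10:00:40Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.5 dport=443",
]
WEB_LOGS = [
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 12',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /login HTTP/1.1" 401 12',
    '203.0.113.7 - - [01/Jan/2024:10:00:15 +0000] "POST /login HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:41 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
AD_LOGS = [
    "2024-01-01T10:00:03Z dc01 EventID=4625 Account=jdoe SourceIP=203.0.113.7",
    "2024-01-01T10:00:07Z dc01 EventID=4625 Account=jdoe SourceIP=203.0.113.7",
    "2024-01-01T10:00:14Z dc01 EventID=4624 Account=jdoe SourceIP=203.0.113.7",
]

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=\S+ dport=\d+$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]+" (\d{3}) \d+$')
AD_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) Account=(\S+) SourceIP=(\S+)$")


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize(firewall, web, ad):
    """Flatten all three formats into dicts with the same keys so they can be correlated."""
    events = []
    for line in firewall:
        m = FW_RE.match(line)
        if m:
            events.append({"ts": _iso(m.group(1)), "source": "firewall", "ip": m.group(4),
                           "user": None, "outcome": m.group(3).lower()})
    for line in web:
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            is_login = m.group(4) == "/login"
            outcome = ("success" if m.group(5) == "200" else "fail") if is_login else "other"
            events.append({"ts": ts, "source": "web", "ip": m.group(1), "user": None, "outcome": outcome})
    for line in ad:
        m = AD_RE.match(line)
        if m:
            outcome = {"4625": "fail", "4624": "success"}.get(m.group(3), "other")
            events.append({"ts": _iso(m.group(1)), "source": "ad", "ip": m.group(5),
                           "user": m.group(4), "outcome": outcome})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Flag an IP whose authentication failures, counted across all sources, reach the
    threshold inside the window and are then followed by a success from the same IP."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] in ("fail", "success"):
            by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        fails = []
        for e in evs:
            if e["outcome"] == "fail":
                fails.append(e)
                continue
            recent = [f for f in fails if e["ts"] - f["ts"] <= window]
            if len(recent) >= fail_threshold:
                users = {f["user"] for f in recent if f["user"]}
                if e["user"]:
                    users.add(e["user"])
                alerts.append({"ip": ip, "failures": len(recent),
                               "sources": sorted({f["source"] for f in recent}),
                               "success_via": e["source"], "users": sorted(users)})
                fails = []  # one burst yields one alert
    return alerts


def remediation_plan(alerts):
    """Turn alerts into actions for an orchestration layer (returned here, not executed)."""
    actions = []
    for a in alerts:
        actions.append({"action": "block_ip", "target": a["ip"], "where": "firewall"})
        for user in a["users"]:
            actions.append({"action": "force_password_reset", "target": user, "where": "ad"})
    return actions


if __name__ == "__main__":
    found = correlate(normalize(FIREWALL_LOGS, WEB_LOGS, AD_LOGS))
    for a in found:
        print("ALERT", a)
    for act in remediation_plan(found):
        print("ACTION", act)
```

In the constructed data the web server alone sees two failures and AD alone sees two, so neither silo crosses the threshold of three; only the merged view does, which is the aggregation gap the section describes. The returned action list is what a remediation step consumes so that the finding is acted on at machine speed rather than handed to an administrator to fix through a separate system.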

The Secret Weapon: Machine-Speed Responses

Humans are too slow. That’s why new autonomous security technologies are so important, explained Ellison.

“The key thing is to find a vulnerability before there's a threat, and shut off the vulnerability or patch the system. If there is a threat, identify the threat and take remedial action against the actor who's threatening your data assets. And, again, you've got to be able to remediate these problems in real time. You can't wait for a downtime window,” he said.

“You can’t wait.” Those words are key to effective security. When there’s a vulnerability, if there’s an attack or a breach, the hackers are moving at machine speed. The response has to be at machine speeds as well. In the Battle of the Bots, humans are simply too slow.

Alan Zeichick is principal analyst at Camden Associates, a tech consultancy in Phoenix, Arizona, specializing in software development, enterprise networking, and cybersecurity. Follow him @zeichick.