The tectonic shift of network security is gaining momentum, yet this transformation continues to lag far behind the accelerating pace of change in the operating environment.
Related: The advance of LLMs
For at least the past decade, the cybersecurity industry has been bending away from rules-based defenses designed to defend on-premises data centers and leaning more into tightly integrated and highly adaptable cyber defenses directed at the cloud edge.
I first tapped Gunter Ollmann’s insights about botnets and evolving malware some 20 years when he was a VP Research at Damballa and I was covering Microsoft for USA TODAY. Today, Ollmann is the CTO of IOActive, a Seattle-based cybersecurity firm specializing in full-stack vulnerability assessments, penetration testing and security consulting. We recently reconnected. Here’s what we discussed, edited for clarity and length?
LW: In what ways are rules-driven cybersecurity solutions being supplanted by context-based solutions?
Ollmann: I wouldn’t describe rules-based solutions as being supplanted by context-based systems. It’s the dimensionality of the rules and the number of parameters consumed by the rules that have expanded to such an extent that a broad enough contextual understanding is achieved. Perhaps the biggest change lies in the way the rules are generated and maintained, where once a pool of highly skilled and experienced cybersecurity analysts iterated and codified actions as lovingly-maintained rules, today big data systems power machine learning systems to train complex classifiers and models. These complex models now adapt to the environments they’re deployed in without requiring a pool of analyst talent to tweak and tune.
LW: In what noteworthy ways have legacy technologies evolved?
Ollmann: Cybersecurity technologies are continuously evolving; they must because both the threat and the business requirements are continuously changing. It’s been that way since the first person suggested using a password along with a login ID.
That said, to date the two biggest changes and influences upon legacy technologies have been public cloud and AI. Public cloud not only shifted the perimeter of internet business, but it also enabled a shift to SaaS delivery models – forcing traditional legacy protection technologies to transform. This fundamentally changed the way organizations shared and consumed cyber protection and detection information. It took quite some effort to shift from every on-premise log action and rule being private and confidential, to trusting cloud solution providers with that same data, pooled across multiple customers, and reaping the benefits of collective intelligence.
That cloud transformation and pooling of threat and response data was fundamental to the second transformation: deploying and applying AI-based cybersecurity technologies that range from training and reinforcement learning of detection models to incident response playbook production and auto-response. While the core “legacy” security building blocks have remained the same, the firewalls have grown smarter, the SIEMs detect and classify kill chains faster and blocking responses have become more trusted.
LW: Which legacy solutions are threatened with extinction?
Ollmann
Ollmann: Solutions that focus on enterprise-level on-premises and air-gapped protection are on borrowed time. Some people will argue that there will always be a need for such solutions, but their efficacy against today’s threats is constantly diminishing. There’s a real reason why on-premises anti-spam gateways protecting on-premises mail services are failing, and part of that is because some classes of threats are exponentially easier to detect and mitigate through massive cloud scale and collective intelligence.
Additionally, the majority of today’s solutions that require a customer’s pool of in-house analysts and security experts to update and maintain a custom-tuned or unique set of detection rules, data connectors, response playbooks, blocking filters, etc., are also on borrowed time. The last generation of machine learning system automation and the first generation of LLM-based analyst augmentation have proven they can replace the tier-one and tier-two human analysts traditionally tasked with building and maintaining those customized rules. There’s a sizable ecosystem of tooling and providers that specialize in custom rule creation and maintenance. They’re equally in trouble if they don’t adapt and evolve.
LW: What does the integration of iterated legacy tools into edge-focused newer technologies look like?
Ollmann: To understand the next generation of security technologies and what that means for the iterated evolution of legacy tools, it’s important to step back. Too often, as security professionals, we’re day-to-day involved in watching our feet on the dance floor and keeping in time with the music. When we take a step back, we get to see the bigger movements and relationships between dances.
We have an ecosystem of niche tools and specialized solutions for elements and processes within a chained pipeline of protection and response. Enterprise buyers select and integrate these components to achieve the same lofty goals as everyone else. For the last decade, we’ve seen a significant uptick in the growth of managed security service providers that effectively offer an obscured, off-the-shelf integrated protection and/or response pipeline that focuses on delivering the buyer’s security objectives rather than the stack of technologies’ security.
In parallel, over the last half-decade, we’ve observed the rapid development and advancement of cross-cloud and hybrid-cloud security posture management and response solution providers. Vendors such as Wiz, Palo Alto Network and CrowdStrike have acquired or rebuilt from the ground up much of the legacy tooling and capabilities and brought them together as unified edge protection and security management platforms. Behind the scenes, they’ve invested hugely in intelligent automation and AI systems to overcome and do away with the stack of interdependent legacy technologies (from a customer’s perspective).
LW: Looking just ahead, which new security platforms or architectures do you expect to emerge as cornerstones?
I think the managed security services industry that’s been leveraging inexpensive human analysts will lose to the new cloud and edge security posture management and response solution providers unless they transform and completely embrace AI. They’re at a disadvantage because they’re not software developers. They’re not AI engineers. But they are sitting on a lot of very valuable customer data and already have the integrations and relationships to drive transformational impact to their customers.
Collective intelligence and the knowledge derived from streaming vast data is a cornerstone to protection, compliance, and threat response. AI, LLMs, machine learning models, and their future iterations’ efficacy is dependent upon this data. It’s true, data is the new gold rush.
The cornerstone around the corner (as it were) that will likely bring the next business transformation will be ubiquitous confidential cloud computing. The legacy on-premises and air-gapped business requirements disappear once confidential compute is economical, prevalent, and performant. At that point, the “edge” consolidates to the cloud-edge, and new protections over data and regulatory concerns are overcome.
LW: Where is this all taking us over the next two to five years?
The global shortage of cybersecurity talent continues to hold back the industry. Just as cybersecurity requirements have become mainstream, the explosion of corporate need for trained security professionals and the chasm of attaining the security experience required to protect and operate the advanced cyber defense technologies, have arguably made businesses feel less secure.
The rapid advances in applied AI to security and the growth of AI-first security companies gives us great hope in overcoming the skills gap situation.
Over the next few years, I think AI-based automation of response and augmentation of human analysts will largely overcome the bottleneck of the historic cybersecurity talent shortage.
While some experts presume that AI will help elevate a new generation of cybersecurity graduates to quickly become tier-three expertise proficient, I don’t think that’s where the primary changes and benefits will come. Just as generative AI has enabled almost anyone to near instantly create their own Shakespearean-esque sonnets or Picasso-ify their dream illustrations, I expect security AI advancements to apply to, and be adopted by, other non-cyber professionals already within the business.
It’s exponentially easier and more beneficial to elevate someone with multiple years of institutional experience and business process knowledge and augment them with advanced security capabilities than to take a cybersecurity graduate and teach them the ins and outs of the business and personalities in play.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
The post NEWS ANALYSIS Q&A: Striving for contextual understanding as digital transformation plays out first appeared on The Last Watchdog.
Donnelly explained how Amplifier leverages LLM to make Ampy friendly and increasingly knowledgeable. For instance, Ampy helped one early customer achieve a 70 percent improvement in security training compliance in just a couple of weeks and other customers report material improvement in the time and effort required to manage vulnerabilities.
