Cyber threats are growing in number and strength and the future of cybersecurity is looking ever more complex and challenging. Organizations are therefore turning to analytics and automation to aid cyber specialists in their job.
While cybersecurity can be a complex and challenging field, some aspects of it are all too clear. The number of threats to large organizations is growing rapidly, as is the number of bad actors who create them and the number of systems at risk from cyberattacks. Statista, a statistics portal, estimates that there are 22.9 billion connected devices in 2016, and predicts they will grow to 50 billion by 2020.[1] The Internet of Things (IoT) will create massive needs and problems for cybersecurity as millions of devices come online. Data breaches are increasing, according to one report, by 85 percent a year, and in 2016, half a billion personal records were stolen or lost.[2] How can organizations possibly keep up with such a scary growth trajectory?
In other domains of business that are subject to massive numbers of entities, a typical approach is to employ analytics and automation. These tools identify the most important events and entities. In customer analytics, for example, the normal approach is to segment customers by their value, focus on the most important ones, and predict what those customers are likely to buy. Automated offers can be customized to each customer’s preferences.
The same technologies can rescue cybersecurity from its growing problems. There are not enough cyber specialists in organizations to deal with the number of threats today, and the imbalance will likely become much worse. Cybersecurity is too often reactive to hacks and breaches, with actions only taken after (sometimes long after) a problem has occurred. The technology most commonly used to address cyberattacks employs “threat signatures” based on patterns of previous attacks. But these approaches are of limited value in preventing new types of attacks.
A promising solution is to employ analytics to predict and screen threats and to take some automated corrective actions. Given the sensitivity of cybersecurity issues, there is also no doubt that humans will still be necessary to confirm and investigate threats, particularly when they are internal. But their jobs will be made much easier and more productive with some help from technology.
The analytical and automated future of cybersecurity is already here, but it’s very unevenly distributed. Academic researchers at Carnegie Mellon, for example, have employed the attributes of web servers (software used, keywords present, and so on) as variables to predict how likely a server is to be hacked.[3] Their model successfully predicted 66 percent of future hacks, with a 17 percent false positive rate. This sort of predictive power would allow organizations to focus security efforts on the technology environments most likely to be targeted.
Other predictive and real-time approaches are beginning to emerge from software vendors. The same software and modeling approaches used to identify credit card fraud—a form of anomaly detection—are being applied to behaviors in cybersecurity attacks.[4] These approaches can identify emerging anomalies much faster than using threat signatures, and may be able to prevent substantial breaches before they occur.
If the current frontier of cybersecurity is predictive analytics, the next one involves automated actions. A recently concluded DARPA (Defense Advanced Research Projects Agency) competition asked developers to submit automated programs for detecting attacks and intrusions, identifying flaws, and fixing them, all without human intervention.[5] The competition (and two million dollars) was won by a Carnegie Mellon spinout called ForAllSecure, although their autonomous system later finished last in a contest with human cybersecurity analysts. But as with other autonomous software, automated cybersecurity solutions are expected to get better over time.
Of course, technology will never solve all cybersecurity problems. Some automated actions can be undertaken; but in many cases, organizations will want to investigate problems identified by analytics before taking corrective action. The investigation requires research, testing, and perhaps even interviews for internal threats—all of which involve human experts. This means that the most effective cybersecurity environments will be complex hybrids of human and machine intelligence, and that the handoffs between automated and analytics-driven alerts and human interventions will be extremely important for effective security.
Effective security will also require a well-defined process for identifying, screening, and acting on threats, one that clearly defines roles for smart machines and capable humans. The process must not only identify and qualify threats, but also take rapid action on them. That's not easy with an overwhelming number of threats, but analytics-based prioritization can help.
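To make the contrast between threat signatures and behavioral anomaly detection concrete, and to show what analytics-based prioritization of alerts looks like in practice, here is an added example that is not part of the original article or of any vendor's product. It runs both detectors over a small set of constructed login/transfer events (the users, hours, volumes and the blocklisted address are all made up for illustration) and then ranks the resulting alerts for a human analyst.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real data): (user, hour_of_day, MB_transferred, source_ip)
EVENTS = [
    ("alice", 9, 12, "10.0.0.5"), ("alice", 10, 15, "10.0.0.5"),
    ("alice", 11, 14, "10.0.0.5"), ("alice", 14, 13, "10.0.0.5"),
    ("alice", 3, 900, "10.0.0.5"),       # 3 a.m. bulk transfer, matches no known indicator
    ("bob", 10, 20, "10.0.0.9"), ("bob", 11, 22, "10.0.0.9"),
    ("bob", 12, 19, "10.0.0.9"), ("bob", 13, 21, "10.0.0.9"),
    ("bob", 11, 21, "203.0.113.7"),      # behaviour looks normal, but source is blocklisted
]

# Constructed "threat signature": a blocklisted address (documentation range, not a real IoC).
KNOWN_BAD_IPS = {"203.0.113.7"}

def signature_alerts(events):
    """Signature-based detection: flags only events that match a previously seen indicator."""
    return [{"user": u, "ip": ip, "reason": "signature", "score": 10.0}
            for u, _, _, ip in events if ip in KNOWN_BAD_IPS]

def _zscore(value, baseline):
    """Standard deviations between value and the baseline; sd floored at 1 to avoid /0."""
    return abs(value - mean(baseline)) / max(pstdev(baseline), 1.0)

def anomaly_alerts(events, threshold=3.0):
    """Behavioural anomaly detection: compares each event with the same user's *other*
    events (leave-one-out) on hour of day and volume; needs no prior indicator."""
    per_user = defaultdict(list)
    for idx, (u, hour, mb, _) in enumerate(events):
        per_user[u].append((idx, hour, mb))
    alerts = []
    for idx, (u, hour, mb, ip) in enumerate(events):
        others = [(h, m) for i, h, m in per_user[u] if i != idx]
        if len(others) < 3:              # too little history to define "normal"
            continue
        score = max(_zscore(hour, [h for h, _ in others]),
                    _zscore(mb, [m for _, m in others]))
        if score >= threshold:
            alerts.append({"user": u, "ip": ip, "reason": "anomaly", "score": round(score, 1)})
    return alerts

def prioritized_alerts(events):
    """Analytics-based prioritization: merge both detectors, highest score first,
    so the analyst's limited time goes to the most suspicious event."""
    return sorted(signature_alerts(events) + anomaly_alerts(events),
                  key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for alert in prioritized_alerts(EVENTS):
        print(alert)
```

The signature detector catches only the blocklisted source, while the anomaly detector catches the off-hours bulk transfer that no signature describes; the merged, ranked list is the handoff point to the human investigation the article describes.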
We are not describing a future scenario, but rather the early stages of a present one. Organizations in both public and private sectors today are using analytics and—to a lesser degree—automation to improve their cybersecurity programs. There may be some doubt about when such technical capabilities will be fully mature, but let there be none about their necessity and the likelihood of their adoption.