We’re in an exciting time in our profession. There is a lot of new technology, a huge demand for our skills, and a bright future that promises only more work for us. Yet, this excitement is a two-edged blade. We often hear from peers about how hard it is to hire good security folks. My email box gets at least one mention a week from a peer looking for folks to bolster their team. But beyond anecdotes, we have data, as well. The F5 and Ponemon survey, The Evolving Role of CISOs and their Importance to the Business, found that 58% of CISOs reported “difficulty in hiring qualified security personnel.”
The ever-growing complexity of technology and security controls makes this situation worse. A “qualified security person” may seem like a singular job role to most outside of IT, but the reality is far more complex.
As of this moment, there are 77 different security certifications,[1] some of which overlap and some that are widely divergent. The National Institute of Standards (NIST) has classified 33 distinct areas of cybersecurity work within its Cybersecurity Workforce Framework.[2] You can’t just hire a “security person” and expect them to be competent in every one of these areas, so we need to hire lots of people with different skills. These specializations are opaque to the outsider—including the Human Resources department.
So, what’s a CISO to do? Looking at the F5 Labs Ponemon report, we find that half of surveyed respondents say machine learning is important to address security staffing shortages. Furthermore, 70% of CISOs report that machine learning will be important to their IT security functions in the next two years.
Using machine learning (ML) systems to enhance the capabilities of a security team makes sense. We don’t have enough people to look at all the alerts, vulnerabilities, and threat feeds. Worse, under a deluge of data, humans get tired and produce inconsistent results. Because of the wide spectrum of expertise, training, and experience, human bias can creep into the results. Yet a machine learning system, once trained on enough correct data, can produce consistent and usable results. Machine learning excels at classifying a population of data into buckets, which makes it good at anomaly detection and at finding hidden relationships. In some cases, machine learning can be trained by being fed presorted (labeled) data; in other cases it can learn unsupervised, without help. However, it is far from perfect.
So instead of relying on these kinds of systems alone, CISOs can use the machine learning analysis as a “first cut.” That way the most interesting results bubble up for expert review and action. You can increase the quantity and quality of analysis with the same staffing levels. Mike Simon, CTO of Critical Informatics, is doing that.
“We chose to embrace the carbon/silicon stack and focus our efforts on making the humans efficient as we present them with truly interesting things to investigate. By focusing on combining ML and human interaction, rather than trying to eliminate the human loop, we produce an astoundingly low false positive rate and continue to challenge our best-in-the-industry analysts with ever more interesting things that don’t quite make AI ring the bell but may still be worth noticing. Computers are good at boring; people are good at interesting.”
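What a “first cut” looks like in code, as an added example that is not from the article, F5 Labs, or Critical Informatics: an unsupervised rarity score (no labels needed) is combined with a supervised score learned from analyst verdicts on presorted events, and only the top-ranked events are handed to a human. The login events, field names, and verdicts are constructed for the example.

```python
from collections import Counter
from math import log

# Constructed login events: (user, source country, time bucket, outcome).
EVENTS = [
    ("alice", "US", "day", "ok"), ("alice", "US", "day", "ok"),
    ("bob", "US", "day", "ok"), ("bob", "US", "night", "ok"),
    ("carol", "US", "day", "ok"), ("carol", "US", "day", "fail"),
    ("dave", "US", "day", "ok"), ("dave", "US", "day", "ok"),
    ("alice", "RU", "night", "fail"),  # the one an analyst should see first
    ("erin", "US", "day", "ok"), ("erin", "US", "day", "ok"),
]
# Constructed analyst verdicts on past events: the "presorted" training data.
LABELED = [
    (("x", "US", "day", "ok"), False), (("x", "US", "night", "ok"), False),
    (("x", "US", "day", "fail"), False), (("x", "RU", "night", "fail"), True),
    (("x", "CN", "night", "ok"), True), (("x", "US", "day", "ok"), False),
]
FIELDS = ("user", "country", "hour", "outcome")

def rarity_score(event, events):
    """Unsupervised: sum of -log p(value) per field over the population itself."""
    score = 0.0
    for i in range(len(FIELDS)):
        counts = Counter(e[i] for e in events)  # event must be drawn from events
        score += -log(counts[event[i]] / len(events))
    return score

def train_verdict_model(labeled):
    """Supervised: per-field log-likelihood ratio (bad vs benign) from verdicts."""
    bad, good = Counter(), Counter()
    n_bad = sum(1 for _, is_bad in labeled if is_bad)
    n_good = len(labeled) - n_bad
    for ev, is_bad in labeled:
        for i in range(1, len(FIELDS)):  # skip user: identity is not a feature
            (bad if is_bad else good)[(i, ev[i])] += 1
    def llr(event):
        total = 0.0
        for i in range(1, len(FIELDS)):  # add-one smoothing: unseen values stay neutral
            p_bad = (bad[(i, event[i])] + 1) / (n_bad + 2)
            p_good = (good[(i, event[i])] + 1) / (n_good + 2)
            total += log(p_bad / p_good)
        return total
    return llr

def triage(events, labeled, top_k=3):
    """First cut: rank by rarity + learned verdict score; only top_k reach a human."""
    llr = train_verdict_model(labeled)
    ranked = sorted(events, key=lambda e: rarity_score(e, events) + llr(e), reverse=True)
    return ranked[:top_k]
```

Every verdict an analyst returns on a surfaced event can be appended to the labeled set, which is the feedback loop that keeps the false positive rate falling over time.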
As with any technology, there is a danger that attackers can game the machine learning system to their advantage. There is already ongoing research into preventing the injection of adversarial examples that skew results.[3] Security always has been, and always will be, an arms race. As machine learning in security grows, this is definitely an area worth keeping an eye on.