This morning I was chatting to a colleague about the cyber security landscape and he asked me the question “Do you think machine learning and AI will replace the need for security (SOC) analysts in the future?”
Artificial intelligence and machine learning are just a couple of the buzz words that are ‘in fashion’ at the moment, especially around the world of cyber security. I have written before about how different terms come and go as the fashionable phrases to attach to your product. There is no better place to see this in action than to go to an event like InfoSec Europe. Look for the common wording that every vendor has on their stand and you can see what the current buzz words are. Anyway, I digress.
We are being promised amazing things from machine learning and its application. The promise of fully autonomous, self-driving cars is tantalisingly close. Across IT, there are some amazing advantages and efficiencies from applying machine learning to everyday processes. In fact, Oracle is doing some fantastic work in applying machine learning across our entire portfolio. Take our SaaS apps for example. Within HCM, recruiters benefit from in-line AI and data-driven candidate recommendations that reduce time-to-fill and cost-to-hire. Within ERP, we are intelligently automating repetitive and mundane tasks, such as approvals, and within CX, optimizing marketing and sales programs to better resonate with customers, increase conversion, and close more business. You can find more information on any of these examples and more here. It’s not just about apps. Within our analytics platform, the use of machine learning allows you to get to insights about your data quicker. And of course, Oracle Autonomous Database, the world’s first self-driving database has a large helping of machine learning under the covers.
From a cyber security perspective, machine learning is a natural fit. Security event data, activity data, configuration data and so on are high-volume and largely structured, which makes them well suited to machine learning that can process them quickly to spot anomalies, identify threats and recognise attacks. This means you can reduce false positives and give your SOC analysts more accurate, focussed insight so that they investigate the real incidents. However, the promise of machine learning goes beyond that. In the world of Oracle Autonomous Database we talk about the database being self-securing. Taking an excerpt from the whitepaper here:
“The Autonomous Database is more secure than a manually operated database because it automatically protects itself from internal and external vulnerabilities and attacks. The Oracle Cloud provides continuous threat detection, while the Autonomous Database automatically applies all security updates online and provides “always on”, end-to-end encryption. This preventative approach is critical because 85% of security breaches today occur after a CVE (common vulnerability and exposure) alert has been issued.”
So, if we can make the database self-securing, why can’t we apply that to all security events? Why can’t we automatically remediate issues identified by our SOCs and thus get rid of the SOC analysts completely? In fact, within Oracle’s combined cloud-based NOC / SOC platform, Oracle Management Cloud, we talk about automatic remediation as a key capability. However, we need to recognise the limitations of automated remediation and where it is and isn’t suitable.
In some places it makes sense. If your monitoring platform notices an increase in load, or a server shutting down, then you could remediate this by automatically spinning up another node, or adding CPU count to existing nodes. Even in some security scenarios you could take automated remediation steps. If machine learning identifies a user as risky due to their behaviour, you might disable the user or enable multi-factor authentication on their account; both actions are confined to a single account and are easy to reverse if the model was wrong. Within Oracle Autonomous Database, the database is a controlled platform and therefore the remediation steps can be well understood on this focussed platform.
If we are looking at remediating incidents, we also need to understand where those attacks are coming from, and I don’t mean geographically in this context. It's true what Larry Ellison said in his keynote at Oracle Openworld back in 2017:
However, we need to recognise that it’s not just machine versus machine. The defenders have machine learning, but so do the attackers. Security has always been a game of cat and mouse. The attackers find a hole, the defenders plug it. The defenders put in stronger security, the attackers find another way in or a way around it. If it was just machines vs machines then the game may be more even, but adding the human element guarantees that security experts will still be needed.
Let’s go back to the example of autonomous cars. If there were only autonomous cars on the road, then I suspect we would see very few accidents. The biggest challenge autonomous cars are facing today is their interactions with other human drivers. Cyber security is the same. It’s not just computers vs computers, but the humans telling those computers what to do that adds to the unpredictability.
Even as machine learning gets more advanced, the size, scale and complexity of organisations’ IT today makes it very hard to fully automate every remediation step or cover every eventuality. In fact, there are many times you might not want to. For example, if you are an online retailer and you see an attack coming in on Cyber Monday, do you want a machine deciding to take your entire online presence down to fix the problem, or do you want to make a judgement call, based on business risk, on how to proceed?
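To make the two ideas above concrete (anomaly scoring that hands analysts a short list of users worth looking at, and remediation that is automated only where the action is reversible and confined to one account), here is a small Python pipeline. It is an added example written for this post, not code from Oracle Management Cloud or Autonomous Database. The event format, the robust z-score and its thresholds, the set of revenue-critical accounts and the Cyber Monday change-freeze date are all assumptions, and the login events are constructed sample data.

```python
"""Toy UEBA-style anomaly scoring feeding a gated remediation policy.

Added example for this page, not Oracle code. The event format, the score
thresholds, the privileged-account list and the change-freeze date are all
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median

# Constructed sample of one day's authentication events: (user, outcome, source country).
# Ordinary users fail occasionally from a single country. "grace" probably mistyped a
# new password a few times, "mallory" is being brute-forced from two countries, and
# "svc_checkout" is a service account under attack.
EVENTS = (
    [("alice", "fail", "GB")] + [("alice", "ok", "GB")] * 10
    + [("bob", "ok", "GB")] * 8
    + [("carol", "fail", "GB")] * 2 + [("carol", "ok", "GB")] * 12
    + [("dave", "fail", "GB")] + [("dave", "ok", "GB")] * 9
    + [("erin", "ok", "GB")] * 11
    + [("frank", "fail", "GB")] + [("frank", "ok", "GB")] * 7
    + [("grace", "fail", "GB")] * 6 + [("grace", "ok", "GB")] * 9
    + [("mallory", "fail", "RU")] * 20 + [("mallory", "fail", "GB")] * 10
    + [("mallory", "ok", "RU")]
    + [("svc_checkout", "fail", "US")] * 12 + [("svc_checkout", "ok", "GB")] * 50
)

PRIVILEGED = {"svc_checkout"}      # assumed: accounts whose lockout stops the checkout flow
FREEZE_DAY = date(2018, 11, 26)    # assumed: Cyber Monday, no automatic lockouts that day
NORMAL_DAY = date(2018, 11, 20)    # an ordinary trading day for comparison
CHANGE_FREEZE = {FREEZE_DAY}


def count_failures(events):
    """Per-user failed-login counts and the set of source countries seen."""
    users = {user for user, _, _ in events}
    fails = {u: 0 for u in users}
    countries = {u: set() for u in users}
    for user, outcome, country in events:
        if outcome == "fail":
            fails[user] += 1
        countries[user].add(country)
    return fails, countries


def robust_z(values):
    """Median/MAD z-score. A mean/stdev z-score would be masked here: the
    30-failure outlier inflates the standard deviation so much that it
    scores only around 2.5 against the very population it distorts."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values()) or 1.0  # guard MAD == 0
    return {u: (v - med) / (1.4826 * mad) for u, v in values.items()}


def risk_scores(events):
    """Anomaly score per user; activity from more than one country adds a flat 3."""
    fails, countries = count_failures(events)
    z = robust_z(fails)
    return {u: round(z[u] + (3.0 if len(countries[u]) > 1 else 0.0), 2) for u in fails}


@dataclass(frozen=True)
class Decision:
    action: str        # "allow" | "require_mfa" | "disable_user" | "escalate"
    automatic: bool
    reason: str


def decide(user, score, today, privileged=PRIVILEGED, freeze=CHANGE_FREEZE):
    """Automate only reversible, single-account actions. Anything that could
    take revenue-bearing capability offline is escalated to an analyst, and
    during a change freeze even an ordinary lockout needs a human decision."""
    if score < 3.0:
        return Decision("allow", True, "within normal range")
    if score < 8.0:
        return Decision("require_mfa", True, "moderate anomaly; step-up auth is cheap to undo")
    if user in privileged:
        return Decision("escalate", False, "revenue-critical account; lockout is a business-risk call")
    if today in freeze:
        return Decision("escalate", False, "change freeze in effect; no automatic lockouts")
    return Decision("disable_user", True, "high anomaly on an ordinary account")


def triage(events, today):
    """Score every user seen in the events and decide what to do about each."""
    return {u: decide(u, s, today) for u, s in risk_scores(events).items()}


if __name__ == "__main__":
    scores = risk_scores(EVENTS)
    for day in (NORMAL_DAY, FREEZE_DAY):
        print(f"--- {day} ---")
        for user, d in sorted(triage(EVENTS, day).items()):
            print(f"{user:13} {scores[user]:6.2f} {d.action:13} auto={d.automatic!s:5} {d.reason}")
```

Run on the normal day, mallory is disabled automatically, grace gets step-up MFA, and svc_checkout is escalated because locking out the checkout service account is exactly the kind of business-risk call the paragraph above describes. On the assumed Cyber Monday freeze date, even mallory's lockout is handed to an analyst. The median/MAD scoring is deliberate: with a plain mean and standard deviation the one extreme account would drag the baseline towards itself and look far less anomalous than it is.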
I firmly believe that machine learning has a strong place within our cyber security defender’s toolbag. As it matures further, it will provide increased value and keep helping to strengthen an organisation’s defences. However, I don’t see a time, certainly not within the rest of my career, when we will be saying goodbye to the hugely talented pool of security analysts, specialists, and experts who underpin the security defences of every organisation.