Caute_cautim
Community Champion

Unusual Security Competency

Hi All

 

An interesting perspective: 

 

Most companies do not want to worry about security. They just want to do business. But in a hostile world, no one can take security lightly. For those industries that include healthcare, finance, government and pharma where security is a high priority, there may be only one security vendor capable of checking all the boxes, and that is IBM. This is not a self-promotion, they have a different perspective to many organisations around the world - with the Open Cybersecurity Alliance the key here is collaboration and the sharing of information to the security community. However, I do note that IBM openly collaborates and shares intelligence information with many organisations and vendors around the world.

 

https://techspective.net/2022/09/13/ibm-steps-up-to-showcase-unusual-security-competency/

 

I am sure many vendors will have their own perspectives.

 

Regards

 

Caute_Cautim

13 Replies
wimremes
Contributor III

"Nobody's ever been fired for buying Cisco" was the correct quote 🙂

 

I'm sure many, especially IBM, would want all of this to be true for IBM but I'm not convinced that they'll just speak it into existence.

 

If we are security professionals, we should be very wary about fellow professionals that seem to claim that companies can outsource their responsibility. That has never worked and it is mostly marketing teams that seem to believe they can convince customers of such a reality. "Companies just want to do business"...Have I got news for you! Doing business comes with all types of risk. Managing your security, and its associated risks, is very much part of "just doing business" if you ask me.



Sic semper tyrannis.
JoePete
Advocate I


@wimremes wrote:

If we are security professionals, we should be very wary about fellow professionals that seem to claim that companies can outsource their responsibility.


The significant differentiator for IBM may be its Watson AI. It seems like from days of syslog to now, we've been chasing our tail (tail -f maybe). We keep upping the ante with monitoring, SIEMs, etc. It's this dilemma of trying to build this giant haystack of monitoring but also being able to pick out the needle. You're dealing with massive amounts of consistent data and trying to find the anomaly - the type of stuff AI handles well. Still, we've been promised this before, and it is just really hard to deliver. Monitoring, even when married to some kind of response capability, really is (or should be) the last line of defense. So even if IBM or someone else builds the perfect security tool, I'd worry about the unintended consequence of businesses flocking to that solution and abandoning all the security that should be baked at other junctures.

wimremes
Contributor III


@JoePete wrote:

@wimremes wrote:

If we are security professionals, we should be very wary about fellow professionals that seem to claim that companies can outsource their responsibility.


The significant differentiator for IBM may be its Watson AI. It seems like from days of syslog to now, we've been chasing our tail (tail -f maybe). We keep upping the ante with monitoring, SIEMs, etc. It's this dilemma of trying to build this giant haystack of monitoring but also being able to pick out the needle. You're dealing with massive amounts of consistent data and trying to find the anomaly - the type of stuff AI handles well. Still, we've been promised this before, and it is just really hard to deliver. Monitoring, even when married to some kind of response capability, really is (or should be) the last line of defense. So even if IBM or someone else builds the perfect security tool, I'd worry about the unintended consequence of businesses flocking to that solution and abandoning all the security that should be baked at other junctures.


I hate to disappoint anybody, especially at IBM, that currently believes that any flavor of AI is ready to be effective in addressing any infosec problem set. Feel free to read the book "Weapons of Math Destruction" on this topic. AI is really effective on extremely narrow and well-described problem sets, but those are far and few between in infosec. 

 

I love AI, let that be clear. I love how it, for example, detected breast cancer early for a loved one. I do not have high hopes of AI being anywhere near helpful for infosec problems any time soon.



Sic semper tyrannis.
denbesten
Community Champion


@wimremes wrote:

"Nobody's ever been fired for buying Cisco" was the correct quote 🙂


Yes, every company seems to want to own that saying, but I am pretty sure that it was being used to refer to IBM way before Cisco even existed.

 

And nowadays, I don't think it holds true for either company.  

Caute_cautim
Community Champion

@wimremes   I don't want to disappoint you, but being a member of the AI Ethics and Trust advocacy group reviewing what is released and what it is supposed to do - I have to disagree.

 

Please read the following, there are five principles :

 

https://www.ibm.com/artificial-intelligence/ethics

 

It is taken very seriously indeed.

 

Regards

 

Caute_Cautim

 

 

 

wimremes
Contributor III


@Caute_cautim wrote:

@wimremes   I don't want to disappoint you, but being a member of the AI Ethics and Trust advocacy group reviewing what is released and what it is supposed to do - I have to disagree.

 

Please read the following, there are five principles :

 

https://www.ibm.com/artificial-intelligence/ethics

 

It is taken very seriously indeed.

 

Regards

 

Caute_Cautim

 

 

 


I'm not sure why I would be disappointed when learning AI Ethics are taken seriously at IBM. I'd be disappointed if they weren't. That has nothing to do with AI not being ready to address the complex security problem sets though. 



Sic semper tyrannis.
JoePete
Advocate I

I think the fundamental challenge of AI is that it is a tool that we are still figuring out (and will be for some time) the application for. In regard to the article, IBM's acquisition of different service companies is not a differentiator for them (in my mind) as much as AI/Watson. Even then, I'm a watcher, not a buyer at this stage.

 

What I ponder is if AI is more like "computational experience" than it is true intelligence/problem solving.  AI is great on a large scale (processing massive amounts of data to learn or predict). The real question is can or will it scale down and be able to solve something with limited data and experience? To apply that to security, I see huge promise in AI's ability to churn through worldwide monitoring logs and identify some global spread of malware. Will it, however, work on the scale of protecting a single network from something more targeted?

Caute_cautim
Community Champion

@JoePete There are known limitations within AI, you need to know exactly what data is available, and whether it is clean, in terms of you trust it, and know that the information collected can provide the insights required.

 

You also need to understand what you are attempting to solve, if you make the scope too wide, then you will not obtain the insights you require or whether your actual Use Cases are too wide or too narrow.

 

For example Safer Payments :  https://www.ibm.com/blogs/client-voices/ai-stop-real-time-payment-fraud/

 

How it is applied, what its intended purpose actually is, and whether someone attempts to make the AI stretch beyond what it was intended for. 

 

The real danger is a) developer bias, intrinsically within the development of the AI model itself, whether the developer or organisation are aware of this bias and whether they can compensate for it. The real danger is when there is overconfidence that the AI model is actually correct, and whether it has been fully tested and validated.

 

Without testing thoroughly, then inherent bias may actually be a threat and a danger to society:

 

https://www.ibm.com/policy/mitigating-ai-bias/

 

It is a tool, when combined with data analytics, can be harnessed as a power for good, but on the other extreme, it can be used for bad purposes - knowing the limitations is absolutely essential and from which sources the original collections came from to make the recommendations and decisions it provides.

 

Can you trust the results, again and again?  Especially where human lives are at stake?

 

For example, to give you a real life example: How do you teach a new Security Analyst within a SOC? Partner them up with a Mentor or an experienced one? Or do you have an AI monitoring on the side, as an aid, to the Security Analyst. For example the human analyst may see something in the event logs, and it kicks off a response, which they hope is correct. But the AI on the side sees a far wider picture and has far greater access to records, past patterns and therefore provides insights a normal human being - with their less than efficient memory and pattern recognition capabilities can be augmented, that in fact that particular event is a part of a string of patterns culminating in a particular threat cycle. Often the human being does not have that insight, so using AI to augment the human being's capability is a vast aid. Often within SOCs, it has been bandied about that the increase in efficiency and effectiveness of a SOC Security Analyst has been improved by at least 60%, through the use of AI sitting side by side with the human security analyst.

 

Regards

 

Caute_Cautim

 

 

 

 

wimremes
Contributor III


@Caute_cautim wrote:

Often within SOCs, it has been bandied about that the increase in efficiency and effectiveness of a SOC Security Analyst has been improved by at least 60%, through the use of AI sitting side by side with the human security analyst.

Citation needed?

 

Or is this a % on the same level as the claim that software bugs are 100x more expensive to fix after release based on an IBM Systems Sciences Institute study from 1981 or earlier ... that doesn't exist? It's been hurting our industry for several decades ...

 

Having run a SOC myself, AI tools more often than not throw a wrench in the gears. What a SOC does benefit from is automating SOC Playbooks and certain Analyst activities. Again, I am not anti-AI but I'm also realistic that most of the cyber security problem sets are far too wide for AI to be useful any time soon.

 

How many if loops are customers prepared to pay for?



Sic semper tyrannis.