Our team is back from Las Vegas where Black Hat USA 2019 was held two weeks ago. The main themes this year included IoT, application security, and the role of humans in security and privacy. Personally, I had a very different Black Hat experience than previous ones. I missed all the sessions, I didn’t get to see the keynote, and I didn’t check out a single booth. Instead, I spent the entire show at the Irdeto booth, engaging with our visitors: the Security Engineers, the SOC Engineers, and the Pen Testers. From small to large companies, these are the people organizations rely on to make sure their products aren’t breached in embarrassing and costly ways.
Many of the people I spoke to were struggling with the same problem: how to transfer their security knowledge to the rest of the organization. One frustrated Security Architect explained that product teams regularly refuse to consider any security measure that might add work or impact delivery dates. When time-to-market is the key to profit, and when engineers are rewarded for delivering features quickly and penalized when they miss deadlines, who can blame them? This puts security specialists in a tough spot: How do we help the engineers who are doing the work that brings in the dollars to also make the right security decisions?
The industry seems to be looking toward machine learning (ML) and automation to answer these questions. We’re seeing a ton of companies launch products with this in mind. We’re seeing ML applied to threat prediction, detection, and monitoring. We’re seeing products targeted at the network traffic, at endpoint integrity, and even at user behavior. There are also companies like Irdeto launching products that automatically apply ML to prevent tampering at the application level.
The ML-based products that will win are the ones that can be adopted seamlessly by engineering teams. The products that succeed won’t require expertise or complex configuration, and they won’t slow down the engineering teams. The key to helping the security advocates out there – the Security Engineers and CISOs – is to make sure the products we build are so easy to use that engineering teams have no hesitation to use them.
But more important than usability is getting the security right. Irdeto knows, from our own experience training ML models, that replicating the mindset of a security professional is a complex and multi-faceted task. We also know that false positives waste analysts' time, and that false negatives are worse because the threat goes unnoticed. It will be interesting to see over the next year how far these ML products progress. I’m looking forward to having more time to check them out at Black Hat next year!
Bonus – Our podcast interview with Byron V. Acohido: Mark Hearn and I met him at Black Hat to discuss mobile app security.