Data science – is it really the answer to cybersecurity?
Data science, along with technologies such as machine learning and artificial intelligence, has found its way into countless security products, solutions, and services as of late. The promised benefit of these complex technological disciplines includes the ability to make better decisions in less time than a human might and deliver superior results in detecting and identifying threats using mathematics. All of these things, in theory, point to a ’safer’ environment.
While I do count myself as a big fan of data science and its various forms of implementation, I can’t help but be skeptical that these technological advancements are the equivalent of a messianic promise to “save us.” The industry has been noticeably impacted by hype, and some of the product capabilities touted by vendors do not seem realistic.
Is data really the answer?
Data can be defined as any and all facts and/or statistics collected together for reference or analysis. There are many sources of data and data sets that we might want to be cognizant of in order to better understand our environments, our networks, our assets, and our personnel, some of which are more interesting to information and cybersecurity professionals than others.
Understanding this is key to forming an awareness and appreciation of the various disciplines and technologies that comprise the data sciences. For those of us who spend our time laboring over investigations while researching threats, threat actors, and campaigns, the importance of identifying data sources, collecting those sources, and applying them wisely is key to prevention, the reduction of threat actor dwell time, and threat mitigation in general. And as important as that high quality, diverse, rich data is, there are only a few good ways to work with it in its raw form, hence the need for automated data science-driven solutions.
A lot of smoke, is there a fire?
With all of this in mind, what can we expect to hear from security vendors when it comes to these topics? Marketing departments are keen to discuss the merits and advantages of these complex technological disciplines and concepts as they pertain to enterprise, mobile, and cloud security concerns. It’s not uncommon to read about promises with respect to the efficacy of these innovations in detecting and identifying threats using “math” (mathematics is one of many forms of data science). There are also assertions that these advances will make better decisions in far less time than a human, in pursuit of more efficient and accurate security tools. This claim is questionable, and we’ll address it later.
A lot of these claims cross into the realm of the fantastic, made by people who really cannot speak with authority on such complex capabilities. There’s a good chance anyone who spends the time to read into all the technology on offer will comprehend nothing due to the cacophony of mixed messages across products.
When it comes down to it, the questions that will matter most to customers revolve around money and safety. Will these technologies help us avoid a breach? Will they help us be more effective? Will our investment be worth it? Will it save us?
Can Data Science, Machine Learning, and Artificial Intelligence Save Us from Ourselves?
No. I don’t believe that data science, machine learning, or artificial intelligence will save us from ourselves.
In my mind, these are tools and platforms that can – provided we’re intelligent in maintaining them – help us, but save us? No. No, they will not save us. They are not the cavalry coming in at the last possible moment to save the day. There are no silver bullets. There have never been and there never will be.
What’s going to save us from ourselves and from our adversaries is a return to the core principles of IT and security hygiene: patching, asset management, and the use and application of encryption. What’s going to save us is “living off the land,” that is, identifying and taking advantage of the data sources already within our enterprise environments. It’s only once we’ve identified all of our data that we can develop the clearest, richest picture of our environment’s risk posture. Furthermore, what will contribute to our salvation is our recognition and application of tradecraft driven by experience – experience that often exists only in the minds of human beings who’ve devoted a lifetime to their craft, as opposed to systems which have been “taught” to understand it.
What’s going to save us is the identification and recognition of our gaps and our shortcomings, and our willingness as businesses and organisations to address them as they relate to how we do business. What’s going to save us is identifying high-quality threat intelligence that will complement what we have in-house and aid us in making quicker, more informed decisions that have a material impact. But here’s the good news. If you and your organisation have been putting the core principles of IT and security hygiene into practice regularly, and have stayed ahead of the threats to date, data science, machine learning, and artificial intelligence may help you further shore up and fine-tune your security programs. Remember, what’s going to save us isn’t the application of data science or the integration of machine learning or artificial intelligence into our ecosystems. What’s going to save us is ourselves.
Will Gragido, Director of Advanced Threat Protection, Digital Guardian