There is much talk of topics like artificial intelligence, machine learning, and automation within the security industry. We are led to believe that these capabilities will revolutionize our security practices. However, we need to be conscious of the limits of these capabilities before we entrust them with matters of importance. To understand the limits, we need to understand what each of these capabilities really means and how they fit together. Unfortunately, most people combine these capabilities and use the terms almost interchangeably. Doing so is dangerous and can create unintended consequences.
New Paradigms for the Next Era of Security | Sounil Yu
As we enter the 2020s, we will see the attacks culminate to where machines, infrastructure, and data become irrecoverable. In these scenarios, our old security paradigm of confidentiality, integrity, and availability no longer applies. Instead, we need a new paradigm of distributed, immutable, and ephemeral design patterns for the next era.
The Cyber Defense Matrix helps people organize and understand gaps in their overall security program. These slides describe several additional use cases of the Cyber Defense Matrix, including how to map the latest startup vendors and security trends, anticipate gaps, develop program roadmaps, capture metrics, reconcile inventories, improve situational awareness, and create a board-level view of their entire program.
See the 2016 version at: http://bit.ly/cyberdefensematrix
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R... | Sounil Yu
The Cyber Defense Matrix enables organizations to define clear categories for the range of products and services that are available in the marketplace to solve our various infosec problems. This model removes confusion around the security technologies that we buy and helps organizations align their vendors to have the right suite of capabilities to execute their information security mission.
See the 2019 version at: http://bit.ly/cyberdefensematrixreloaded
See the 2022 version at: http://bit.ly/cyberdefensematrixrevolutions
This is an update to the Cyber Defense Matrix briefing given at the 2019 RSA Conference. Cybersecurity practitioners can use this to organize vendors, find gaps in security portfolios, understand how to organize security measurements, prioritize investments, minimize business impact, visualize attack surfaces, align other existing frameworks, and gain a fuller understanding of the entire space of cybersecurity.
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security | Sounil Yu
We are rapidly approaching the next era of security where we need to be focused on the ability to recover from irrecoverable attacks. This can also be defined as resiliency. The traditional view of resiliency attempts to quickly restore assets that support services that we care about. This new approach/paradigm looks at resilience in ways that promote design patterns (distributed, immutable, ephemeral) where we do not care about a given asset at all while still keeping the overall service functioning. This new approach allows us to avoid having to deal with security at all.
In our webinar "What is Threat Hunting and why do you need it?" we discussed the following key points:
1. What Threat hunting is.
2. Why it is becoming so popular and what kinds of attacks are making it necessary.
3. What the challenges are.
4. Threat Hunting and Investigation services for attacks.
5. Case studies.
Find out more on https://www.pandasecurity.com/business/adaptive-defense/?utm_source=slideshare&utm_medium=social&utm_content=SM_EN_WEB_adaptive_defense&track=180715
Understanding the Cyber Security Vendor Landscape | Sounil Yu
We are often inundated with vendors offering their products and services to solve our various information security problems. How can you make sense of the wide range of technologies and ensure that your control gaps are being covered? Where are opportunities for technology disruption? Where are you overly reliant on technology? This is a framework for understanding security technologies so that you can align vendors in the right bucket to ensure that you have the suite of technologies that you need to execute your information security mission.
This presentation explained the security controls and evolving threats that pertain in the market at the moment through giving descriptive elaboration on today's security landscape. The presentation further envelopes the key reasons why Cyber Security is imperative for organizations today.
Happiest Minds Cyber Security Services:
http://www.happiestminds.com/cyber-security-services/
Insight is one of the best security operation centers; it influences all the necessary things that reduce advanced threats and security risk all over your company and protects your network infrastructure across the organization. https://insightmsp.co.in/soc-as-service.php
Security operations center 5 security controls | AlienVault
An effective Security Operation Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
LTS Secure Security Information and Event Management (SIEM), is a technology that provides real-time analysis of security alerts generated by network hardware and applications.
Talking about Next-Gen Security Operation Center for IDNIC+APJII as representative from IDSECCONF. A People-Centric SOC requires a lot of investment in humans in terms of quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to put their investments more into technology, as in Industry 4.0 machines are getting more advanced to support humans in doing continuous and repetitive tasks.
Moving from "traditional" to next-gen SOC requires a proper plan; that's what this talk was about.
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center requirement
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center" is often used synonymously for SOC.
A network operations center (NOC), which focuses on network device management rather than detecting and responding to cybersecurity incidents, is not a SOC. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same, whether delivered from a SOC or not. It is a meta-topic, involving many security domains and disciplines, and depending on the services and functions that are delivered by the SOC.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC:
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
Security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
Security operations center
Security Incident Event Management
Real time monitoring of Servers, Network Devices.
Correlation of Events
Analysis and reporting of Security Incidents.
Threat Intelligence
Long term storage
Security Strategy and Tactic with Cyber Threat Intelligence (CTI) | Priyanka Aash
Targeted attacks need targeted Defense
What protocol should we use for CTI information exchange?
How should we describe our indicators of compromise?
Structured threat information expression (STIX)
How can we keep information within our defined trust boundaries?
Where to store IOCs?
Threat Intelligence Feeds Lifecycle
How to measure the CTI process?
Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ... | CrowdStrike
Learn how to prevent & detect even the most complex “file-less” ransomware exploits
Ransomware continues to evolve as perpetrators develop new exploits with consequences that can be dramatic and immediate. The purveyors of ransomware continue to prosper with adversaries developing new strains such as Zepto and Cerber that are proving to be more challenging than ever. Other exploits can alter programmable logic controller (PLC) parameters and adversely impact mechanical systems. Clearly, new defense approaches are needed because organizations can no longer rely on backups and conventional security solutions to protect them. Join CrowdStrike Senior Security Architect Dan Brown as he offers details on these sophisticated new ransomware threats, and reveals recent innovations designed to offer better protection – including new indicator of attack (IOA) behavioral analysis methodologies that can detect and prevent even the most complex “file-less” ransomware exploits.
Attend this CrowdCast where Dan will discuss:
--The challenges of defending against dangerous new variants, such as Zepto and Cerber
--Real-world examples of ransomware in action and the sophisticated tactics being used by a variety of adversaries
--How the CrowdStrike Falcon cloud-delivered platform can defend your organization against new super strains of ransomware that use sophisticated malware-free tactics
SOC Architecture - Building the NextGen SOC | Priyanka Aash
Why are APTs difficult to detect
Revisit the cyber kill chain
Process orient detection
NextGen SOC Process
Building your threat mind map
Implement and measure your SOC
Machine learning cybersecurity boon or boondoggle | Priyanka Aash
Machine learning (ML) and artificial intelligence (AI) are the latest “shiny new things” in cybersecurity technology but while ML and AI hold great promise for automating routine processes and tasks and accelerating threat detection, they are not a panacea. This session will demonstrate what they can and can’t do in a cybersecurity program through real world examples of possibilities and limits.
(Source: RSA Conference USA 2017)
Digital Forensics for Artificial Intelligence (AI) Systems.pdf | Mahdi_Fahmideh
Digital Forensics for Artificial Intelligence (AI) Systems:
AI systems make decisions impacting our daily life. Their actions might cause accidents, harm or, more generally, violate regulations either intentionally or not and consequently might be considered suspects for various events. In this lecture we explore how digital forensics can be performed for AI-based systems.
Designing Trustworthy AI: A User Experience Framework at RSA 2020 | Carol Smith
Artificial intelligence (AI) holds great promise to empower us with knowledge and scaled effectiveness. To harness the power of AI systems, we can—and must—ensure that we keep humans safe and in control. This session will introduce a new user experience (UX) framework to guide the creation of AI systems that are accountable, de-risked, respectful, secure, honest and usable.
Presented at the RSA Conference 2020 in San Francisco, CA on February 28, 2020.
Intelligent and Smart Systems define the cutting edge of information technology now. They are invisible yet ubiquitous. From identifying individual student’s lack of attention to suggesting remedial measures, from predicting financial failures to preventing future fraud, and from assisting noninvasive surgery to guiding missiles to moving targets, the Artificial Intelligence based applications are stepping into every domain.
Numerous concerns have emerged in parallel. Should they be permitted to run a completely human less system? Can they be assigned all cognitive non routine tasks that humans are good at? Are they effective communicators and consensus builders? What role should they play in decision making? How good are they in picking up data compared to human senses? These and many other questions have surfaced in many fora.
Data used in model building adds another dimension. How unbiased are the data sets used in training? Can a data set be ever unbiased? What are the consequences of data bias in models and algorithms?
This talk explores the issues of setting the boundary for use of AI technology. Areas of concern are delineated, and principles of restraint advocated. It aims to inspire researchers to keep the boundary in mind as they explore new frontiers in AI and to design stable boundary line interfaces.
Machine Intelligence and Moral Decision-Making | Bohyun Kim
A presentation given at the IMLS project of "Libraries Facilitating Cross-disciplinary Research," DC Workshop, Washington D.C., May 31, 2019 by Bohyun Kim, CTO, University of Rhode Island Libraries.
Velocity 2019 - Security Precognition 2019 Slides - San Jose 2019 | Aaron Rinehart
Large scale distributed systems have unpredictable and complex outcomes that are costly when security incidents occur. Security incident response today is mostly a reactive and chaotic exercise. Chaos engineering allows security incident response teams to proactively experiment on recurring incident patterns to derive new information about underlying factors that were previously unknown.
What if you could flip that scenario on its head? Chaos engineering advances the security incident response framework by reversing the postmortem and preparation phase. This is done by developing live fire exercises that can be measured and managed. Contrary to red team game days, chaos engineering doesn’t use threat actor tactics, techniques, and procedures. Instead it develops teams through unique configuration, cyberthreat, and user error scenarios that challenge responders to react to events outside their playbooks and comfort zones.
Join Aaron Rinehart to explore the hidden costs of security incidents, learn a new technique for uncovering system weaknesses in systems security, and more. You’ll also get a glimpse of ChaoSlingr, an open source security chaos engineering tool built and deployed within a Fortune 5 company. Aaron explains how the tool helped his team discover that many of their security controls didn’t function as intended and how, as a result, they were able to proactively improve them before they caused any real problems.
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack | Aujas
It is given that you will be hacked, irrespective of your level of cyber security. Learn how you can detect, respond & recover from cyber attacks. Quicker.
Key Content:
1. The threat landscape and how existing monitoring and response capabilities are ineffective in detecting and responding to advanced cyber attacks
2. Lifecycle and speed of an attack and how early detection can help in responding and managing losses
3. Blueprint for an effective (and vendor agnostic) Incident Management Program
If you have been tracking the Cyber Security News lately, one thing is for sure - Cyber Attacks are imminent and it is a matter of time when you will be the next one to come under an attack, if not already.
What Robert Mueller, Former Director of FBI said in RSA Conference in March 2012 is still very relevant.
"I am convinced that there are only two types of companies: those that have been hacked and those that will be." And what he says further makes it worse: "And even they are converging into one category: companies that have been hacked and will be hacked again."
Cyber attacks are no more a work of lone warriors or a group of hackers but involve cyber crime syndicates, collaborating and pumping large amount of money, precision, knowledge, expertise and persistence. Their capabilities are equal if not better than state sponsors.
Data says that cyber security incidents affect all kinds of organizations - small, medium or large and across all industries - financial, telecom, utility, health care, education and more. Organizations fail to detect and respond to security incidents due to weak monitoring capabilities and lack of expertise, tools and procedures.
In this webinar we will look at the cause and effect of the problem, analyze preparedness and learn how you can better prepare, detect, respond and recover from cyber attacks.
A presentation on AI, Artificial Intelligence.
Intro of the Author
Automation vs AI
What is AI
History & Trends
Framework of Agents
Ethics
Social Economic Implications
https://www.youtube.com/watch?v=wbXEXGT3I9I&list=PLqJzTtkUiq54DDEEZvzisPlSGp_BadhNJ&index=8
Link of video:
https://www.youtube.com/watch?v=wbXEXGT3I9I
This is a review of the keynote presented by Eric Horvitz, Managing Director, Microsoft, Redmond.
This keynote was presented at Computing Community Consortium in Washington DC on June-07-2016.
Eric discussed 3 things in his keynote: Healthcare, Agriculture and Transport.
He mainly focussed on Health care.
The goal of AI
Broad Spectrum of Opportunities for AI
Healthcare
Sciences
Transportation
Agriculture
Sustainability
Education
Governance
Criminal justice
Privacy & security
Emergency management
A work conducted at Johns Hopkins University
References:
http://research.microsoft.com/en-us/um/people/horvitz/AI_supporting_people_and_society_Eric_Horvitz.pdf
https://www.youtube.com/watch?v=rek3jjbYRLo
https://en.wikipedia.org/wiki/Artificial_intelligence
https://en.wikipedia.org/wiki/AI_winter
http://research.microsoft.com/en-us/um/people/horvitz/
GDG Cloud Southlake #23: Ralph Lloren: Social Engineering Large Language Models | James Anderson
Each day, the world continues to get smaller and smaller. The Cybersecurity and Data Science domains have converged, and we are now at a crossroads. Soft skills and effective communication are in higher demand than ever, with new roles such as Prompt Engineering being created. So, where do humans go from here?
Dive with us into the hidden depths of Social Engineering, a topic often considered taboo to explore. We must have the hard conversations now to tackle the Fear, Uncertainty, and Doubt that AI/ML brings. Is resistance really futile? No matter what, have fun during the event, and be sure to join us afterward for the social networking hour so we can practice our verbal judo on each other.
Trusted, Transparent and Fair AI using Open Source | Animesh Singh
Fairness, robustness, and explainability in AI are some of the key cornerstones of trustworthy AI. Through its open source projects, IBM and IBM Research bring together the developer, data science and research community to accelerate the pace of innovation and instrument trust into AI.
Data Visualizations in Cyber Security: Still Home of the WOPR? | Matthew Park
Visualization of security data has not advanced significantly since the days of the WOPR in War Games. Other tech industries have embraced the role of modern user interfaces to facilitate and expedite data search, analysis and discovery, which has significantly helped users in those industries gain insights from a big data environment. In contrast, the security industry prefers to relegate everyone into command line prompts and clunky interfaces with minimal functionality and an inability to scale to the volume, velocity, and variety of security data. I’ll address the core challenges and impact of the industry’s failure to take data visualization and user experience seriously, and provide recommendations on key areas that would most benefit from modern data visualization. Through the use of attack timelines, I’ll demonstrate how we, as an industry, must move beyond familiar visualization conventions (that tend to break at scale) and provide functional data visualization that is usable for analysts and operators across all levels of expertise.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Key Trends Shaping the Future of Infrastructure.pdf - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Securing your Kubernetes cluster_ a step-by-step guide to success ! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 3 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA Connect - Kari Kakkonen
Rik Marselis's and my slides from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
Andras Palfi, Senior Product Manager, UiPath
Lenka Dulovicova, Product Program Manager, UiPath
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Lessons Learned in Automated Decision Making / How to Delay Building Skynet
1. #RSAC
SESSION ID: MLAI-T06
Lessons Learned in Automating Decision Making: Pitfalls and Opportunities
(or How to Delay Building Skynet: A Cautionary Tale on Connecting AI with Robotics)
Sounil Yu
@sounilyu
2. Questions to ponder
• How is AI/ML distinct from automation?
• How mature are our AI/ML and automated decision making capabilities? How mature do they need to be for security?
• What can we learn from failed cases of automated decision making in security?
• What guardrails should be considered for automated decision making until sufficient maturity is achieved?
[Figure: Age 5, Age 13, Age 18, Age 21 = ?]
3. Framework #1: Modified OODA Loop
Sensing
• Sensors
• Raw Telemetry
• Big Data
Sense Making
• Analytics
• Artificial Intelligence
• Machine Learning
Decision Making
• Defined Processes
• Courses of Action
• Orchestration
Acting
• Execution
• Robotic Automation
• Response Scripts
Artificial intelligence capabilities are distinct from robotic automation capabilities
4. What is Skynet?
• A fictional computer system developed for the U.S. military featured in the Terminator movie series
• Originally built as a “Global Information Grid / Digital Defense Network”
• Later given command over all computerized military hardware and systems including the B-2 stealth bomber fleet and America's entire nuclear weapons arsenal
• Strategy behind creation was to remove the possibility of human error and slow reaction time to guarantee a fast, efficient response to enemy attack
5. What Could Possibly Go Wrong?
[Diagram: Sensing, Sense Making, Decision Making, Acting]
• A fictional computer system developed for the U.S. military featured in the Terminator movie series
• Originally built as a “Global Information Grid / Digital Defense Network”
• Later given command over all computerized military hardware and systems including the B-2 stealth bomber fleet and America's entire nuclear weapons arsenal
• Strategy behind creation was to remove the possibility of human error and slow reaction time to guarantee a fast, efficient response to enemy attack
security use case
6. Framework #2: DARPA’s Perspective on AI
https://www.darpa.mil/about-us/darpa-perspective-on-ai
• Perceiving rich, complex and subtle information about the outside world to understand what’s going on
• Learning within an environment and adapting to its conditions and situations based on what is perceived
• Reasoning to plan / decide based on a set of prescribed or implied rules and understanding why
• Abstracting by taking knowledge of one domain and applying to other domains to create new meanings
[Chart: notional intelligence scale, up to human level]
7. DARPA’s Perspective on AI
https://www.darpa.mil/about-us/darpa-perspective-on-ai
First Wave of AI – Handcrafted Knowledge
– Enables reasoning over narrowly defined problems
– No learning capability and poor handling of uncertainty
– Examples: Turbotax, Chess, Logistics, DARPA Cyber Grand Challenge
– First generation SIEMs
Second Wave of AI – Statistical Learning
– Nuanced classification and prediction capabilities
– No contextual capability and minimal reasoning capabilities
– Examples: Voice recognition, Face recognition, DARPA Grand Challenge – Self Driving Cars
– Statistically impressive, individually unreliable
– Current generation SIEMs
[Charts: each wave rated on Perceiving, Learning, Reasoning, Abstracting]
10. Why statistical-based machine learning and neural networks DO NOT work for security…
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection
Robin Sommer, Vern Paxson, 2010
https://www.icsi.berkeley.edu/icsi/node/4511
“Our main claim is that the task of finding attacks is fundamentally different from these other applications, making it significantly harder for the intrusion detection community to employ machine learning effectively.”
• Bounded vs unbounded environments
• Inviolable rules vs shifting rules
• Human adversaries deliberately try to shift the rules (i.e., novel attacks)
“…[ML is generally not] suitable for finding novel attacks … Rather, the strength of machine-learning tools is finding activity that is similar to something previously seen…”
11. DARPA’s Perspective on AI continued
https://www.darpa.mil/about-us/darpa-perspective-on-ai
Third Wave of AI – Contextual Adaptation
– Systems construct explanatory models for classes of real world phenomena
– Models explain decisions (cause and effect)
– Understand why and why not
  leads to an understanding of when the system will succeed or fail
  leads to when to trust and why mistakes are made
[Chart: Perceiving, Learning, Reasoning, Abstracting]
Source: Robust Physical-World Attacks on Machine Learning Models, by Ivan Evtimov, Kevin Eykholt, Earlence Fernandes, Tadayoshi Kohno, Bo Li, Atul Prakash, Amir Rahmati, and Dawn Song
Classified 100% of the time as…
How do I know this really is a stop sign?
Explainable model:
• Red
• Octagonal
• At intersections
12. Why Do We Need Better Decision Making?
… Because of Deliberate Attempts to Fool Sensing and Sense Making…
Source: Nguyen A, Yosinski J, Clune J. Deep Neural Networks are Easily Fooled: High Confidence Predictions for Unrecognizable Images. In Computer Vision and Pattern Recognition (CVPR ’15), IEEE, 2015
13. Framework #3: Classical Education Trivium
Rhetoric
• Convincing and persuading
• Bearing fruit in wisdom
• Applying and integrating subjects
Dialectic/Logic
• Investigating the truth of opinions
• Gaining in understanding
• Explaining “why” and “how”
Grammar
• Structures and rules
• Soaking in knowledge
• Memorizing a broad base of facts
Remember: According to the DARPA Framework, this capability emerges in the Third Wave
14. The “Age” of Machine Learning
Rhetoric
• Convincing and persuading
• Bearing fruit in wisdom
• Applying and integrating subjects
Dialectic/Logic
• Investigating the truth of opinions
• Gaining in understanding
• Explaining “why” and “how”
Grammar
• Structure and rules
• Soaking in knowledge
• Memorizing a broad base of facts
Machine learning has not left this stage yet
[Figure: relative emphasis on Grammar, Dialectic and Rhetoric across Grades K-6 (elementary school), Grades 7-9 (junior high school) and Grades 10-12 (high school)]
15. Children vs Fully Grown Adults
[Diagram: Sensing, Sense Making, Decision Making, Acting]
Prefrontal Cortex (fully developed at age 25)
• Coordinates and adjusts complex behavior
• Controls impulse
• Prioritizes competing and simultaneous inputs
Amygdala (fully developed at birth)
• Fear
• Emotion
• Impulse
• Aggression
• Instinct
Fully Grown Adults
• Better Filters and Prioritization: Knowledge and Wisdom, Discernment, Model Based Perception
• “Algorithms”: Rational and logical, Explainable
Children
• Questionable Inputs: Peers, Memes, Social Media
• “Algorithms”: Irrational, Illogical
17. Lessons Learned: Reflexive Stimulus – Response
[Diagram: Sensing, Acting]
Threat Intel Sharing
– Blocking google.com
– Null routing 0.0.0.0/0
Automated patching
– NotPetya
– Windows 10 1809 – The “I hope you made a backup” Update
Guardrails:
– Ensure sensor sources are trustworthy and reliable
– Apply actions that are narrowly scoped
– Have a kill switch ready if it goes beyond the scope
– Make the action immediately reversible
18. Lessons Learned: Conditional response based on analysis, enrichment, and regression testing
[Diagram: Sensing, Sense Making, Acting]
Threat Intel Sharing
– Would this new regex pattern create false positives by matching on anything else over the past 30 days?
– Is there a unanimous verdict based on enrichment from multiple other sources? (i.e., what does VirusTotal say?)
Automated patching after regression testing
– Do all systems in the testbed continue to operate as expected after the patch?
– Did any applications stop working after the patch?
19. Lessons Learned: Conditional response based on analysis, enrichment, and regression testing
[Diagram: Sensing, Sense Making, Acting]
“The automation process has to leave a trail of logic behind decisions so humans can follow it up,”
Sam Hamilton, Chief Scientist, BAE Systems, Cyber Tech Group
The CHASE program seeks to develop automated tools to detect and characterize novel attack vectors, collect the right contextual data, and disseminate protective measures both within and across enterprises
Sources:
https://www.darpa.mil/program/cyber-hunting-at-scale
https://defensesystems.com/articles/2018/08/17/bae-cyber-ai-tool.aspx
20. Lessons Learned: Conditional response based on analysis, enrichment, and regression testing
[Diagram: Sensing, Sense Making, Acting]
Automating funds transfer requests from emails to an electronic transfer system
– Assumed that emails were only coming from legitimate sources
– Assumed that copying action was purely mechanical and didn’t involve any further analysis or thought beyond mapping email content to the proper fields
Guardrails
– Use regression testing to ensure the outcomes are fully deterministic
– Validate assumptions that no other decision making is actually needed or happening
– Ensure entire process is well documented and understood by the operators
21. Lessons Learned: Conditional response based on business considerations
[Diagram: Sensing, Sense Making, Decision Making, Acting]
Bank of Valletta shuts down all of its operations after hackers broke into its systems and shifted funds overseas
DoD responds to the Code Red worm by disconnecting NIPRNet from the Internet, resulting in the Army Corps of Engineers not being able to control the locks on the Mississippi River
Guardrails:
– Pre-establish thresholds where the costs of inaction are worse than the negative repercussions of action
– Pre-determine authorities for actions and accountabilities for outcomes
22. Comparing Frameworks… How Mature is AI/ML Today?
[Diagram comparing three frameworks]
OODA Loop: Sensing, Sense Making, Decision Making, Acting
DARPA: Perceiving, Learning, Reasoning, Abstracting
Classical Education: Grammar Stage, Dialectic Stage, Rhetoric Stage
23. Summary of Guardrails: When might it be okay to enable automated decision-making?
[Diagram labels: AI/ML, Robotic Automation]
Create a conscious mental chasm that you deliberately choose to cross when enabling automated decision-making
• Sensor Diversity: Ensure sensor sources are trustworthy and reliable based on multiple sources of truth
• Established Thresholds: Know when the costs of inaction are worse than the negative repercussions of action
• Algorithmic Integrity: Ensure entire process and all assumptions are well documented and understood by the operators
• Brakes and Reverse Gear: Have a kill switch ready if it goes beyond the scope and make the action immediately reversible
• Bounded Conditions: Ensure decisions are highly deterministic and narrowly scoped using regression testing
• Authorities and Accountabilities: Pre-establish authorities for taking action and accountabilities for outcomes
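The guardrails summarized on this slide, applied to the threat-intel blocking case from slides 17 to 19, as an added example that is not code from the talk. The thresholds, log lines, source names (`feed_a`, `feed_b`) and the names `evaluate` and `Blocker` are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample data and thresholds (assumptions for this example).
BENIGN_LOGS_30D = [
    "GET https://www.google.com/search?q=weather 200",
    "GET https://intranet.example.test/login 200",
    "CONNECT 198.51.100.7:443 200",
]
PROTECTED_DOMAINS = {"google.com", "example.test"}
MIN_PREFIX = {4: 24, 6: 64}   # broadest network the automation may block
MAX_ACTIVE_BLOCKS = 2         # kill switch trips beyond this many live blocks

@dataclass
class Decision:
    kind: str
    indicator: str
    approved: bool = True
    trail: list = field(default_factory=list)  # trail of logic for operators
    def check(self, name, passed, detail):
        self.trail.append(f"{name}: {'pass' if passed else 'FAIL'} ({detail})")
        self.approved = self.approved and passed

def _net(indicator):
    try:
        return ipaddress.ip_network(indicator, strict=False)
    except ValueError:
        return None

def scope_ok(kind, indicator):
    """Bounded conditions: refuse indicators that would block too much."""
    if kind == "cidr":
        net = _net(indicator)
        if net is None:
            return False, "not a valid network"
        return net.prefixlen >= MIN_PREFIX[net.version], f"prefix /{net.prefixlen}"
    if kind == "domain":
        name = indicator.lower().rstrip(".")
        hit = any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)
        return not hit, ("protected domain" if hit else "not protected")
    return True, "scope left to the regression test"

def _ips_in(logs):
    for token in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", " ".join(logs)):
        try:
            yield ipaddress.ip_address(token)
        except ValueError:
            continue  # looked like an IPv4 address but is not one

def regression_ok(kind, indicator, logs):
    """Would the indicator have matched known-benign activity in the logs?"""
    if kind == "cidr":
        net = _net(indicator)
        hits = [ip for ip in _ips_in(logs) if net is not None and ip in net]
    elif kind == "regex":
        try:
            rx = re.compile(indicator)
        except re.error as exc:
            return False, f"invalid pattern: {exc}"
        hits = [line for line in logs if rx.search(line)]
    else:
        hits = [line for line in logs if indicator.lower() in line.lower()]
    return not hits, f"{len(hits)} benign match(es)"

def verdict_ok(verdicts):
    """Sensor diversity: at least two sources, and all of them say malicious."""
    ok = len(verdicts) >= 2 and all(v == "malicious" for v in verdicts.values())
    return ok, ", ".join(f"{s}={v}" for s, v in sorted(verdicts.items())) or "no sources"

def evaluate(kind, indicator, verdicts, logs=BENIGN_LOGS_30D):
    """Sense making and decision making; every check is recorded in the trail."""
    decision = Decision(kind, indicator)
    decision.check("scope", *scope_ok(kind, indicator))
    decision.check("regression", *regression_ok(kind, indicator, logs))
    decision.check("enrichment", *verdict_ok(verdicts))
    return decision

class Blocker:
    """Acting: blocks are reversible, and a kill switch halts the automation."""
    def __init__(self):
        self.active = {}     # indicator -> trail that justified the block
        self.halted = False
    def apply(self, decision):
        if self.halted or not decision.approved:
            return False
        if len(self.active) >= MAX_ACTIVE_BLOCKS:
            self.halted = True   # beyond expected scope: stop, hand to a human
            return False
        self.active[decision.indicator] = decision.trail
        return True
    def revert(self, indicator):
        return self.active.pop(indicator, None) is not None

if __name__ == "__main__":
    feeds = {"feed_a": "malicious", "feed_b": "malicious"}  # hypothetical sources
    for kind, ind in (("cidr", "0.0.0.0/0"), ("regex", "/login"), ("cidr", "203.0.113.0/24")):
        print(ind, evaluate(kind, ind, feeds).trail)
```

An indicator is acted on only when all three checks pass, and the stored trail records why each block exists, so an operator can review it or revert it.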
24. “Apply” Slide
Within the next month
– Start inventorying capabilities broken out by Sensing, Sense-Making, Decision-Making, Acting
– Determine where automated decision-making may be happening within those capabilities
Within the next 90 days
– Review potential guardrails for automated decision-making
Within the next year
– Establish governance processes to ensure that systems with automated decision-making stay within those guardrails
25. For further reading
DARPA’s Perspective on Artificial Intelligence
https://www.darpa.mil/about-us/darpa-perspective-on-ai
AI is now so complex its creators can’t trust why it makes decisions
https://qz.com/1146753/ai-is-now-so-complex-its-creators-cant-trust-why-it-makes-decisions/
Automation Should Be Like Iron Man, Not Ultron
https://queue.acm.org/detail.cfm?id=2841313
How can we be sure AI will behave? Perhaps by watching it argue with itself.
https://www.technologyreview.com/s/611069/how-can-we-be-sure-ai-will-behave-perhaps-by-watching-it-argue-with-itself/
AI is more powerful than ever. How do we hold it accountable?
https://www.washingtonpost.com/outlook/ai-is-more-powerful-than-ever-how-do-we-hold-it-accountable/2018/03/20/e867b98a-2705-11e8-bc72-077aa4dab9ef_story.html
Artificial Intelligence Has A Problem With Bias, Here's How To Tackle It
https://www.forbes.com/sites/bernardmarr/2019/01/29/3-steps-to-tackle-the-problem-of-bias-in-artificial-intelligence/
The case against understanding why AI makes decisions
https://qz.com/1192977/the-case-against-understanding-why-ai-makes-decisions/
When computers decide: European Recommendations on Machine-Learned Automated Decision Making
https://dl.acm.org/citation.cfm?id=3185595
Counterfactual Explanations without Opening the Black Box: Automated Decisions and the GDPR
https://arxiv.org/abs/1711.00399
Explanation in Artificial Intelligence: Insights from the Social Sciences
https://arxiv.org/abs/1706.07269
There is much talk of topics like artificial intelligence, machine learning, and automation within the security industry. We’re oftentimes led to believe that these capabilities will revolutionize our security practices. However, we need to be conscious of the *limits* of these capabilities before we entrust them with matters of importance.
In today’s session, we will discuss how ML and automation are distinct and how they fit together through decision making. Many people combine these capabilities and use the terms almost interchangeably, especially if we are letting the machine also do automated decision making. It’s easy to fall into this trap. Doing so can be quite dangerous and can create many unintended consequences. So before we let machines do automated decision making, let’s understand the limits of these capabilities.
Using a combination of multiple frameworks, I plan to show you how we can determine how far AI/ML has advanced and understand when it might be appropriate to connect it to automation through automated decision making.
These frameworks can help us answer questions such as: What is the difference between AI/ML and automation? How separable are those functions?
How mature are these capabilities, and how mature do they need to be for certain security-relevant use cases?
There’s a long history of EPIC FAILS when it comes to automated decision making. Using these frameworks, what can we learn from those failures, particularly as it relates to security?
And lastly, given the current level of maturity of these capabilities, what guardrails should we consider?
So the first framework for consideration is the OODA loop, or a slightly reworded version of it, courtesy of the IACD program. When we look at most security stacks, they have elements of these four components: Sensing, Sense-Making, Decision-Making, and Acting.
Sensing requires sensors, the collection of telemetry from those sensors, and the ability to get them to a point where the data is usable.
Sensemaking is where we have analytics, and this is also where AI/ML goes.
Next up is decision making. This is where we take information, and based on our knowledge, wisdom, and judgment, we hope to make the right decisions that define the next courses of action.
And then lastly, in acting, you have the actual execution of the decision.
If we use this construct, then it becomes clear that AI/ML is distinct from automation and there is a Decision-Making function that connects AI/ML with Automation.
It’s important to consider these separately. When we conflate these terms together, we also risk connecting these capabilities together without a mature decision-making framework, which then may result in severe unintended consequences.
So this first framework is intended to explicitly call out the function of decision making, which separates sense making from acting, or AI/ML from automation.
This next framework is from DARPA, and it gives perspectives on what specific factors drive higher levels of capability as it pertains to artificial intelligence. With DARPA’s framework, there are also four components, and they align partially with the OODA loop.
The first factor is perceiving. How well can a machine consume large quantities of data about the world and understand what’s going on? That’s sensing and a little bit of sense making.
The second factor is learning. How well can a machine take the information and start adapting to that environment? This is squarely in sense making.
The third factor is reasoning. How well can a machine decide on what to do next and explain why it made that decision? This is squarely in decision making. Note here that DARPA does call out decision making separately from the other functions, but still bundles it all within the context of AI.
The fourth factor is abstracting. How well can a machine take what it has learned and decided and apply it to an entirely different domain? There’s no analogue here with the OODA loop, but note here too that DARPA doesn’t include the action itself or the execution of the decisions as a part of AI.
Now within DARPA’s view of AI, they talk about three waves.
The first wave is based on handcrafted knowledge. This has a little bit of perceiving and lots of reasoning. The examples they give include things like tax preparation software and chess. Even the Cyber Grand Challenge that they ran only a few years ago fit into this category. Capabilities in this wave rely heavily on the handcrafted knowledge of experts who can codify their decisions into software and provide deterministic outcomes. For example, in tax prep software, it can take basic inputs in various formats and make highly deterministic decisions over them. First generation SIEMs perceive their world using common event and logging formats and reason over this data using various alerting rules that are handcrafted. These capabilities fit into this first wave fairly well.
The second wave has a lot of perceiving and learning capabilities. Machine Learning and most of what people call AI today is in this space. The second wave can do some amazing things to find patterns similar to what has previously been seen and this pattern recognition has been useful to develop capabilities like voice and facial recognition, somewhat self-driving cars, and the current generation of SIEM products that we see today. But this second wave of capabilities is also very limited in its reasoning capabilities. And remember, this is where decision-making lives. Also, note that DARPA calls this statistical learning.
And on that point, let’s talk about statistical learning for a moment. Statistics are helpful to spot similarity to known patterns, but statistics without context or explanation can be very dangerous.
You may have heard this quote before. There are 3 kinds of lies: Lies, Damn Lies, and Statistics.
Or this awesome book entitled, “How to Lie with Statistics”
And did you know that 83.7% of all statistics are entirely made up?
Statistics without context or proper explanation have their limitations. And likewise, systems that use statistical-based machine learning will have similar limitations. As I mentioned previously, statistics are helpful for spotting similarity to known patterns and fitting a curve, but without context or explanation, the similarities may mean nothing. For example, here are some known patterns that are similar. It turns out that the number of people who drown after falling out of a fishing boat correlates nicely with the marriage rate in KY.
And our spend on science, space, and tech correlates really closely with suicides by hanging, strangulation, and suffocation.
We know that these are absurd, unexplainable correlations, but why do we know that? How would a machine know that?
And when these techniques are applied to security problems, we have encountered similar challenges. This is a great paper on the use of machine learning for network intrusion detection. Note that this was written in 2010, well before all the craze that we’ve seen recently around AI/ML. This paper specifically talks about why it is so fundamentally different and significantly harder to apply ML to security problems. In a nutshell, it distills down to the differences in the nature of problems and the environment that we are in when it comes to security. ML works great in closed worlds, where things are bounded and the rules don’t change. However, the Internet, and most enterprise environments, are unbounded environments. And the rules change all the time. Furthermore, attackers are constantly trying to change the rules through novel attacks.
But as I mentioned before, ML isn’t really that great for finding novelty and outliers, particularly in open environments like the Internet. There are many things that are outliers, which is why we end up with so many false positives when it comes to machine learning. And when we tune our ML systems, we recognize that the costs and the consequences for a false negative are pretty high. In other words, we don’t want to misclassify a real attack as being normal. But as we try to ensure that we don’t have any false negatives, we typically end up with many false positives, which has its own associated costs in terms of analyst time.
By the way, most any vendor in this space that makes a claim about ML in their product will state that they have very few false positives. This is just a play on words. They mean that everything that they alert on will be an anomaly, which they don’t deem to be a false positive, because well, it really is an anomaly. But the vast majority of these anomalies are benign. Only a few are malicious.
Ultimately, we need these systems to help us find malicious anomalies that we already know the pattern for, but also those malicious anomalies that are novel, and all the while, filtering out the benign anomalies.
But to reduce the false positive problem, these systems also need to explain *WHY* these anomalies are malicious.
And so that takes us to the third wave of AI, which we haven’t reached yet. This wave is what DARPA calls contextual adaptation. Here, we have similar perceiving and learning capabilities as in the second wave, but we see much better reasoning and abstracting capabilities.
What this means is that for this third wave, we would expect to see systems that can explain their alerting and decisions, ultimately leading to a clearer understanding of causal factors, not just based on statistical correlation.
Ultimately, such a system would give us a better understanding of why it classified something as malicious or why it was okay. This provides more predictability for when a system succeeds or fails and drives towards more trust in that system. And with security, we want more trustworthy systems.
Our ML systems today have hundreds of inputs and no clear explanation for how they make sense of those inputs. As an example, here’s a simple attack that was made against a visual recognition system that made a stop sign look like a speed limit sign. If you asked an ML system why it thought it was a speed limit sign, you would struggle to get a comprehensible answer. But at this third wave, such a system should be able to tell you simply that it can differentiate a stop sign from a speed limit sign because the stop sign is red, octagonal, and at intersections.
It’s difficult to test machine learning models thoroughly, and they are easy to deceive or confuse. This presents challenging new security problems in and of itself. But when it comes to security use cases, it is doubly important that we get this right because it can undermine our ability to have security at all.
ML models are black boxes that can only be tested as a unified whole. They usually have a huge number of inputs, and so it’s not possible to thoroughly test even simple models with every possible combination, which leaves open the question of how an ML model will perform in a given situation.
And if you have adversarial behavior that is trying to actively fool the sensing and sense-making capabilities of our security products, then we have all the more reason to ensure that we have a better, more mature, decision making framework.
And so when it comes to the maturity of a decision making framework, let’s look at this last framework. Now, we homeschool our children, so in the process of learning how to teach kids, we also learned about this thing called the classical education trivium. It lays out the progression of how kids learn.
First, you start with the Grammar stage. This is where you just soak up facts and raw information. Think of it as the roots and the trunk of a tree. It sets the foundation for everything that grows above it.
Next, you go into the dialectic or logic stage. Here, it’s like the branches of a tree. It connects facts together and compares the truth of opinions to determine what is logically correct and what is not. This is also when kids really can start explaining why and how one truth connects to another truth.
The last stage is the rhetoric stage, when kids grow in wisdom and can convince and persuade others, having integrated multiple subjects and disciplines together.
Now if you remember, according to the DARPA framework, the ability to explain why and how happens in the third wave, which means, we’re not quite there yet.
Now, if you match these three stages of childhood learning to actual ages, you get this breakdown, where during the elementary school years, the focus is primarily on grammar with a little bit on rhetoric and a little bit on dialectic. This is also why some people call elementary schools… grammar schools.
In junior high school, we focus more on dialectic, and then in high school, we focus more on rhetoric.
But note again, if we need machines to be able to explain why and how, and our current technologies aren’t able to do that adequately, then we have to realize that our machines haven’t left elementary school yet.
Think about that for a moment. What kind of decisions are you comfortable in delegating to kids in that age range?
And to tie this to the OODA framework, when we compare these components to the abilities of children vs adults, we can see why we might want to take precautions when giving decision making and acting abilities to machines.
Looking more specifically at the comparison, consider that the decision making engine for children is the amygdala, which is fully developed at birth. This decision making engine is driven by fear, emotion, impulse, aggression, and instinct.
But for a fully grown adult, the decision making engine is the prefrontal cortex, and this is fully developed at age 25. (If you ever wondered why you can’t rent a car until age 25, that’s your hint.) It’s towards the forehead and it controls behavior, meaning that you can avoid having a tattoo on your forehead that says poor impulse control. It can prioritize inputs and provides impulse control.
Now, an amygdala for a decision making engine might be fine if one’s sensing and sense-making are clean and unpolluted, but let’s look at that as well.
For children, we have questionable inputs, like their peers, and memes, and social media. For adults, we might have similar inputs, but we’ve developed filters and better discernment of those inputs.
And then for our algorithms, anyone who has a teenager probably can agree with me that their sense making may not make much sense. But for adults, we should expect them to be rational and logical and be able to explain their logic.
So, consider now. With the current level of maturity in our machine learning systems and the type of hostile sensory inputs that we get from the Internet, and with unexplainable logic, what kind of decisions should we allow machines to make?
To put it another way, if you combine ML/AI with RPA, is the system going to mimic the behaviors of fully grown adults or teenagers?
Do we understand the behavior of these entities and do we have confidence that they will behave or make decisions in an appropriate manner? Where do we get that confidence from?
To understand how we can gain that confidence, let’s now look at some lessons learned and from these lessons, determine how we can gain confidence and trust in our systems, even if some of the elements that make up the system are not fully mature.
As a way to represent what happens when we lack maturity in a certain capability, I will depict the lessons learned as skipping steps in the sensing, sense-making, decision-making, acting process.
When we skip steps, we need more guardrails. Let’s look at each of these scenarios with lessons learned from the security world and the guardrails that we might need for each.
In this first scenario, we’re going straight from sensing to acting. This is like a reflex action, so basically like a stimulus response system.
Mention that we want to do automated patching and automated blocking from threat intel, but we should make sure we have these guardrails in place first.
Mention that there should be warning signs if there is no decision making called out.