A growing number of computer security thinkers, including myself, think that in the very near future, most computer security will be machine versus machine--good bots versus bad bots, completely automated. We are almost there now.
Fortunately or unfortunately, I don’t think we’ll get to a purely automated defense for a long, long time.
Today’s security defenses
Much of our computer security defenses are already completely automated. Our operating systems are more securely configured out of the box, from firmware startup to the operating system running apps in secure hardware-enforced virtual boundaries, than ever before. If left alone in their default state, our operating systems will auto-update themselves to minimize any known vulnerabilities that have been addressed by the OS vendor.
Most operating systems come with rudimentary blacklists of “bad apps” and “bad digital certificates” that they will not run and always-on firewalls with a nice set of “deny-by-default” rules. Each OS either contains a built-in, self-updating, antimalware program or the users or administrators install one as one of the first administrative tasks they perform. When a new malware program is released, most antimalware programs get a signature update within 24 hours.
Most enterprises are running or subscribing to event log message management services (e.g., security information event monitoring, or SIEM), that aggregate security events, report on them, and maybe automatically implement corrective actions (i.e., “self-healing”). Each of these protective services gets better and more accurate over time.
Tomorrow’s security defenses
Operating system vendors are working to provide even more automated security in the near future. One of the most daunting tasks for any enterprise admin is to make sure all the computers and devices under their control are securely configured and stay that way over the long run. Most enterprises already have software programs that inventory and control system security configuration settings. What is changing is that OS vendors will let trusted third parties, which have a better and more up-to-date understanding of the current security climate, more easily configure everyone’s computer.
The customer will subscribe to a cloud-based service, which will completely manage the security configuration of their devices. It’s already offered and happening today, but most of the services aren’t overly sophisticated. Many of these services manage only a few dozen settings. This is quickly changing. In the near future, I expect customers to have dozens of sophisticated configuration services to choose from with myriad configuration options. Your people will likely not be making most of the security decisions. That’s what you’ll be paying the managing vendor to do.
Another change will be more timely updates of security configurations based on current security conditions. Today, the security configuration managers can take weeks to respond to a new, growing threat. In the near future, when a new security threat is noticed, the necessary defensive configuration changes will likely be pushed out in a few hours. If a new ransomware or advanced persistent threat (APT) becomes known, it will be put down in hours well before it can do your organization harm--not just at the antimalware signature level, but at all the places (e.g., firewall or blacklisting) that are needed to put down the threat.
Good AI-driven bots will travel and scour your network looking for badness and misconfigured computers. If your device is compromised, expect that device to heal itself. It will back up your data, if needed--probably not because it’s protected in the cloud--and then restore the OS to the last known uncompromised copy.
Future battles: hacker vs centralized security services
Because so much of our computing infrastructure will be protected and controlled by well-informed, cloud-based decision makers, the malware and hackers of the future will be forced to fight the centralized services first and foremost if they ever hope to spread. They will probably subscribe to these same services and look for holes, or subscribe to a malicious service that belongs to multiple services and looks for and sells weaknesses, much like some services do today fighting the accuracy of VirusTotal.
This is where the future defense and attack scenarios start looking very machine versus machine. Our future defenses will be more centralized, coordinated, and automated. The hackers will have to do the same thing to stay ahead. If they don’t automate as much as or more than the defensive services do, they won’t be able to do as much badness.
Hackers and malware will turn to automation and AI just as much as the defenders. When the defenders block the malicious thing that was being successful a few minutes ago, the malicious automated service will have to quickly respond. Whomever’s AI is better will ultimately win.
Humans will never be completely out of the equation
Since the beginning of computers, human-based compromises such as social engineering and phishing have been among the top computer threats. It has proven very difficult for any software or hardware solution to stop humans from making bad security decisions. If it was easy, we would have defeated these types of threats decades ago. Instead, we will continue to rely on end-user education to varying extents, possibly forever.
Will Skynet become self-aware?
Unlike Elon Musk (what does he know?), I don’t worry about artificial intelligence (AI) and automation being a huge threat to humanity. Sure, as we become more centralized about security and configurations, a single mistake can take out more computers than ever before. We’ve already seen similar instances where a large antimalware scanner mistakenly removes a critical operating system file. We occasionally have these misfires, they cause a temporary interruption, and we learn and move on. Over the longer time horizon, occasional mistakes are worth it for the protection we gain in return.
It’s important to realize that greater, more centralized computer security solutions are likely to be part of your future computer security career and decisions. Just like email and your applications moved to the cloud, so, too, will your computer security.