The Difference Between Security Trick Plays and Security Fundamentals

I like watching great football plays on YouTube, but I especially like watching trick plays where players sell some sort of deception so their opponents take their eyes off the ball. Trick plays make great video clips and can win a football game if deployed at the right moment, but there’s a reason “blocking and tackling” are the fundamental skills, tasks, and roles necessary to function. A team can win a football game without trick plays, but show up without “blocking and tackling” and you’re going to have a bad day. I bring this up because sometimes we confuse the trick plays with the fundamentals, and we do so at our own peril. That does not mean trick plays are bad or not helpful; it just means we can’t forget about the “blocking and tackling.”


These days we hear a lot of hullabaloo about machine learning (ML), and with good reason. However, it’s quickly becoming the “trick play” of security, the flashy new toy that leads people to overlook the “blocking and tackling” fundamentals.

Life in the information age yields unprecedented amounts of data to use for training, mining, and predictive analysis. While that data contains a significant amount of noise, many businesses have arisen from finding and leveraging hidden useful signals. All of the big tech names (Google, IBM, Microsoft, Twitter, Apple, Facebook, and Amazon) have significant ML projects. Generating and, more importantly, processing large data sets has become more practical recently thanks to the continued adherence to Moore’s law and the adoption of cloud computing models. It does not take an advanced degree to see the significant real value derived from ML and extrapolate the reasonable expectation of even more value in the future. The reality is that ML is still a “trick play” in the cloud security space and not a fundamental requirement for security teams.

The saying goes that when you have a hammer, everything looks like a nail. That holds true with ML. If we have something that generates a lot of electronic data, then we assume machines learn from that data and produce meaningful results. That’s not always the case. I look at the wealth of advertising data I give to various internet companies and wonder why they still cannot give me a decent advertisement for a product or service I might consider buying during my lifetime. Unfortunately, ML is not some magic wand or silver bullet that we can wave at a problem and suddenly prove that P=NP. The reality is that it’s a subset of artificial intelligence, and it still has limitations.

Spend a little time looking at artificial intelligence headlines for context:

That’s a sampling of the cautionary drumbeat over the last few years. It’s also an explanation of why the conversation has moved on from “artificial intelligence” to “machine learning” or even “deep learning.” Regardless of the name, it’s still the same old over-hyped solution.

If ML represents the trick plays of cybersecurity, then we need to figure out what represents the “blocking and tackling.” We will be diving into proper cybersecurity hygiene in future posts as part of our series on operationalizing security. For now, I recommend taking a look at what Heather Adkins, Google’s head of security and privacy, told CNBC: “ignore cyber scare tactics and learn from history.” She points out that companies continue to ignore the fundamentals, and so they continue to fall for the same old tricks. Rather than finding vendors and tools that help with the trick plays, I recommend that you find vendors and tools that help with the “blocking and tackling.”

My first programming job consisted of writing Perl scripts to clean corpora for language models of speech-to-text software. I did not understand it at the time, but I was part of a machine learning pipeline back in the 90s. We can now see, two decades later, how machine learning has completely solved the speech-to-text problem. Just hold on a few seconds while I get my Google Home to play the Avengers theme song for my son. No, not that song. No, not that one either. I said “A-VEN-GERS.” No! Grrr.

*** This is a Security Bloggers Network syndicated blog from Blog – Threat Stack authored by Nathan Cooprider. Read the original post at: