Five years ago, the Strata Conference hosted a panel debating the value of domain expertise versus machine learning skills in data science. The machine learning side won. The debate continues today, and not just in data science: news of AI-powered systems on track to replace humans across most industries is now routine. In security, this contention usually takes the form of some new AI-powered tool that will single-handedly stop all digital attacks. While that would be a welcome surprise, security still requires a human in the loop, and not solely experts in computer science but people across a range of disciplines. Machine learning is not the only technological innovation that will shape security for the foreseeable future; human-computer interaction will also be key to truly innovating security and strengthening defensive resiliency. Building and applying these defenses will require all disciplines on deck.
The Data Challenge
Until relatively recently, the overwhelming volume, velocity, variety, and veracity of infosec data remained a natural, but underexplored, data science challenge. This has started to change and, as often happens, the pendulum has swung and is trying to overcorrect. Data scientist has been designated the sexiest job of the twenty-first century, and security is one area where both attackers and defenders are increasingly integrating data science. Data scientists are essential to tackle a range of security challenges, including malware classification, outlier detection, structuring the data pipeline, and even providing natural language query capabilities. Notably, most operationally successful use cases require some level of coordination between data scientists and domain experts. In semi-supervised and supervised machine learning, domain experts are necessary to ensure the features and parameters are properly scoped, to label data, and to help update and retrain the model. An underappreciated but vital role of domain experts is ensuring that data scientists address the key pain points for defenders. Domain experts also understand the biases inherent in the data (a noisy sensor, an over-represented host, a rule that fires constantly on one benign source) and provide the feedback that keeps algorithms from reinforcing those biases, while data scientists craft solutions that provide new insights for domain experts and serve as force multipliers for that expertise. In short, five years after that Strata panel, building defenses is not an either/or scenario: both domain experts and data scientists are key to innovating defenses.
The Usability Factor
Unlike most tech industries, security has yet to fully embrace the value of user experience and human-computer interaction (HCI). Instead, many interfaces remain clunky, difficult to use, or require proprietary scripting for even simple queries. Too frequently, users are berated for their inability to use the tools rather than the tools being made more accessible. Couple this mentality with a growing skills and workforce shortage, and it becomes exceedingly clear that improved HCI could have a big impact on security.
Fortunately, HCI is slowly creeping into security, prompting the integration of user experience professionals, visual designers, data scientists, and domain experts. For instance, alert fatigue is a well-known challenge for defenders, who must decide which of an ever-growing number of alerts to respond to first and which will end up being ignored altogether. A combination of data science, design, and workflow improvements could make this more manageable, for instance by enabling user-defined priorities, adding context such as asset criticality and analyst feedback to the ranking, and offering easier query capabilities. User experience professionals can interview and work with domain experts to enhance the entire workflow across a range of use cases. From improved tooltips to simplified data querying and visualization, more usable and intuitive interfaces not only optimize the workflow of current defenders; HCI can also make security more accessible to a broader range of defenders.
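To make the two preceding ideas concrete (domain experts scoping and de-biasing a model's output, and a triage queue driven by user-defined priorities and context rather than raw model score alone), here is an added example in Python. It is not code from the original post or from Endgame: the alerts, hosts, rule names, weights, and the scoring formula itself are all constructed assumptions for the demo. The point it shows is that the same four alerts rank very differently once analyst-maintained context (asset criticality, a rule-quality weight, a documented benign (rule, host) pair, and a priority host list) is folded into the model's score.

```python
"""Context-aware alert triage. Added example, not code from the original
post or from Endgame; all alerts, hosts, rules, and weights are constructed,
and the scoring formula is one simple assumed way to combine a model score
with analyst-supplied context."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    rule: str
    model_score: float  # 0..1, e.g. a classifier's confidence (assumed input)


# Context that domain experts supply and maintain (constructed values).
ASSET_CRITICALITY: Dict[str, float] = {"dc01": 1.0, "fileserver": 0.7, "kiosk-3": 0.2}
DEFAULT_CRITICALITY = 0.5  # unknown hosts are neither ignored nor inflated

# Analyst feedback on rule quality: a noisy rule gets a lower weight so its
# sheer volume does not dominate the queue.
RULE_WEIGHT: Dict[str, float] = {
    "powershell_encoded": 1.0,
    "new_service_installed": 0.9,
    "failed_logon_burst": 0.5,
}

# (rule, host) pairs an analyst has investigated and documented as benign,
# e.g. a kiosk with a stale service account that fails logon every minute.
# Suppressing them keeps a loud-but-benign source from biasing the ranking.
KNOWN_BENIGN: Set[Tuple[str, str]] = {("failed_logon_burst", "kiosk-3")}
SUPPRESSION_FACTOR = 0.1

# User-defined priority: hosts the defender wants at the top today.
PRIORITY_HOSTS: Set[str] = {"dc01"}
PRIORITY_BONUS = 0.25


def triage_score(alert: Alert,
                 asset_criticality: Dict[str, float] = ASSET_CRITICALITY,
                 rule_weight: Dict[str, float] = RULE_WEIGHT,
                 known_benign: Set[Tuple[str, str]] = KNOWN_BENIGN,
                 priority_hosts: Set[str] = PRIORITY_HOSTS) -> float:
    """Combine the model's score with context the model never saw."""
    criticality = asset_criticality.get(alert.host, DEFAULT_CRITICALITY)
    # Scale by asset value, with a floor so low-value hosts can still surface.
    score = alert.model_score * rule_weight.get(alert.rule, 1.0) * (0.3 + 0.7 * criticality)
    if (alert.rule, alert.host) in known_benign:
        score *= SUPPRESSION_FACTOR
    if alert.host in priority_hosts:
        score += PRIORITY_BONUS
    return score


def rank_alerts(alerts: List[Alert], **context) -> List[Tuple[str, float]]:
    """Return (alert_id, score) pairs, highest priority first."""
    scored = [(a.alert_id, triage_score(a, **context)) for a in alerts]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def rank_by_model_only(alerts: List[Alert]) -> List[str]:
    """What the queue looks like if the model score is the only signal."""
    return [a.alert_id for a in sorted(alerts, key=lambda a: a.model_score, reverse=True)]


def query(alerts: List[Alert], host: str = None, rule: str = None,
          min_model_score: float = 0.0) -> List[Alert]:
    """A minimal filter standing in for 'easier query capabilities'."""
    return [a for a in alerts
            if (host is None or a.host == host)
            and (rule is None or a.rule == rule)
            and a.model_score >= min_model_score]


# Constructed sample queue: the loudest alert (A2) is the documented benign one.
SAMPLE_ALERTS = [
    Alert("A1", "dc01", "powershell_encoded", 0.60),
    Alert("A2", "kiosk-3", "failed_logon_burst", 0.95),
    Alert("A3", "fileserver", "new_service_installed", 0.80),
    Alert("A4", "kiosk-3", "powershell_encoded", 0.70),
]

if __name__ == "__main__":
    print("model only :", rank_by_model_only(SAMPLE_ALERTS))
    for alert_id, score in rank_alerts(SAMPLE_ALERTS):
        print(f"{alert_id}: {score:.3f}")
```

Ranked by model score alone, the known-benign kiosk alert sits at the top of the queue and the domain controller alert at the bottom; with the analyst-supplied context applied, that order inverts. The context tables are the part a domain expert owns and updates, which is the feedback loop the Strata-style debate tends to leave out.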
Domain Expertise Still Required
Returning to the Strata debate, regardless of the best data science and usability improvements, domain expertise remains essential. This expertise extends both to the technical coding aspect of defense and to the analytic side. Malware researchers, reverse engineers, and experts in offensive techniques and exploitation are all essential for understanding and stopping adversarial behavior. Similarly, threat intelligence analysts are necessary for campaign-level insights and for identifying the objectives and intent behind attacks. Each of these, in turn, is also essential to ensure that data scientists and user experience professionals build the appropriate parameters and workflows into their work.
These are only some of the more technical disciplines where domain expertise will remain vital. Defense must also be viewed through a socio-technical lens, including the legal, policy, and privacy expertise required to establish the appropriate regulations, rules of the road, and protections necessary for stronger defenses. In addition, since every company is a tech company these days, organizations need cultural shifts in security awareness. Experts across a range of disciplines, from organizational theory to marketing to security, can work together to instill a security culture in ways that actually resonate with the workforce (as opposed to click-through trainings that are easily gamed).
Multidisciplinary Innovation for Better Defenses
In short, the path to better defenses is a multidisciplinary one, integrating innovations across a range of disciplines. From data complexities to usability to the proliferation of new techniques and capabilities, crafting better defenses is truly a multidisciplinary challenge. For the most part, security is still perceived as a career path only for experts in offensive techniques, which reinforces stereotypes and contributes to the workforce shortage. This is changing, however, as conferences such as O’Reilly Security bring together cutting-edge research across a range of disciplines to improve defenses. For instance, Endgame data scientists Rich Seymour and Bobby Filar will be presenting there next week on usable security, combining data science with user experience and domain expertise to address key pain points in the user workflow. Multidisciplinary and socio-technical solutions are increasingly the key to building stronger defenses, and they require perspectives, insights, and innovations from across a range of disciplines.