As hacking attacks become more prevalent and the cybersecurity industry continues to struggle with a shortage of skilled workers, the sector needs to rely more on automation and data sharing to let experts focus quickly on the hardest problems, says Chris Young, general manager of Intel Security.
"What you see, unfortunately, in a lot of cybersecurity shops today is that the humans are drowning in alerts," says Young, who is slated to remain at the helm of the security unit after it’s spun off next year under the name McAfee. (In 2010, Intel acquired the firm McAfee and the company has used the brand name for various purposes since, but Young emphasizes the firm has been unaffiliated with controversial founder John McAfee for many years).
In many networks, Young says, warnings and notifications fire from a variety of security products from different vendors, and the software tools often aren’t set up to communicate with one another. That means engineers need to spend valuable time connecting data from different sources themselves and determining what is and isn’t a threat.
"Right now the humans are the glue between the disparate parts of cyber infrastructure in many, many places," he says.
At the same time, the industry is facing a rising number of threats—"In our Q3 threat report, we’ve seen 125% increase in variants of ransomware, for example, year on year," says Young—and attacks against new types of targets, like the internet of things devices implicated in the recent record-breaking denial of service attack on infrastructure provider Dyn.
To help engineers devote more time to fewer, more complex security issues, Intel has developed what it calls the McAfee Data Exchange Layer, which lets products from different vendors directly share data with one another. The company has also developed a tool dubbed the McAfee ePolicy Orchestrator, which lets security workers gather data and change configurations for multiple security products from one interface. That helps avoid situations where customers need to separately configure scores of security systems across their networks.
"They may have upwards of 50 or 60 vendors that they’re using in their own cybersecurity infrastructure," Young says. "They all have their own management. They all have their own information repositories."
The idea may not sound novel to engineers working in other areas of information technology, where being able to configure multiple servers or software products through one visual interface or set of scripts is now relatively commonplace—and practically a cornerstone of the popular DevOps methodology. But such efficiency is still relatively rare in security, says Young, despite a skills shortage that networking firm Cisco estimated last year leaves more than 1 million security jobs unfilled.
"We’re not kind of fully caught up to the rest of IT," says Young. And as threats and hacking attacks get more complex, customers increasingly need to be able to coordinate their responses across multiple computers and cloud systems, he says.
"Threats are going to hit me at all different parts of their infrastructure, so I need to have an integrated response at all different parts of my infrastructure," he says.
Intel Security is also working to share its own data on security threats with rivals such as Symantec, Palo Alto Networks and Fortinet, through what the companies call the Cyber Threat Alliance.
And the company is increasingly integrating machine learning features into products to let automated systems detect and respond to more basic attacks and let engineers focus their attention on more complicated ones. Ideally, those statistically based tools can spot suspicious behavior and new variants of malware before they cause damage—and without risking engineers chasing down minor malware infections while bigger attacks are a more serious risk.
"If you can use the machines to deal with the volume so that the humans can focus on kind of the more difficult-to-detect attacks, that’s when you get the balance right," says Young.