The Programmable Defense

Security Engineering & GenAI Might Spell the End of the Security Black Box Vendor As We Know Them.

Hackers are just like us: they don't really want to do the work. With the introduction of LLMs into our lives, it became immediately clear that there was a huge gain in labor productivity to be had for all knowledge workers. In the arena of cybersecurity, this has ushered in a new era in an industry where there is already a massive labor shortage to begin with. Of course, the opponent on the other side of the field (or rather web) is not sitting idle. Threat actors have already started to experiment with AI to supplement or enhance their own attack campaigns. And so, much like the ease at which we can now generate essays or complex documents using tools like ChatGPT, the barrier to entry for hackers orchestrating cyber attacks has plummeted. This has led to a significant uptick in both the variety and volume of cyber threats. This phenomenon is already evident today in areas such as phishing, which is up 967% since Q4 of 2022, or endpoint security, where a ChatGPT-based Polymorphic code was able to evade EDR systems. As we enter this new AI-fueled era where hackers are utilizing these new tools, security engineering, a discipline that focuses on detecting malicious activities or unauthorized behaviors, will become more important than ever. 

Modern security organizations have invested heavily into building out personnel and tooling in that department. A member of the Decibel early adopter community –a global banking institution – stated that they were analyzing over 1 petabyte of security data per day with over 1000 security engineers working in the organization. For organizations with limited budgets for direct investment in security engineering, vendors such as Arctic Wolf and Expel have provided assistance. The commercial success of these companies, both having valuations of $4B and $1B respectively, underscores a trend: customers are increasingly seeking security engineering solutions, whether in-house or through outsourcing.  

As the enemy upgrades its arsenal with a broader range and variety of AI-based attacks, it becomes evident that security engineers will need new tools to counter these threats effectively. The traditional reliance on vendors for updates and patches is becoming increasingly untenable in this rapidly evolving landscape. The burgeoning field of security engineering had embodied this shift towards adaptability and self-reliance long before the AI hype cycle, but against the plethora of attacks GenAI might unleash, security teams are craving control, transparency, and explainability over their defensive measures more than ever.

In the following, I wanted to explore a few of the product principles that might be incorporated into the next generation of security tooling and how they might spell the end of Black Box type products as we know them. 

Vendor Bottleneck vs. Adaptability, Transparency & Explainability

It is unsurprising that the sheer volume and variety of email attacks has drastically increased with the adoption of LLMs by hackers. This in turn has prompted email detection teams to take a more proactive stance to keep their inboxes safe. In a vendor-dominant world, customers might find themselves queueing up to get critical security issues addressed, especially if they're not deemed 'important' customers. 

Custom detections by Sublime Security 

Sublime Security has emerged with an alternative approach, offering a unique solution to email security. By allowing detection teams to write, run, and share custom detection rules to threat-hunt phishing attacks, Sublime enables a level of customization and transparency that empowers defenders to respond swiftly to phishing attacks. This open platform approach not only facilitates rapid adaptation to newly observed phishing techniques but also fosters collaboration across organizations, effectively democratizing the fight against email-originated threats. The more detections are contributed by Sublime’s users the more effective the system becomes.

Us Against Them: Community vs. Vendor System

The battle against cyber threats—be they from nation-states or hacker groups—is more effectively fought as a collective rather than in isolation. Security practitioners have long congregated in digital forums like Slack channels, Twitter, and HackerNews, sharing insights and strategies, but implementing them uniformly has always been a challenge. As Mike Schwartz, former Cybersecurity leader at AWS and Target, pointed out to me, “the implementation of this shared knowledge often hits a wall at the product level because everyone has different vendor tooling and thereby can’t be implemented in a prescribed way”. 

Community Rules by Semgrep 

The Semgrep community exemplifies this proactive stance, swiftly sharing code fixes in response to new Common Vulnerabilities and Exposures (CVEs), underscoring the importance of agility and collaboration in modern cybersecurity efforts. This highlights the need for a community-first approach, where enterprises can unite, speak a common language, and implement solutions directly, without being hampered by vendor bottlenecks. Just based on the sheer volume of vulnerabilities that exist today, this is needed more than ever. 

One Size Fits Most vs. Control & Customization

The belief that a one-size-fits-all security solution is effective is becoming increasingly impractical. Modern IT ecosystems, characterized by their complex cloud infrastructures, containers, and continuously evolving attack surfaces, demand a security approach that goes beyond the limitations of traditional, generic solutions. 

Custom checks & dashboards by Prowler 

Within this context, Prowler emerges with an interesting solution, specifically engineered for AWS environments. It distinguishes itself by offering a suite of tools designed for comprehensive security assessments and audits, enabling organizations to conduct in-depth analyses of their own AWS configurations against best practices and compliance standards. By allowing users to customize checks and adapt security configurations to their unique operational environments, Prowler facilitates a more open and granular approach to cloud security. This capability is essential for effectively managing the intricate requirements of today's IT infrastructures, ensuring that security measures are as nuanced and dynamic as the ecosystems they protect. 

Conclusion

As we stand at the cusp of a new era in cybersecurity, it's clear that the traditional vendor-reliant defense mechanisms may not suffice against the sophisticated, AI-driven offensive tactics that are emerging. The future of cybersecurity lies in transparent, programmable, and community-driven systems that can serve as first-party data for a future autonomous defense. This approach will allow our future products to dynamically adapt and respond to new forms of attacks. Tools like Semgrep, Sublime, and Prowler are only a few examples of this trend, providing platforms that not only foster community collaboration, but also enable the tailored, flexible defense mechanisms that tomorrow's security landscape will likely demand.