Channel: Blog – eForensics

“Incredibly exciting time for the security industry” – Interview with David Coallier, founder of Barricade


Barricade is an innovative security company based in Ireland. Their solutions are built on machine learning and artificial intelligence, in a successful attempt to democratize and simplify security. You can read all about them on their website. You should also follow them on Twitter, @barricadeio.

We have talked with David Coallier, the founder of Barricade. We asked him about machine learning, artificial intelligence, problems of the current shape of the industry and issues of the future.

Take a look!

 

[eForensics Magazine]: Barricade works so well thanks to artificial intelligence. Can you explain how the system differentiates between normal and malicious activity? Is it just statistical similarity to other events, or is there something else to it?

[Photo: David Coallier, photographed by Kevin Abosch]

[David Coallier]: We use various techniques for judging and ranking the accuracy of our results.

The first part is all based on statistical similarities. The second part is a comparison with known signatures. Whilst we don’t believe signatures to be efficient in the modern world of security they do serve a purpose for us which is helping the machine learn about known malicious behaviour.

We also randomly select sequences of interactions and we manually review them. We use the term sequences of interactions a lot because we inspect the whole behavioural lifecycle of an actor and groups of actors.

For instance, if ten attackers are distributed around the world, based on their behaviour they might end up being clustered in the same group. We look at the type of requests they make but we also inspect the responses of the servers they are attacking. Because our intelligence does not happen on the customer’s servers but on our side we also get access to much larger computing powers and ultimately a holistic view of an actor’s behaviour over her whole lifespan.

[eFM]: Does your system ever seem creative in the way it learns?

[DC]: It is quite funny to see the divergence of opinions it has with us about what might constitute abnormal behaviour. Even though we are influencing its learning and inflicting bias (not unlike a parent), most times the engine discovers very small behavioural changes that we don’t catch and in a sense has its own opinion of what the world looks like (not unlike a child growing up).

An interesting fact is that many of our learning models are based off of the insurance industry with survival and risk modelling. Some other models are taken from the financial industry (lots of transactions all the time), others are borrowed from the computer vision and biology fields. There are plenty of really clever learning techniques in various fields that can be used.

[eFM]: What was a bigger challenge: finding models that fit in your idea or integrating them together? Have you ever had a situation when two learning models were just not compatible?

[DC]: We have incompatible data models all the time and that’s where domain expertise comes in as well as weights. We run a lot of different predictive models for a single decision.

Every predictive model used in a single decision is assigned an importance-value (similar to human biases). This is the engine’s belief system. If two, three or five models disagree, their importance-value decides which model has more clout than the others. The weights are dynamically assigned based on statistical analysis and fit of the data to each model.
A better fit means a stronger belief.

[eFM]: Do you think artificial intelligence and machine learning are the future of security? Is processing speed enough to outrun hackers’ creativity and win the cybersecurity arms race?

[DC]: There’s no doubt about it and this is where we’re going. One of the biggest problems the security space faces is the massive divide between the security functions and the operations function of the organisation. The processing power is there, methods can be borrowed from other fields, and we now understand that design is primordial to products. It shouldn’t be about outrunning hackers’ creativity but more about developing systems that learn new behaviours in real-time and present findings to the users in a meaningful and non-obtrusive manner.

[eFM]: Do you think that this divide demands a major reorganizational effort to fix, or will changing our attitudes suffice?

[DC]: This is a question that I ask myself quite often and always come up with the same answer.

The problem is not the organisation’s attitudes. We, the security industry, are the problem.

We must provide the developers and operations with better products for instance.
We must build products that integrate with other tools that are part of the everyday toolset. We must redefine the pricing models and user interfaces.

By providing the organisations with much more intuitive products and making security accessible in lieu of exclusive, the attitudes change. As simpler products are provided and more people adopt them, the risk-awareness, the culture of the organisation starts shifting, and the attitudes will change.

The security industry is in a place not too dissimilar to where computing was only a few years ago in the sense that you had to be an expert to run, manage, monitor and fix servers. Products came along and provided the IT industry with an alternative, something much more accessible and approachable. I believe security to be in a similar situation at the moment and it’s all up to us to make the transition.

[eFM]: Barricade’s philosophy states that security is a strong differentiator between companies. Can you elaborate on that point?

[DC]: The answer is twofold.

The first is that by investing and developing a security-aware culture it shows your customers that you care about them. You care about their information, you care about their families, their lives. Some of them are paying money for your services; the least you can do is treat them with respect. It also tells them they can depend on you for running their businesses, or sharing private pictures without being scared of seeing this information sold on the internet.

The second part is that a correctly implemented security will increase specific things like business uptime, security tools can help you resolve issues in a faster manner, and will again provide your customers with confidence and loyalty in your service.

It should always be about the customer and the respect of the customer. Security increases your product’s quality, ultimately driving up customer loyalty.

[eFM]: Agreed, but at the same time the main factor of competitiveness remains the price of your services. Do you think that does not apply to security, or maybe we should start thinking about it as Security-as-a-Cost-Saving?

[DC]: It completely applies to the security industry. In fact cost is a direct reason why so many SMEs [small and medium enterprises – edit MS] are left in the dark. They can’t afford the upfront contracts or they don’t have the technical skills necessary to use these expensive products. There are new pricing models nowadays that can be leveraged. For example, our pricing is based on traffic.

A customer that has more servers will pay more than a customer who has a personal site with very little traffic but they both benefit from the same computing power and same probabilistic models.

There are other pricing models which are also very beneficial to the customer and allow the business’ costs to grow as they grow. It’s evident from the number of SaaS [Software-as-a-Service – edit MS] Security products coming into the marketplace that new and refreshing models are greatly appreciated and adopted. Seeing the incumbents trying to adapt their pricing models to reflect that trend is another strong indicator of the readiness of the market and the industry.

[eFM]: Are you worried about the unavoidable issues with security in the age of the Internet of Things?

[DC]: I’m not worried at all. I’m excited! I’m more than excited in fact, I don’t think the Internet of Things can become mainstream if security isn’t intrinsically built into it.

The problem with the security industry at the moment is that its products are geared towards security analysts and security experts. Only a new breed of security companies will be able to make the Internet of Things secure and security available to the everyday person. This is a very exciting time for the security industry as a whole, scary for many incumbents as well.

[eFM]: Is there something generally misunderstood about cybersecurity among the people you talk with?

[DC]: The biggest misunderstanding I see is that people think security is hard or that it simply doesn’t work. This is a symptom of an industry which consists only of products made for analysts and security-savvy individuals. Security is hard, yes, but managing security shouldn’t be hard.

[eFM]: How about among the companies you work with?

[DC]: As we’re mostly selling to SMEs we talk to a lot of teams without security experts, we hear some very interesting opinions. Many small and medium businesses don’t seem to think they are at risk if they don’t process payments. Another common misunderstanding is the “too-small-to-be-hacked”. To us however the biggest misunderstanding is the belief that security is a scary thing. It seems as if the security industry has been inadvertently fearmongering for many years and often-times this has prevented the security discussions from happening within organisations.

We don’t like that and are really working on making a difference in the industry by allowing businesses to understand that security is serious, but if you are prepared, have testable, automated security as well as clear visibility into what’s happening then you are ready to respond to security incidents in a much more mature manner.

One way to achieve that, and that is what we believe in, is by making security issues as natural as software bugs. Software bugs are still annoying but they are easier to deal with because people have been provided with tools to allow them to prepare, get notified, identify, prioritize, test and fix these issues in a continuous manner. Security should be a natural part of operations and businesses rather than a side-function.

[eFM]: Do you sometimes get the impression that some companies are not so much scared of security, but simply surprised that it’s a thing they should think about?

[DC]: You are completely right. A lot of people just aren’t aware of the importance of their assets, their data and their reputation. A lot of people put the security discussions aside because they are usually very uncomfortable due to the traditionally high associated costs and the perception people have of the security industry. Moreover, security is rarely at the top of the priority list for most companies (until something happens). Again this calls for a new breed of security products that will allow people to get started with their security really easily, and have these products fade into the background and not be distracting.

It’s an incredibly exciting time for the security industry!

[eFM]: What would be a perfect security system: a simple or a complex one? Barricade is one of the simplest systems to use, but the technology behind it is quite complex – if not complicated. Is there a one-size-fits-all solution?

[DC]: To us it’s quite simple. For security to be used more broadly, the products need to address the non-security experts. I don’t think there’ll ever be a one-size-fits-all security product but for instance we’re working on helping businesses prepare and respond to incidents in a more positive manner. An example from our product is when we detect something we give you a recommendation on how to fix it and what that recommendation does. A second example is that when you implement one of our recommendations, we’re giving you a discount on your monthly cost. We call that progressive pricing. The idea is that you should be able to use security products regardless of your level of security knowledge, whether you are an expert or you know very little.

[eFM]: What conditions should security systems fulfill in order to be effective in today’s world?

[DC]: The application development lifecycle has changed a lot in the last few years. The security systems need to be focused on the user-experience at every level from simplicity of installation, to having upgrade paths, have simple pricing structures, be real-time and more importantly they should not be an impediment. Forcing users to use new “security” tools for notifying and managing their incidents is not right. For security products to become an intrinsic part of the ecosystem, they need to integrate with existing technologies like PagerDuty, Slack, HipChat, etc. The tools used by the developers and operations teams shouldn’t have to be changed.

By making security simple and positive, people won’t be scared of security. Whilst they’ll understand it is serious, they’ll also understand that it is possible to deal with security in a responsible manner.

[eFM]: What is the single most important thing you’ve learned about cybersecurity and would like to share with our readers?

[DC]: You will go through security incidents and it’s ok. It’s part of today’s world. Just be prepared, find tools that don’t waste your time, and try and build a risk-aware culture by encouraging good security practice. If you are a business, find products that will grow with you; if you are a customer, use products that have strong security practices.

Be responsible.

[eFM]: Thanks so much for talking with us! 

