From patch management to outfit management (OFMa)

Shay Shabtai, Rescana Chief Strategy Officer

It’s good enough but not enough

The best of the best of the cyber security ecosystem has gathered to publish an Expedited Strategy Briefing on the AI Vulnerability Storm. The trigger for the effort is Anthropic’s new Mythos capabilities for discovering new vulnerabilities at massive scale.

The writers see it as a major leap in the ability of AI to deliver the ‘3 Vs’ (Velocity, Volume, Variety) of vulnerabilities, beyond the response capabilities of current cyber security efforts. This means that the bad guys may have access to a tool that can give them significant leverage in cyber attacks.

The briefing goes on to suggest an impressive set of Priority Actions for a Mythos-Ready Security Program. These include, among other things, using powerful LLM tools in-house to screen organizational code and detect vulnerabilities before the attacker does, accelerated and advanced mechanisms for threat and risk analysis and mitigation, a patch management process ‘on steroids’, hardening the environment with segmentation and zero trust approaches, and enhanced incident response capabilities.

The positive debate that has arisen around the briefing - with some accomplished cyber security experts commenting - is focused on the question of whether Mythos is a tipping point in terms of the vulnerability detection threat arising from LLMs. The commentators might be right in their observation that it is not. Yet. But it seems that the discussion should focus on another point.

Humans can’t beat machines

The main gap in the briefing may be that the proposed mitigation efforts are too human-orchestrated. Generally speaking, humans can’t beat machines: manual processes, even if heavily automated, will not be able to keep up with rapidly improving machine-based progressions.

As Guy Halfon, CEO of Rescana, reflected on X: “Once highly capable, AI-augmented attackers enter the field, the idea of holding back and relying on manual vulnerability patching stops being viable”. Mythos may not be the turning point (there might not even be a recognizable one), but the trend of machines defeating humans in patch management is irreversible. The wake-up call may be, as it generally has been, a super cyber attack based on the new capabilities.

So we are back to the drawing board, and as the famous quote attributed to Einstein says: “We cannot solve problems with the same thinking we used when we created them”.

A maybe new idea (maybe): OutFit Management (OFMa)

So, the notion that AI created the problem and AI will fix it may not be enough. We need a new kind of cyber security approach. As ‘Patching’ is a term from clothing, let’s get back to fashion and adopt another term: ‘Outfit’.

Think about your shirt. If you patch it too much, as is now needed because of the massive amounts of AI-driven vulnerabilities, it will lose its shape and no longer look like a proper shirt. But if every time you have a problem with your shirt you can adjust it into a new outfit, you may even benefit from the process (people will compliment you on your new outfit…).

What does this OutFit Management (OFMa) actually mean in terms of cyber security? I invite all the cyber geniuses to reflect, invent and then make a lot of money…

It seems to me that the way we look at the development and maintenance of software should fundamentally change: instead of only looking for vulnerabilities (something we will have to continue doing anyway), we should create more robust software and protocols that are essentially indifferent to them, or that have enough layers of security to absorb them.

OFMa must include TPRM

As Guy Halfon wrote in his comment: “A secondary effect is on infrastructure… on-prem environments could become economically unattractive, pushing more organizations toward fully managed or AI-optimized cloud setups”.

Organizational OutFit will most probably be heavily based on AI and cloud solutions. This means that its management must include third-party risk management (TPRM) considerations.

Cyber security is waiting for an OFMa Eureka.