Charles Schmidt discusses Mitre’s plan for encouraging new standards within AI security tools

As the pool of available security analysts continues to be stretched thin, many companies are turning to automated tools to protect their systems.

But the growing use of automated software has raised a new question: should artificial intelligence be trusted to look after security?

The answer, at least according to the US government, is yes – albeit with a few limitations in place.

“The ultimate goal is to improve the security of automation, and that involves several things,” Charles Schmidt, group leader at the Mitre Corporation, told The Daily Swig.

Schmidt was speaking at the AppSec Europe conference in London last week, where he discussed at length the organization's plan for a meta-standard to be employed across the industry.

Mitre, a not-for-profit organization that operates federally funded research and development centers, is working with the US government to create a framework for adoption by vendors of automated security software.

Those vendors include any company that produces automated security software, from vulnerability scanners to intrusion detection tools.

Schmidt told the audience: “Why is the US government involved in working in security automation standards?

“Well, I’ll jump to the reason you’ll probably believe – they’re in it for themselves. They’re having the same problems the whole industry has, in that they don’t have enough analysts.”

An increasing number of companies in the US and beyond are relying on automated tools to carry out routine security checks, making the demand for guidelines or standards more urgent.

This is where SCAP (pronounced "ess-cap") plays its part: it gives these tools a common, machine-readable way to express security checks and their results, so that products can be measured against a shared baseline of known vulnerabilities and configuration weaknesses rather than each vendor's private notion of what a finding is.

Mitre aided the launch of the Security Content Automation Protocol in July 2010.

The protocol is specified by the US National Institute of Standards and Technology (NIST), whose National Vulnerability Database (NVD) publishes SCAP content. It uses specific standards to identify security flaws and measure their impact, which helps organizations prioritize the vulnerabilities their tools report.

Component standards in the protocol include the Common Vulnerabilities and Exposures (CVE) list, which gives each publicly known flaw a single identifier, and the Common Vulnerability Scoring System (CVSS), which scores its severity, alongside checking languages such as OVAL and XCCDF that describe how a tool should test a system.

SCAP 2.0

As Mitre prepares to launch an updated version, SCAP 2.0, in the coming months, we spoke to Schmidt about the hurdles the organization faces in persuading vendors to implement it.

One of these barriers is that, at present, most vendors interested in adopting SCAP are doing so because the US government requires compliance before it will purchase their software.

Schmidt told The Daily Swig after his presentation: “In SCAP 1 the vendors were very much partners in this, they were wonderful, they provided feedback, they helped us define it.

“But they raised some legitimate concerns – one is they need to have the demand for the standards.

“The US government likes to think that it’s a huge purchaser and it can dictate [which standards need to be employed], but vendors will tell you the global market is so much larger.

“So they need to hear users asking for the features.”

He added: “We need them involved in the conversation to create those standards.

“And so we tried to get them to come to the table and give their input so they can say, yes, that’s a realistic expectation of our products, or no, if we do that our products are going to be $300 more expensive per unit and no one is going to pay for that.

“They sort of keep us grounded in reality.”

Mitre is barred by law from competing with vendors and cannot market products or software, even those it has invented.

This puts it in a strong position to build relationships with vendors who would be unwilling to discuss security issues with competitors.

Those relationships let Mitre hold open conversations with some of the security industry's main players, something Schmidt says the organization values highly.

He said: “It’s very important. We like to describe ourselves as a trusted third party, and a lot of Mitre’s value is because we can engage vendors.

“They can talk to us and the government can talk to us in a way they can’t talk to others.

“As far as Mitre’s concerned, we view that sort of conversation, the honest feedback from the government, the honest feedback from these corporations, as very important.

“Because at the end of the day we can create the most wonderful standard in the world but if it’s not commercially viable, it was an academic exercise.”