Oracle Uses OpenWorld to Scare Us into Better Security

October, 2017

Fear can be a great motivator. Just in time for Halloween, Oracle spent the first week of October at its user conference spinning a tale of fright designed to sell its latest database and security offerings.

“Companies are losing the cybersecurity war,” said Oracle CTO and founder Larry Ellison. “Patching is hard,” said CEO Mark Hurd, “and failing to patch can put your entire company at risk.” Spooky words such as “Equifax breach” echoed through all of the OpenWorld conference.

The thing is, these horror stories are true. IT security is the boogeyman that keeps smart CEOs awake at night. Whether Oracle is the company to save us from the malware that goes bump in the night depends on your feelings regarding automation and machine learning.

AI and Machine Learning the New Ghostbuster
Oracle’s biggest announcements from this year’s OpenWorld were a fully autonomous “self-driving” database, designed to eliminate human error and downtime, and a “mostly automatic” security offering called Oracle Security Monitoring and Analytics Cloud, to make security easier and reportedly better. Both rely heavily on automation and machine learning to augment (or in some cases replace) human intervention to better patch, maintain, monitor, and repair anomalies and vulnerabilities. They are both designed to solve major problems facing IT organizations right now—untimely patching and slow human responses to threats.

Both Ellison and Hurd emphasized that most breaches occur after a security vulnerability has been identified but before the company can fully patch it. Hurd pointed out that the recent Equifax breach occurred two months after a patch was available for a known problem. However, Equifax had not gotten a chance to fully patch its systems, though they had begun the process. Hurd pointed out that he has spoken with companies that often take six months or even a year to catch up with a patch’s release. Given the delay, companies can leave themselves vulnerable.

The self-driving database boasts among its selling points that it is designed to patch itself automatically without any downtime (as well as the ability to clean data, tune itself, and perform other duties usually done by humans). The Oracle Security Monitoring and Analytics Cloud links to the Oracle Management Cloud so that a clearer picture of all IT assets can be obtained. If one instance of an application is patched, it will go on to identify all other instances of the application for patching as well. It also uses machine learning and artificial intelligence for security incident management and constantly recommends potential solutions for remediating security threats.

Data Analysts Move Like Zombies
“Our vision for security and management is simple,” said Ellison during his keynote. “We need all data in one place. We need purpose-built machine learning that can be used by security and operations professionals, not data scientists. We need automated remediation that does not require human effort.”

Ultimately machine learning and AI should respond better than people do to security threats. People are slow. They simply can’t take in the vast amounts of data coming in from varied sources. Ellison compared it to the autopilot on his airplane, which, he said, is a better pilot than he is.

And there’s the catch.

There will be a day when machines are better than humans at security. Just like there will be a day when cars are better at driving themselves than with humans behind the wheel. But there is a reason pilots still fly planes and people still drive cars. It is an open question whether the day has arrived that machines are ready to drive. And it is an even more open question as to whether humans are ready to let them take the wheel.

Juan Loaiza, SVP of systems technology for Oracle, summed it up best in a briefing on the self-driving database when he said that they knew that they had to make a self-driving database that was significantly better than one driven by humans. “No one is going to buy a self-driving car that drives you off a cliff,” he said. “We have to make a database that is more safe and more available.”

Ghost in the Machine
For Oracle’s ghost stories to work well enough to sell product, Oracle needs to prove that self-driving systems are better than human-driven ones. They can say they save money and are safer and faster all they want. But someone is going to have to let them drive. Much as the major objection to the cloud in early days was in giving up control, we’d expect customers to be reluctant to hand the wheel of their database and major security functions to a computer. Control, or at least the illusion of control, is a major sticking point for humans.

Oracle’s toughest task is likely not convincing people that security is a big deal or that their offerings are cheaper because of AI. Its biggest task is going to be in convincing enough early adopters to be part of this experiment. As with Frankenstein, a lot of whether a creature (or an application) is a monster has to do with the brain you put inside it. And not everyone is going to be willing to be the first to find out if Oracle has built a good brain.
