Cybersecurity is always partly a competitive race between attack and defence. If the defence spends a lot of time on tedious, constantly repeating tasks, it invariably ends up playing catch-up. Security automation promises to remedy this: the machine performs tasks without needing human support, at its own speed—thereby shortening the time window between a successful attack and its discovery. In short: without automation, the race is lost.
Why invest now, and why in this product category? Every managing director and every corporate CIO and CISO is familiar with these questions. In the case of security automation tools, the answers are quick to find: “now”, because it is already getting very late if your own organisation has not yet automated. “Why”: because automation is absolutely necessary. Without it, cybersecurity teams will find themselves helplessly lagging behind.
Cybersecurity has long been a battle of equipment: giant, complex networks with a huge number of possible points of entry are pitted against a mix of attackers working with a deliberate focus and automated vulnerability scanners able to shake down the entire internet within a few hours. That’s why practically every organisation is already equipped with security components such as (next-generation) firewalls, intrusion detection systems / intrusion prevention systems (IDS/IPS), proxy servers etc.
What many business managers fail to appreciate is that all these components produce gigantic volumes of log files which, somewhere, may contain the hidden indicators of someone probing for a way in or even successfully penetrating the system. For human cybersecurity experts, wading through these logs is massively tiring—not to mention the fact that very few companies have anything like enough of these experts in-house. On top of this, the systems often do not work together, and it is down to the human operator to copy data from one piece of management software to another using copy & paste—a time-consuming exercise that is susceptible to error.
For these reasons, the human component needs to have the machine at its side. With no sign of fatigue, it digs tirelessly through the logs and threat intelligence data flows. In the ideal scenario, it recognises successful attacks (attacks that have already made it beyond the firewall and onto a computer) autonomously. Depending on the maturity of the automation solution, its manufacturers also promise to clean up the consequences of the attack without requiring human intervention (incident response). If the tool is unable to perform this, for whatever reason, the more modern tools will at least evaluate the incident and advise their human fellow combatants what needs to be focussed on first.
Moreover, human analysts are then able to tackle from the outset those suspect cases where the situation is not clear-cut, thereby reducing the number of false positives. A further benefit of automation is in creating the time needed for the security teams to observe attackers in the act. It is only by watching what people are getting up to at their keyboards that you can identify who is doing what and to what on the network, which parts of the infrastructure are still affected, and which data has been siphoned off.
But managing directors, CIOs and CISOs need to be aware of one thing amidst all the euphoria about automation: the concept of automated incident response is still in its infancy. To avoid interruptions to business operations, the machine should never be left alone to isolate or even reconfigure affected systems. It should be a human clicking the mouse to launch all such processes.
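The two points made above, correlating events from several security components per source address so the analyst sees the most serious case first, and keeping a human hand on any containment step, can be shown in a small triage sketch. This is example code written for this page, not part of the original article or of any product mentioned in it; the log format, the field names, the scoring thresholds and the sample log lines are all constructed assumptions.

```python
"""Added example: correlate firewall and IDS log lines per source address,
score them, and gate any containment step behind explicit human approval.
Log format, field names and thresholds are invented for this example."""
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not any vendor's syntax).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:02Z fw DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-05-01T10:00:03Z fw DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-05-01T10:00:09Z fw ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2024-05-01T10:00:10Z ids ALERT src=203.0.113.7 dst=10.0.0.5 sig=SAMPLE_PORTSCAN",
    "2024-05-01T10:01:00Z fw ALLOW src=198.51.100.2 dst=10.0.0.8 dport=443",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>fw|ids) (?P<action>[A-Z]+) ")


def parse_line(line):
    """Parse one line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Remaining key=value pairs (src, dst, dport, sig, ...) are taken as-is.
    for key, value in re.findall(r"(\w+)=(\S+)", line):
        rec.setdefault(key, value)
    return rec


def correlate(lines):
    """Group events by source address so the per-source story becomes visible."""
    per_src = defaultdict(lambda: {"denies": 0, "alerts": 0, "allowed_after": 0,
                                   "ports": set(), "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or "src" not in rec:
            continue
        s = per_src[rec["src"]]
        s["targets"].add(rec.get("dst"))
        if rec["source"] == "fw" and rec["action"] == "DENY":
            s["denies"] += 1
            s["ports"].add(rec.get("dport"))
        elif rec["source"] == "ids" and rec["action"] == "ALERT":
            s["alerts"] += 1
        elif rec["source"] == "fw" and rec["action"] == "ALLOW" and (s["denies"] or s["alerts"]):
            # A permitted connection from a source that was already probing or alerting.
            s["allowed_after"] += 1
    return per_src


def score(summary):
    """Example thresholds: several probed ports, IDS alerts, and follow-through traffic."""
    points = 0
    if len(summary["ports"]) >= 3:
        points += 40
    points += 30 * summary["alerts"]
    if summary["allowed_after"]:
        points += 30
    return min(points, 100)


def triage(lines):
    """Return findings sorted so the analyst sees the highest-scoring source first."""
    findings = []
    for src, summary in correlate(lines).items():
        sc = score(summary)
        if sc >= 70:
            rec = "isolate affected host after analyst confirmation"
        elif sc >= 30:
            rec = "queue for analyst review"
        else:
            rec = "log only"
        findings.append({"src": src, "score": sc,
                         "targets": sorted(summary["targets"]), "recommendation": rec})
    return sorted(findings, key=lambda f: -f["score"])


def plan_response(finding, human_approved=False):
    """Containment never runs on the machine's say-so alone: without explicit
    approval the plan stops at 'await_approval' for high-scoring findings."""
    if finding["score"] < 70:
        return {"action": "log_only", "src": finding["src"]}
    if not human_approved:
        return {"action": "await_approval", "src": finding["src"], "targets": finding["targets"]}
    return {"action": "isolate_host", "src": finding["src"], "targets": finding["targets"]}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding, plan_response(finding))
```

Run as a script, the sketch ranks the probing source above the benign one and, for the high-scoring finding, returns an `await_approval` plan until `human_approved=True` is passed in; the actual isolation step is the part that stays behind the analyst's mouse click, as the paragraph above demands.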
The subject of security automation was covered as part of the Integrated Risk Management thematic at Command Control 2018.