If there is one universally true statement about every organization regardless of size, location, or industry – it is that they all have too many security problems to deal with comfortably and in time. If you believe that you have your cybersecurity well under control, you probably simply don’t have full visibility into every corner of your IT… Unsurprisingly, the idea of replacing overworked (and increasingly scarce) humans with some kind of automation both for daily administrative routine and for responding to security incidents looks universally appealing to everyone in IT. Or does it?
According to a recent market study, the majority of organizations have experienced problems implementing security automation for a variety of reasons, ranging from a lack of skills and budgets (obviously) to a much more bizarre claim of not trusting the outcomes of automation. In fact, many companies already having automation capabilities in place (such as SIEM or EDR products) do not trust them to perform any operations more advanced than sending out an alert.
For years, we have blamed industrial security experts for sticking to their old ways and putting safety and process continuity above security. Meanwhile, AI and machine learning technologies have been making great strides and entire new market segments for intelligent and highly automated security solutions have emerged. And yet, even people not involved in OT security are still afraid of them. But why?
Before diving into technical details of implementing security automation, it can perhaps be useful to address a couple of common misconceptions about it. First, the goal of automating cybersecurity is not to eliminate humans from the decision-making process or drive security analysts to unemployment. On the contrary, the whole idea is to automate the least interesting but most tedious parts of the repetitive manual activities we have to face daily – from separating meaningful security events from false positives to making disjointed legacy tools work together efficiently.
Unless this unqualified menial labor is the only thing you do as a security analyst, there is really nothing to be worried about – automation will actually allow you to spend your time on more challenging and rewarding tasks. You will also always have the final say in every potentially disruptive decision (and a good automation tool will not just help you make the right one, but also to evaluate its potential risks beforehand). Unless, of course, you’ll decide to block any future attacks of the same kind automatically…
Having said that, it is also important to stress that investigating and responding to security incidents is definitely not the only area of cybersecurity that needs to be automated. Proactive measures such as identifying vulnerabilities in IT infrastructure or application code, as well as regulatory compliance, can greatly benefit from intelligent automation.
And speaking of intelligence: contrary to many people’s beliefs, artificial intelligence and machine learning should not be the primary focus of any automation strategy. While AI/ML provide a multitude of opportunities to automate specific narrow tasks, on a strategic scale, automating processes, workflows and collaboration between people is much more important.
Security Orchestration, Automation and Response (SOAR) products are perhaps the most promising class of solutions that helps, well, orchestrate the processes between other tools and products that do not support this integration natively. However, this market is still evolving rapidly, and most currently available tools tend to focus on automating forensic investigations and incident response. Designing a universal platform that could automate all security-related processes in an organization is thus still a challenge that every company must address individually.
In a sense, security automation as a concept can be compared to another popular buzzword – Zero Trust. Both do not refer to specific technologies or products, but rather deal with architectures and guiding principles. However, whereas you still “cannot buy Zero Trust”, the situation with security automation tools nowadays is a complete opposite. There are so many various products that promise to solve all your automation needs that finding the right combination of tools becomes a problem that might need a bit of automation itself…
Security automation will be one of the key topics at the Cybersecurity Leadership Summit in Berlin this November. Whether you are looking for strategic advice from industry analysts or are more interested in technical implementation details, you will surely find the right people and relevant presentations at the event. For example, check out “Sustainable vulnerability management: Case Study by KuppingerCole” by Christopher Schütze, “Security Automation Strategies to Succeed or Fail: You Choose” by Dr. Donnie Wendt of Mastercard, or a panel discussion on “Implementing Enterprise Security Automation for Threat Detection and Intelligence”.