The human and robot balancing act

Automation is an increasingly important capability for the modern SOC, but, as powerful as it is, it can't completely replace human expertise.

By Tony Hallett

Wed 10 Jan 2018 @ 14:44

It's now clear that the argument for security automation has been won. Automation technology provides the ability to stop threats in their tracks and enables security staff to beat alarm fatigue and focus on tasks that generate more value.

With cyber threats evolving as criminals develop new ways to get through perimeter defences, the likelihood of a corporate network being compromised remains high.

Security teams need all the help they can get to cope with the volume of alarms and alerts they are bombarded with every day as they work to keep networks safe. The ongoing cybersecurity skills shortage also means that security operations centres (SOCs) can be easily overwhelmed, reducing effectiveness as a result.

Automation has a place in security operations as it lets mundane but important tasks, such as network monitoring, be handed over to software. This reduces inconsistencies in responses and reduces the pressure on security staff.

These robotic tools can quickly contain thousands of potential threats while human analysts examine the details of incidents, work out how to tackle them and determine how they can prevent a similar threat occurring again. In addition, automation tools can create clear incident reports that can be used to improve responses in the future.

Security staff can use the time they get back to investigate threats more thoroughly, as they are under less pressure to respond to every alarm because the robots take care of them. They can also develop ways to test the effectiveness of their security capabilities, through stress testing and other approaches.

Analysts also have the time to get up to speed on the latest threats and improve their skills. This improves the general security expertise within organisations and helps move them from a reactive to proactive stance, letting them deal with genuine threats more quickly and reducing the opportunity for problems to progress.

But, as we know, the threat environment is extremely complex. While automation technology is incredibly sophisticated, it's not foolproof.

One issue is false negatives. Although these can be largely eliminated through effective fine-tuning of automation software and workflows, this problem demonstrates that solely relying on algorithms would be an error.

Automation should be treated as a tool that can help SOCs operate more efficiently and make the most of available resources, never as a substitute for human expertise and experience.

Security teams need to perform a robot-and-human balancing act to ensure that human intervention remains a major part of the threat detection and resolution equation.

Automating too much of the workload will mean threats that are outside the experience of the machine learning software go undetected or aren't investigated properly. It could also mean unusual but legitimate user activity that isn't a threat could be blocked, creating more work for security teams as users demand access.

On the other hand, too little automation will mean security teams continue to feel the strain and are unable to do their jobs properly. Again, this could result in threats being missed or a security team that isn't as up to speed on security developments as it needs to be.
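One way to make that balance explicit is to encode it as a routing policy with adjustable thresholds, so the team can see how much of the workload lands on software and how much on analysts. This is an added example, not code from the article: it assumes each alert carries a tool-reported confidence score, a flag saying whether it matched a pattern the team has validated, and a count of assets an automated containment would touch; the threshold values and sample alerts are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Route(Enum):
    AUTO_CONTAIN = "auto_contain"   # software isolates/blocks; analyst reads the report later
    AUTO_CLOSE = "auto_close"       # low-confidence noise closed without a human
    HUMAN_REVIEW = "human_review"   # analyst decides

@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str            # assumed detection source names: "ids", "edr", "uba"
    confidence: float      # 0.0..1.0 score reported by the detection tool
    known_pattern: bool    # matched a signature/playbook the team has validated
    affected_assets: int   # blast radius of the automated containment action

@dataclass(frozen=True)
class Policy:
    auto_contain_min: float = 0.9     # raise to automate less, lower to automate more
    auto_close_max: float = 0.1       # lower to automate less (fewer silent closes)
    max_auto_blast_radius: int = 5    # never auto-contain more assets than this
    always_human: frozenset = frozenset({"uba"})  # behavioural anomalies may be legitimate

def route(alert: Alert, policy: Policy) -> Route:
    """Decide whether software or an analyst handles one alert."""
    # Anything outside the machine's validated experience goes to a person,
    # however confident the tool claims to be.
    if not alert.known_pattern or alert.source in policy.always_human:
        return Route.HUMAN_REVIEW
    if (alert.confidence >= policy.auto_contain_min
            and alert.affected_assets <= policy.max_auto_blast_radius):
        return Route.AUTO_CONTAIN
    if alert.confidence <= policy.auto_close_max:
        return Route.AUTO_CLOSE
    return Route.HUMAN_REVIEW

def triage(alerts, policy: Policy) -> dict:
    """Group alert ids by route so the human share of the load is visible."""
    out = {r: [] for r in Route}
    for a in alerts:
        out[route(a, policy)].append(a.alert_id)
    return out

SAMPLE = [  # constructed alerts
    Alert("a1", "ids", 0.97, True, 1),    # known, confident, small blast radius
    Alert("a2", "edr", 0.95, True, 40),   # confident but would touch 40 assets
    Alert("a3", "uba", 0.99, True, 1),    # behavioural: unusual but maybe legitimate
    Alert("a4", "edr", 0.92, False, 1),   # novel pattern, outside the tool's experience
    Alert("a5", "ids", 0.05, True, 1),    # noise
    Alert("a6", "ids", 0.50, True, 1),    # ambiguous
]

if __name__ == "__main__":
    for r, ids in triage(SAMPLE, Policy()).items():
        print(r.value, ids)
```

Raising `auto_contain_min` or lowering `auto_close_max` moves alerts from the automated routes into `HUMAN_REVIEW`, which is the dial the passage above describes; watching that split over time shows whether the team is drifting towards either extreme.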

And the security skills that humans bring remain a vital commodity. The security skills shortage is widely acknowledged as a problem that automation can't fix. Research by the Enterprise Strategy Group found that the security skills shortage is most acute in security investigations/analysis (31 per cent), application security (31 per cent) and cloud security (29 per cent).

These areas can't be taken care of by automation tools -- the expertise and adaptability that humans bring are key.

While automation provides the ability to flag and contain threats and prioritise them for further investigation, it can't investigate threats to the extent that human analysts can, or take the action to remove them from the network and repair the damage that has been done.

And when it comes to security for specific applications -- both on premises and in the cloud -- specialist skills are needed to ensure systems are set up correctly and that the activity that takes place within them is appropriately managed.

The role of automation in security operations is certain to grow, but organisations need to ensure the right things are automated and that human intervention remains a key element in keeping the organisation safe. The extent of automation will vary among different organisations, but all businesses need to ensure they get the right balance to keep their organisations as safe as possible.