As published in Technology First magazine
When it comes to cyber threats, every second counts. Quickly identifying a security breach or cyber threat minimizes the damage and cost to an organization. Unfortunately, the volume of threat alerts an organization receives every day, from multiple security systems, creates an overload of tickets needing to be analyzed, prioritized, and investigated.
Attackers are also automating their own operations, and increasingly using artificial intelligence to do it, to make their criminal activity faster and cheaper. If cyber criminals are using automation, it makes sense for cybersecurity professionals to do the same in order to keep pace.
Heightened productivity, consistency, and the ability to keep up with increasingly complex security needs are all solid reasons to adopt automation. With automation and artificial intelligence (AI), repetitive tasks like manually sifting through threat alerts can be handled quickly and consistently. Automation platforms also ingest large volumes of threat intelligence to identify emerging threats, including those designed to evade signature-based detection. Through playbooks, predefined response sequences that run when an alert meets set conditions, a system can contain a threat in seconds rather than hours. This quick response reduces Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR), saving companies time, expense, and downtime.
There are five ways artificial intelligence and automation fill a need for data security teams:
- Machine learning-powered detection can quickly spot novel threats and trigger a predefined automated response
- Automated scanning and patching tools can uncover and fix known vulnerabilities before attackers exploit them
- Routine tasks can be automated to extend the capabilities of security teams and reduce alert fatigue
- Automation handles initial threat analysis and response in a matter of seconds, around the clock
- As part of a larger security solution, automated platforms work together in a coordinated response
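The alert-sifting, enrichment, playbook, and MTTD/MTTR points above are easier to see in working code. The following is an added illustration, not code from the article or from any product it mentions: a minimal triage playbook that deduplicates repeated alerts, enriches each survivor against a threat-intelligence feed, scores it, chooses a containment action, and then computes MTTD and MTTR over the run. The alerts, hostnames, indicator addresses (taken from the reserved TEST-NET documentation ranges) and the intel feed are constructed sample data; the actions are returned as strings where a real platform would call an EDR or firewall API.

```python
"""Minimal alert-triage playbook: dedupe, enrich, score, act, measure.

Added example; not from the article. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed threat-intel feed: indicator -> (label, confidence 0-100).
# Addresses are from TEST-NET ranges reserved for documentation.
THREAT_INTEL: Dict[str, Tuple[str, int]] = {
    "198.51.100.23": ("known C2 node", 95),
    "203.0.113.77": ("commodity scanner", 40),
}


@dataclass(frozen=True)
class Alert:
    id: str
    event_at: datetime      # when the activity happened, per the log record
    detected_at: datetime   # when the sensor raised the alert
    host: str
    indicator: str          # remote IP observed in the event
    severity: int           # 1 (low) .. 10 (critical), as reported by the source tool


@dataclass(frozen=True)
class Decision:
    alert_id: str
    score: int
    action: str             # "isolate_host" | "ticket" | "suppress"
    reason: str
    responded_at: datetime


def dedupe(alerts: List[Alert], window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Collapse repeat firings of the same (host, indicator) inside `window`,
    keeping the earliest. Repeats are the main source of ticket overload."""
    kept: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.detected_at):
        dup = next((k for k in kept
                    if (k.host, k.indicator) == (a.host, a.indicator)
                    and a.detected_at - k.detected_at <= window), None)
        if dup is None:
            kept.append(a)
    return kept


def score(alert: Alert) -> Tuple[int, str, int]:
    """Combine tool severity with intel confidence on a 0..100 scale."""
    label, confidence = THREAT_INTEL.get(alert.indicator, ("no intel match", 0))
    return min(100, alert.severity * 5 + confidence // 2), label, confidence


def decide(alert: Alert, now: datetime) -> Decision:
    """Playbook step: pick an action. Automated containment requires a
    corroborating high-confidence intel hit, not severity alone."""
    s, label, confidence = score(alert)
    if s >= 75 and confidence >= 80:
        action = "isolate_host"   # would call the EDR isolation API here
    elif s >= 40:
        action = "ticket"         # hand to an analyst with enrichment attached
    else:
        action = "suppress"       # logged but not ticketed, to limit alert fatigue
    return Decision(alert.id, s, action, f"{label}; severity {alert.severity}", now)


def run_playbook(alerts: List[Alert], now: datetime) -> List[Decision]:
    return [decide(a, now) for a in dedupe(alerts)]


def mean_times(alerts: List[Alert], decisions: List[Decision]) -> Tuple[float, float]:
    """MTTD = mean(detected_at - event_at); MTTR = mean(responded_at - detected_at),
    both in seconds, over the alerts that survived dedup."""
    by_id = {a.id: a for a in alerts}
    ttd = [(by_id[d.alert_id].detected_at - by_id[d.alert_id].event_at).total_seconds()
           for d in decisions]
    ttr = [(d.responded_at - by_id[d.alert_id].detected_at).total_seconds()
           for d in decisions]
    return sum(ttd) / len(ttd), sum(ttr) / len(ttr)


# Constructed sample run: five alerts from three tools over ten minutes.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)


def minutes_after(m: float) -> datetime:
    return T0 + timedelta(minutes=m)


SAMPLE_ALERTS = [
    Alert("A1", minutes_after(0), minutes_after(5), "ws-042", "198.51.100.23", 8),
    Alert("A2", minutes_after(1), minutes_after(7), "ws-042", "198.51.100.23", 8),  # repeat of A1
    Alert("A3", minutes_after(2), minutes_after(3), "srv-db1", "203.0.113.77", 4),
    Alert("A4", minutes_after(4), minutes_after(6), "ws-019", "192.0.2.10", 3),
    Alert("A5", minutes_after(0), minutes_after(10), "srv-web2", "192.0.2.44", 9),  # severe, no intel
]

if __name__ == "__main__":
    decisions = run_playbook(SAMPLE_ALERTS, minutes_after(11))
    for d in decisions:
        print(f"{d.alert_id}: score={d.score:3d} action={d.action:13s} ({d.reason})")
    print("MTTD %.0fs, MTTR %.0fs" % mean_times(SAMPLE_ALERTS, decisions))
```

Note the gating in `decide`: A5 is the most severe alert in the sample, but with no corroborating intelligence it is ticketed for an analyst rather than isolated automatically, while A1 (severe and matching a high-confidence indicator) is contained without waiting. That split, automation for the clear-cut cases and a human for the ambiguous ones, is the division of labor the rest of this article describes.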
Why isn’t every SOC relying on these automation tools?
If AI-powered automation tools are providing more accurate and timely results than humans, why isn't every Security Operations Center (SOC) using them? For one, most of these tools are behavior-based: they need a baseline of your environment's normal activity and a steady flow of data before their detections and actions become reliable. Cost can also be a factor, since these platforms require expertise to configure and manage, often requiring outside Managed Security Service Provider (MSSP) support. And finally, automation needs to be part of an overall cybersecurity plan rather than simply patching a hole.
First and foremost, organizations need to be sure they have the basic security measures in place, such as adhering to the CIS Controls (the "CIS Top 20"), to stop the most pervasive and dangerous cyber threats. Getting these basics right before jumping into AI and machine-learning platforms is the best place to start. Some of the basic elements include:
- Understanding your network and the devices on your network
- Perimeter controls such as firewalls and intrusion prevention systems, plus encryption of data in transit
- Secure network connectivity such as SD-WAN and VPNs
- Endpoint protection such as antivirus and anti-malware
- Good email security and hygiene
- Controlling the use of administrative privileges
- Proper password management
- Ensuring firewalls, email gateways and other security devices are properly configured
- Resources for training and awareness that build a positive cybersecurity culture
Automation isn't replacing security teams; rather, it enhances the skills and capabilities already available. Automation provides consistency in repetitive cybersecurity tasks, reducing human error rates and strengthening protection. Faster detection and response means a shorter gap between suspicious behavior and action. Over time, as AI-powered platforms continue to learn your network environment and ingest threat intelligence data, their benefits to your organization will continue to improve.
Automation can be rapid, agile, and consistent. What automation can't be is creative and curious. When routine security processes are automated, security teams are freed up to exercise their creativity to solve problems and build more comprehensive security approaches. Cybersecurity professionals still need to decide which servers or networks to isolate, when to bring in incident response teams, and what changes to make to policies and procedures as corrective actions. Like everything else in the IT stack, it comes down to needs, workload, and budget to determine how much automation will deliver a return on your investment.
So, what’s the answer for cybersecurity automation?
The reality is that the complexity of technology and the amount of data that must be watched and analyzed are not slowing down. To manage the growing attack surface and the alert volume that comes with it, security automation and integration tools will continue to evolve with the same urgency to support security teams. Is your company prepared to take advantage of automation? If not, how will you develop strategies to keep up with the speed and sophistication of cyber threats?