The Current State of Intelligent Automation Adoption in Cybersecurity

In the past year, research indicates that nearly a third of organisations have accelerated their plans to automate key security and IR processes. Additionally, another 85% plan on automating them in the next 12 months.

Despite the positivity of these statistics, many organisations struggle to change to a more automated process. This was highlighted at a recent webinar we held with a panel of senior cybersecurity experts from many sectors.

The discussion revealed that, while most organisations are exploring automation, few have made significant progress. They attributed this to a combination of factors. These include the need for a better understanding of automation and more help from vendors, as well as a lack of good IT foundations.

The current experience of cybersecurity automation

All attendees agreed that automation is the future of cybersecurity and that exploring the process was in their interest. Interestingly, most speakers said they used automated intrusion detection systems (IDS). However, there is resistance to adding an intrusion prevention system (IPS) in case false positives cause systems to shut down unnecessarily. As one delegate said, “They are afraid that automating blocking will break their world”.

During the event, the current experience of automation was described as frustrating. While an automated engine can successfully detect a problem, it fails to outline what the problem is.

In this case, the detection system can feel like a problem rather than a solution. As one attendee put it: “The noisy child in the corner”. One delegate mentioned that his platform raises six billion data points every month. Of those, 1,000 need to be manually investigated. From those, only two are likely genuine threats, but someone still needs to be tasked with investigating those 1,000 threats regardless. The human component still exists despite automated intrusion detection processes.

How do companies measure successful automation?

Attendees agreed on some of the main ways that they measured successful automation. Both time and expense were viewed as vital success measures. Some “measure success by finding out the attack has happened and how soon they can prevent that attack, as well as ensuring that it doesn’t spread”. Automated responses to threats have saved money and, just as importantly, time. Consequently, reacting more quickly than the attacker was established as an essential measure of success.

Others pointed out that success is simply based on whether the company’s system was still working in the morning. It is not about defeating every challenge but ensuring that the threat to the business is greatly reduced. One indication of this is a lack of false positives, which was viewed as another success measure.

However, as Leon Ward of ThreatQuotient outlined, automating cybersecurity is particularly challenging due to the widely varying measures of success. Automating an industrial process can be simpler because it can be measured by an improvement in speed, output, or some other metric. Overall, in his opinion, the ultimate measure of success must be when nothing bad occurs.

What foundations do businesses need to have to successfully build an environment for automation?

Research from ThreatQuotient found that 41% of businesses say a lack of trust in the outcomes of automation is preventing its deployment. Numerous attendees noted that further education within businesses was necessary to understand that, to defend themselves, there may have to be some impact on the day-to-day running of the business.

Speakers agreed that there is a belief that automation can add a bigger target to security teams’ backs as automation is viewed as an overhead. Unfortunately, as part of the nature of cybersecurity, problems are always noticeable when they arrive. It perhaps adds to the wariness around the automation offering, despite problem-spotting being a good thing.

Additionally, it was highlighted that many companies do not have the IT infrastructure to make a smooth automation transition; disjointed systems and legacy tools can lead to automation challenges. Some noted that their company’s systems cannot even automate password resets yet. Others indicated more of a cultural issue, with people often suspicious of new systems. In some businesses, people get annoyed if security tools impede their workflow.

What needs to happen to improve automation efforts within the industry?

Much of the discussion centred on the metrics commonly used in cybersecurity. Mean time to detect (MTTD) and mean time to respond (MTTR) metrics were viewed as not very helpful. There is a belief that there is no useful difference between the two. “If we’ve detected it, we’ve responded,” was the common opinion. Additionally, measuring either is difficult because it can be hard to know when to start measuring.

There was general agreement that poor quality metrics prompt the board to ask, “So what?” Attendees said they would favour a metric that tracks the extent of coverage and success. However, they acknowledged that it is hard to know what data points could be used to measure those things.

The need for more help from vendors was raised as an action point. Delegates agreed it would be useful to know where vendors struggled with automation rather than finding this out for themselves. This kind of honesty and openness can help build fruitful partnerships between vendors and businesses.

The next step:

Overall, a lot of work still needs to be done to improve the journey towards automation in cybersecurity. Despite ThreatQuotient’s research indicating positive steps, the roundtable event showed that a cultural change is needed for mass adoption to occur. Further education is required on the subject, as well as a general understanding of what constitutes success.

Vendors can make strides to ensure that this happens. They can also help build the trust enterprises need to make this journey as smooth as possible. Attendees were ultimately realistic. As one spokesperson said, “we’re not looking for a silver bullet”. Vendors must take this viewpoint into account and strive to build the necessary partnerships to learn, improve and seek demonstrated measures to help with automation.


ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.
