For CISOs trying to keep a firm grip on the security of their company's information and systems, automating security operations is a must, provided it sits within the context of a broader security orchestration approach.
Understanding the benefits as well as the shortcomings of security automation will help CISOs build the most efficient model for orchestrating their organization's security.
The Necessity of Automation

Automation plays a critical role in security orchestration in today's threat environment. Keeping track of the sheer volume of daily threats against a system is often beyond the human capacity of an analyst team. Additionally, the tedious and repetitive work of triaging these threats strains staffing, and there tends to be a shortage of qualified analysts to carry out these tasks effectively.
Breaches of a company's cyber infrastructure are one of the most tell-tale signs that its cyber security strategy requires automation. A successful breach usually happens when someone overlooks an important exploitable weakness or fails to see the indications that a breach is being attempted. Security orchestration and automation platforms are the layer of defense that helps a system overcome this unavoidable human error factor.
Despite heavy investment in cyber security, security metrics have been on a worsening trend. Many voices in the industry point to automation as the critical factor in helping firms reverse it.
The Shortcomings of Automation

Still, it would be unwise to treat security automation as the be-all and end-all of robust information security. Automation does not suffer from human limitations in cognition or attention span, but it is fundamentally limited in one very important way: it is only as good as its original configuration, and it cannot on its own tell which actions its human operators want and which they do not.
This deficiency in security automation programs can cause, and has caused, a slew of very serious system failures.
Take, for instance, the 2014 incident involving the file hosting service Dropbox. During a routine maintenance run on one of its many databases, one of Dropbox's automated programs ran a script containing a bug against its own production system. This shut down the company's live service for several hours.
Another poignant example, an episode that affected tech giant Google, also demonstrates the shortcomings of automation. In July 2016, Google was reconfiguring the thousands of servers that support its operations. A bug in one of the automated systems that executed these server updates led to faulty reconfigurations on multiple servers. As a result, all users served by these servers had their data requests denied until the error was detected and corrected by human analysts.
These and many other recent instances underscore the fact that automation is far from infallible. Still, there is no doubt that automation is a vital component of any robust security strategy seeking to overcome the human error element. The key is to balance automation with expert human analysis.
The Bigger Picture: Integrating Security Automation with Human Intellect

In light of this reality, the question any good CISO should be asking is how to strike the proper balance between automation and human analysis so as to maximize the effectiveness of their security operations.
A good automation strategy should leave room for human analysis to be integrated with automated platforms. Platforms should be built on a "semi-automation" model, in which the security team has the ability to define and refine the system's protocols. In this way, an organization's security will not be running on autopilot under an imperfect template, while analyst teams will still save time and operate more efficiently. The recent appearance of products based on this integrative approach suggests that the trend is gaining traction in the industry.
Orchestration is the backbone of good automation. With orchestration, security teams develop processes that work before automating them, which provides a testing environment in which to perfect the workflow. Most automations will be based on playbooks that already work and are already in use.
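The semi-automation and orchestration ideas above can be made concrete in a small playbook runner. The following is an added example written for this article, not code from the original post or from any vendor platform: a playbook is first rehearsed in dry-run mode (the "test the workflow before automating it" stage), low-risk steps such as enrichment and ticketing run unattended, and any step that changes production state pauses for an analyst's decision. The alert, the step actions and the approver callbacks are all constructed stand-ins, not real SOC integrations.

```python
"""Minimal semi-automated playbook runner (illustrative, not a product API)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from enum import Enum


class Risk(Enum):
    LOW = "low"    # safe to run unattended (lookups, ticketing)
    HIGH = "high"  # changes production state; needs a human decision


@dataclass
class Step:
    name: str
    risk: Risk
    action: Callable[[dict], str]  # receives the alert, returns a result summary


@dataclass
class RunReport:
    executed: List[str] = field(default_factory=list)
    awaiting_approval: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)
    planned: List[str] = field(default_factory=list)  # populated in dry-run only


def run_playbook(steps: List[Step], alert: dict, *, dry_run: bool = False,
                 approver: Optional[Callable[[str, dict], bool]] = None) -> RunReport:
    """Execute a playbook against one alert.

    dry_run=True records the plan without calling any action, so a new or
    edited playbook can be reviewed before it is trusted with live systems.
    approver(step_name, alert) -> bool is consulted for every HIGH-risk step.
    When no approver is supplied, HIGH steps are held for later review rather
    than executed: a missing human never defaults to "go".
    """
    report = RunReport()
    for step in steps:
        if dry_run:
            report.planned.append(f"{step.name} [{step.risk.value}]")
            continue
        if step.risk is Risk.HIGH:
            if approver is None:
                report.awaiting_approval.append(step.name)
                continue
            if not approver(step.name, alert):
                report.rejected.append(step.name)
                continue
        report.executed.append(f"{step.name}: {step.action(alert)}")
    return report


# --- constructed sample alert and actions (placeholders, not a real integration) ---
SAMPLE_ALERT = {
    "id": "ALERT-0001",
    "type": "impossible_travel",
    "user": "jdoe",
    "source_ip": "203.0.113.45",  # RFC 5737 documentation address
}


def enrich_ip(alert: dict) -> str:
    # Stand-in for a threat-intel lookup; real code would query a TI service.
    return f"{alert['source_ip']} geolocated, no TI hits"


def open_ticket(alert: dict) -> str:
    return f"ticket opened for {alert['id']}"


def disable_account(alert: dict) -> str:
    # Production-changing action; only reachable through the HIGH-risk gate.
    return f"account {alert['user']} disabled"


IMPOSSIBLE_TRAVEL_PLAYBOOK = [
    Step("enrich_source_ip", Risk.LOW, enrich_ip),
    Step("open_incident_ticket", Risk.LOW, open_ticket),
    Step("disable_user_account", Risk.HIGH, disable_account),
]


def approve_everything(step_name: str, alert: dict) -> bool:  # hypothetical analyst
    return True


def approve_nothing(step_name: str, alert: dict) -> bool:  # hypothetical analyst
    return False


if __name__ == "__main__":
    print(run_playbook(IMPOSSIBLE_TRAVEL_PLAYBOOK, SAMPLE_ALERT, dry_run=True))
    print(run_playbook(IMPOSSIBLE_TRAVEL_PLAYBOOK, SAMPLE_ALERT))
    print(run_playbook(IMPOSSIBLE_TRAVEL_PLAYBOOK, SAMPLE_ALERT, approver=approve_everything))
```

The design choice worth noting is the default: with no approver wired in, the account-disable step is parked in awaiting_approval rather than executed, so an incomplete deployment fails closed instead of acting on autopilot.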
As experts recognize the need to balance human analysis with automation, the field of cyber security will almost certainly explore many models for combining the two. With the growing volume of cyber threats, pairing automated systems with a team of experts is the new paradigm.